From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.135]) by sourceware.org (Postfix) with ESMTPS id 28FFC3858434 for ; Mon, 21 Nov 2022 12:49:36 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 28FFC3858434 Authentication-Results: sourceware.org; dmarc=fail (p=none dis=none) header.from=cygwin.com Authentication-Results: sourceware.org; spf=fail smtp.mailfrom=cygwin.com Received: from calimero.vinschen.de ([24.134.7.25]) by mrelayeu.kundenserver.de (mreue011 [212.227.15.167]) with ESMTPSA (Nemesis) id 1MMoOy-1ogXIF2ulI-00IkCq; Mon, 21 Nov 2022 13:49:31 +0100 Received: by calimero.vinschen.de (Postfix, from userid 500) id 8481EA80884; Mon, 21 Nov 2022 13:49:30 +0100 (CET) Date: Mon, 21 Nov 2022 13:49:30 +0100 From: Corinna Vinschen To: Brian Inglis Cc: cygwin@cygwin.com, dalestan@gmail.com Subject: Re: Adding an embedded signature on setup-x86_64.exe Message-ID: Reply-To: cygwin@cygwin.com Mail-Followup-To: Brian Inglis , cygwin@cygwin.com, dalestan@gmail.com References: <64eb894e-0bce-2e68-3e8b-a8cd69711514@dronecode.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: X-Provags-ID: V03:K1:dRF1/0qol4LUHNANOGVf3Lbj5rXo36sYa6Ht7DC52DWV3+IjQTc nEYBo3CGrEd1kbKscqXymRxI0Eh1KIVFsRarLF4DWcPOkqACNFl+bfF2yk1lXOmhJJV4m6m BdT5L/aLmLZXmkyDvBIAgCn2r22p3IboyOsu+jKe6n/r/8pkIuflmVwbipyj3b9vfwNfJmK ZeakEsQacRujMiAdv0+7w== X-UI-Out-Filterresults: notjunk:1;V03:K0:HUFxbauxzEE=:zhXZjFTR2explSUKNhptm1 q9lsFXTsYVMboVpruIRHcG+6pTU/dYyy+NEZRIwRxNvgvgjqfsv0woQ5HmSP+fw32QqFY0pnn jyITB3k3HPX+p/qfnhtGqAHGDXg446iEgb2TPuJSICpZHCZoGQPiwao15HJIcBhwyEA5YqLt4 7InVU67ULs5+GqF5SlfuzGdXRtP68X2iuIsKUFHJ29TOOpV9NpXZDTIS9DqM+KQDh62qFJGiE JUow6WT6/vYVYpsNRFSumyVRaS9inCQcnwZnCkhv6mA5o1zud7zB2SkW0zacyxTK6Ggy1osGQ h1A5UOdXtg+CxNr+vhvaR93l1Kru4RmULHpnSBapnqY4NG/9D3xrwWHOq3/x7p7h2tnEVhS38 M96R+YuErCPnZlC3T9Vg390Aw+QoZJVUFwOmrRfMkFjQD7mTNpQf7Jxc2gcp3qaOtN3PGZphZ Om8MGzPvvY53oR9DIeGp4lpC36KCDZ73X15WarauCAq77hF6blzMpTpOxcNlmDkGtTa4URwet OcMW3z+FXNmfo5l2szwhRlt0bvKKB8RFLUsOp03NBXHxfMRx/MH+eSwSU4inBdhL7mduiW8FD KoVfrVGDqkh9Uwuy4FePvCIF83brbkvjDLyfbSH23Xb1ehjoZsduCFJ7SCWbe3VZjBKyuJRLz vVkvMpRprRx4mtz/NP75lP2Q20G4m5PhlfRMbFkNM30MY8idqhOb851OpyskYuBbV4YWOeFFy HBfxhGyltBMMtkZXJcAFW6SExjQA2qVsZwM8+roRZ7If0d0zo+de1mmoSC+4aqSc2yBFgYkTo hDhn5GhIpI8G+IWf0NpQYQMDrgojg== X-Spam-Status: No, score=-96.0 required=5.0 tests=BAYES_00,GOOD_FROM_CORINNA_CYGWIN,KAM_DMARC_NONE,KAM_DMARC_STATUS,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_FAIL,SPF_HELO_NONE,TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: On Nov 20 13:45, Brian Inglis wrote: > On Sun, 20 Nov 2022 17:17:18 +0000, Jon Turney wrote: > > On 18/11/2022 21:15, Dale McCoy wrote: > > > I use Cygwin in the course of work, and while I can use the external gpg > > > signature to verify the validity of setup-x86_64.exe, my IT department > > > can't see that step. They get somewhat concerned when they see that Windows > > > thinks setup-x86_64.exe is unsigned, and I certainly don't blame them. > > > Can I convince you to also embed a signature in the installer, so Windows > > > recognizes the file is signed? > > > This something I'd like to do, but unfortunately, the remaining blocking > > issues are not technical. > > > > In order to sign the code in this way, the key needs to be signed by a > > CA that participates in Microsoft Trusted Root Program. These CAs > > charge an annual fee. As the person who makes the setup releases, I'm > > not going to pay that out of my own pocket, and we currently have no > > organization to collect donations for that (or any other) purpose. > > If Cygwin becomes an SFC member, they may be able to fund Cygwin signing certs. Good point! Corinna