From: Brian Inglis
Organization: Systematic Software
Date: Sun, 20 Nov 2022 13:45:29 -0700
To: cygwin@cygwin.com
Cc: dalestan@gmail.com
Subject: Re: Adding an embedded signature on setup-x86_64.exe
In-Reply-To: <64eb894e-0bce-2e68-3e8b-a8cd69711514@dronecode.org.uk>

On Sun, 20 Nov 2022 17:17:18 +0000, Jon Turney wrote:
> On 18/11/2022 21:15, Dale McCoy wrote:
>> I use Cygwin in the course of work, and while I can use the external gpg
>> signature to verify the validity of setup-x86_64.exe, my IT department
>> can't see that step. They get somewhat concerned when they see that Windows
>> thinks setup-x86_64.exe is unsigned, and I certainly don't blame them.
>> Can I convince you to also embed a signature in the installer, so Windows
>> recognizes the file is signed?

> This is something I'd like to do, but unfortunately, the remaining blocking
> issues are not technical.
>
> In order to sign the code in this way, the key needs to be signed by a
> CA that participates in Microsoft Trusted Root Program. These CAs
> charge an annual fee. As the person who makes the setup releases, I'm
> not going to pay that out of my own pocket, and we currently have no
> organization to collect donations for that (or any other) purpose.

If Cygwin becomes an SFC member, they may be able to fund Cygwin signing certs.

-- 
Take care. Thanks, Brian Inglis
Calgary, Alberta, Canada

La perfection est atteinte                      Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter     not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer        but when there is no more to cut
                                -- Antoine de Saint-Exupéry