| www.delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:content-type:content-transfer-encoding | |
| :mime-version:from:reply-to:to:subject:date:in-reply-to | |
| :message-id; q=dns; s=default; b=Mld3rMXa8q/5ikU5KNLqfx5k1SPSC1E | |
| JDiozozI6lW+SWSHmk7MVoZW2MzaxGsoaaBhvKp2seHTbCmBlg00gOkSYrdCFdaD | |
| 5OcCNyuGrUbYB/P2yiQYn7Ktr8j12OE0nMZEgHgPk2B82EEqgV/Kscf51jCTDeZN | |
| WCGE5Z4XZ6cE= | |
| DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:content-type:content-transfer-encoding | |
| :mime-version:from:reply-to:to:subject:date:in-reply-to | |
| :message-id; s=default; bh=2TUuCMekJEMhyULohtvKCJ0Slxw=; b=T1ttX | |
| 2WC2w2ynxXqyj8WmWnRHSfZt+ikie4n8LE3+Z7MoM9vA++Oy3uxjLVzH/p0HGsQG | |
| mEf8X+8g/0Q5sZBUCkE2d7Hp0N9gwW09cuxAJk3nUsBa7ErTY9dO6eQlj/p8Coeh | |
| q8vO06wvpAN/W8/YFGjRTFsq3ov2BgwUBZtpJc= | |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Authentication-Results: | sourceware.org; auth=none |
| X-Virus-Found: | No |
| X-Spam-SWARE-Status: | No, score=1.8 required=5.0 tests=AWL,BAYES_05,KAM_BODY_URIBL_PCCC,KAM_EXEURI,SPF_PASS,UNPARSEABLE_RELAY autolearn=no version=3.3.2 |
| X-HELO: | aibo.runbox.com |
| MIME-Version: | 1.0 |
| From: | "David A. Wheeler" <dwheeler AT dwheeler DOT com> |
| Reply-To: | dwheeler AT dwheeler DOT com |
| To: | "cygwin" <cygwin AT cygwin DOT com> |
| Subject: | Re: Should cygwin's setup*.exe be signed using Sign Tool? |
| Date: | Thu, 02 Apr 2015 23:17:17 -0400 (EDT) |
| In-Reply-To: | <721062557.20150403012215@yandex.ru> |
| Message-Id: | <E1Yds6f-0008Lh-Ge@rmm6prod02.runbox.com> |
| X-IsSubscribed: | yes |
| X-MIME-Autoconverted: | from quoted-printable to 8bit by delorie.com id t333Haof001059 |
David A. Wheeler inquired: > > Has Cygwin considered signing the installer using Sign Tool? More info: On Fri, 3 Apr 2015 01:22:15 +0300, Andrey Repin <anrdaemon AT yandex DOT ru> wrote: > Did Microsoft made it available separately? Or is there a description of the > structure of such a signature and/or a free tool that can be used to generate it? Microsoft makes signtool available as part of its SDK at no charge (gratis, not libre): https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx This page points to some alternatives: http://stackoverflow.com/questions/18211594/windows-code-signing-process-alternative-to-ms-signtool-exe They note that Mono includes "signcode", and it's libre (as well gratis). Instructions here: https://developer.mozilla.org/en-US/docs/Signing_an_executable_with_Authenticode > Last I checked, you have to install a metric ton of garbage to get signtool as > a bonus. It seems to be a short ton. The default installs a lot, but you can deselect much. It's not tiny due to dependencies, but it's not *everything*. Also, you *only* have to install it on the system that does the signing; no other system needs it. It's good to have a separate signing system anyway. > People who don't check signature manually, won't check the credibility of > the embedded signature either. > And it only takes about thirty seconds to fake the lines that are visible in > prompt dialogue. Clearly this is limited. But these signatures are automatically checked by Windows, and the publisher is displayed for review before acceptance, which raises the bar a little. The number of people who check the signatures on setup*.exe is probably pretty small; I'm hoping to raise the safety bar for everyone else. There's also an appearance factor: running an unsigned app looks scarier (there's a warning "The publisher could not be verified...", possibly followed by a User Account warning again noting the 'unknown' publisher). Having a signature may make users and their admins more confident that it's okay to use Cygwin. --- David A. Wheeler -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |