Mail Archives: cygwin/2025/05/03/15:09:24

DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 543J9Oqv3805555
Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com
Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com
DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 543J9Oqv3805555
Authentication-Results: delorie.com;
dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=JLib7Ca9
X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 5C0E33858C56
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
s=default; t=1746299362;
bh=/HTAi82lzzpiGCbirFQcbhU+f0i1pWCbDO+BE9R1D7U=;
h=Date:Subject:To:References:In-Reply-To:List-Id:List-Unsubscribe:
List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:
From;
b=JLib7Ca92PESSTgOPlUhQh6Dt3g2D/TwPQA0GkCGyGihmGQyuHnfY1nxrVheo8ROv
az4XzLV5P4SdpynNuUXJgtfnQZPhUXGp+5IKVb9nlf7F9gH8OFQxZJ2G5WvyP03ZMF
30C6fEznb15iPnY3Xe0X+c7w+b7BAXpEcvelR2fg=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org AAC733858D21
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org AAC733858D21
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1746299336; cv=none;
b=Rhfcde9c6DedP6Kvtd/HrbGaiq0OBEm0jTkM/mzZ6xAVQZ+KhU0Rb9jGDNLtZSmNRNrOXbEtGZc/67M0MXhljmCBYm+HhfVqPsCQFMU8URkKyXSvCxOf+mZgkcl7N3TvKJNXP0Qhxz64Jxq1xuXMTyekNut8KiFzDZgJvf1p9r8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
t=1746299336; c=relaxed/simple;
bh=dLswq+j4e93a5tXjVKjMrTYzuCOPa0UyVKqiIuxhY/A=;
h=Message-ID:Date:MIME-Version:From:Subject:To:DKIM-Signature;
b=ciqoLKZCHS+APS9NkxIXxDNnOaWGMOw6PTPE1HpUvDHdl59mNYl2rQyqGT7r3jOueOka1uF7sd2VgwoplghU7YQBBpzxLIu+unRkZRVh4Y67G4BfJPsl+U8wqYwa0jIYMTmNJoVGzVxKhnLL/9gmR6JYu95Q134ao+Eo3x2iChs=
ARC-Authentication-Results: i=1; server2.sourceware.org
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org AAC733858D21
Message-ID: <5fd86c45-8236-43ce-b259-0e0145dda30f@SystematicSW.ab.ca>
Date: Sat, 3 May 2025 13:08:53 -0600
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: Signing cygwin.com binaries with signtool by default ?
To: cygwin AT cygwin DOT com
References: <CAKAoaQn=-jVLnrO1hmM_4JAPodO-YnUuw+fcnDScHa=d2G48=A AT mail DOT gmail DOT com>
Organization: Systematic Software
In-Reply-To: <CAKAoaQn=-jVLnrO1hmM_4JAPodO-YnUuw+fcnDScHa=d2G48=A@mail.gmail.com>
X-Rspamd-Queue-Id: E110520024
X-Stat-Signature: ank9dmyszg53d6znqrxxnmcxin64fqct
X-Rspamd-Server: rspamout01
X-Session-Marker: 427269616E2E496E676C69734053797374656D6174696353572E61622E6361
X-Session-ID: U2FsdGVkX18+Q50y9zSa+Fo8r3usth7d+KrXqOkTiaE=
X-HE-Tag: 1746299334-189283
X-HE-Meta: U2FsdGVkX1/rHt91zVmduO0dKpBDY/UF7xaZJ+HJ6ciKJTCVMmQcKuCfxzBGuWWMdrVjBKX+5xLNjKzTJQRUIE6FskNOBSYi8QqcrwNIpmNJ26SUnRYAHXhnopWzUFXWiN/m5A4Lj4lZGBOmqLYFjBVtuI4c8Moh33dHvWi67DWTLCJh2/3N0wTvBmvURLHoFACDQckMYxt+kHmYqiBgFohP4tmmtlsCYcfT3LS5iqu+CvysyXQlOJnXr7xFh7ZiyI5hnWBrsg6UFuDfCiSA8kQAOIDHRhx1EUCJvyxKQ6KJLrSZhhPXYHl9Q8HJkmJL8xHmNOTtAyQH2eL4ojeacV2FmlXI9ZPuT7C9vq0zjPsHwllwuAPz9c7q4garASZfgnVY9bykn7+PxlIeuZ2kE7tmawdTXQOEkrumlcb8uXbH5MAlLM5Wy5JGBde0bQ6k0FdGFwxqc44=
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.30
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Brian Inglis via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
Cc: Brian Inglis <Brian DOT Inglis AT SystematicSW DOT ab DOT ca>
Errors-To: cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>
X-MIME-Autoconverted: from base64 to 8bit by delorie.com id 543J9Oqv3805555

On 2025-05-03 12:21, Roland Mainz via Cygwin wrote:
> Is it somehow possible that the CI+Release binaries (*.exe, *.dll) can
> be signed with signtool
> (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool)?

No - would break the Cygwin licence terms unless MS releases source!

> It seems that Microsoft Defender has become overly aggressive to some
> Cygwin binaries (mostly /usr/bin/hostname, /usr/bin/find, /usr/bin/tar
> etc.) in the last couple of weeks and just blocks them.

Aha - more MS Embrace, Extend, Extinguish!

Which Windows, Defender, and Cygwin releases did this start with?

$ which -a find hostname tar | cyg-sanitize-output.sed
/usr/bin/find
/proc/cygdrive/c/WINDOWS/system32/find
/usr/bin/hostname
/proc/cygdrive/c/WINDOWS/system32/hostname
/usr/bin/tar
/proc/cygdrive/c/WINDOWS/system32/tar

Perhaps Cygwin installer or cygcheck should start renaming MS Windows binaries 
whose names conflict with Cygwin utilities! ;^>

What about other packages that install exes whose names conflict with MS Windows 
utilities - does MS block them also, or just Cygwin's, or also other open 
source; what about WSL installs?

[I noticed today that MS supports using only its own proprietary FIDO passkey 
authenticator app - which nobody sensible would ever trust! I liked when we used 
to be able to delete MS crypto keys from the MS Windows keystore.]

> Our IT supports that they can "whitelist" binaries based on their
> cryptographic signature... but neither the binaries from the CI nor
> the Release binaries have any signatures...

Perhaps your paid IT support could just figure out how they could bypass 
Defender checking the Cygwin roots or /*bin/ dirs?

I suspect many of us do that to reduce the overhead of the BLODA.

Or perhaps your paid IT support could just figure out how they could provide 
their own Cygwin mirror with binaries signed with their own signatures and tools.

Cygwin supports osslsigncode:

	https://cygwin.com/packages/summary/osslsigncode-src.html

OpenSSL-based Authenticode signing and timestamping tool

Platform-independent tool for Authenticode signing of PE(EXE/SYS/DLL/etc), CAB 
and MSI files. It also supports timestamping (Authenticode and RFC3161).

That would require our volunteers to find and spend more of their free time to 
integrate the tool into the package build processes, and it would not be 
available until the volunteers find more of their free time once the next 
release of each upstream package becomes available.

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retrancher  but when there is no more to cut
                                 -- Antoine de Saint-Exupéry

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
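The thread above turns on two checks a Windows administrator would want before allow-listing Cygwin binaries: does a given PE file carry an Authenticode signature at all, and what is its SHA-256 for a hash-based allow-list when it does not. The script below is an added example (not from this thread, from Cygwin, or from osslsigncode); it reads the PE optional header's security data directory to decide whether a signature blob is attached, and hashes every file for the inventory. It handles both PE32 and PE32+ images, which goes beyond the specific binaries named in the post. The `build_minimal_pe` helper fabricates constructed header-only test images so the script runs offline; the path `/usr/bin` is only the default search root. Structural presence is all it checks: whether the signature actually verifies is a job for `signtool` or `osslsigncode verify`.

```python
"""Inventory PE binaries: which carry an Authenticode signature, and their SHA-256.

Added example for the Cygwin signing thread (not the project's own code).
build_minimal_pe() produces constructed test data only.
"""
import hashlib
import struct
import sys
from pathlib import Path

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def authenticode_signature_present(data: bytes) -> bool:
    """True if the security data directory points at a non-empty WIN_CERTIFICATE blob.

    Only header structure is checked; the signature itself is not validated.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dirs = opt + 96   # data directories start after the PE32 Windows-specific fields
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112  # PE32+ has 8-byte ImageBase/stack/heap fields, so they start later
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
    if num_dirs <= SECURITY_DIR_INDEX:
        return False
    # For the security directory the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR_INDEX)
    return offset != 0 and size != 0 and offset + size <= len(data)


def classify_binaries(binaries: dict) -> list:
    """Return (name, signed, sha256hex) rows sorted by name; unparseable files get signed=None."""
    rows = []
    for name, data in sorted(binaries.items()):
        try:
            signed = authenticode_signature_present(data)
        except ValueError:
            signed = None
        rows.append((name, signed, hashlib.sha256(data).hexdigest()))
    return rows


def build_minimal_pe(signed: bool) -> bytes:
    """Construct a header-only PE32+ image (test data: not loadable, placeholder 'signature')."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    # Machine=x86-64, no sections, SizeOfOptionalHeader=240, EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)  # 112-byte PE32+ optional header + 16 data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    image = dos + b"PE\0\0" + coff + opt
    if signed:
        blob = b"\0" * 8 + b"constructed-signature-placeholder"
        sec_entry = 64 + 4 + 20 + 112 + 8 * SECURITY_DIR_INDEX
        struct.pack_into("<II", image, sec_entry, len(image), len(blob))
        image += blob
    return bytes(image)


if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin")
    files = {p.name: p.read_bytes() for p in list(root.glob("*.exe")) + list(root.glob("*.dll"))}
    for name, signed, digest in classify_binaries(files):
        state = {True: "signed", False: "UNSIGNED", None: "not-PE"}[signed]
        print(f"{state:9} {digest}  {name}")
```

Run it as `python3 pe_inventory.py /usr/bin` from a Cygwin shell to get one line per binary; the `UNSIGNED` rows with their digests are what an IT team would feed into a hash-based allow-list, and the `signed` rows are the ones worth passing to `osslsigncode verify` or `signtool verify` to confirm who signed them.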
