Mail Archives: cygwin/2025/05/03/15:27:50

Message-ID: <b3ee3010-cf03-4ea5-96c2-9fccb7eede17@SystematicSW.ab.ca>
Date: Sat, 3 May 2025 13:27:17 -0600
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: Signing cygwin.com binaries with signtool by default ?
To: cygwin AT cygwin DOT com
References: <CAKAoaQn=-jVLnrO1hmM_4JAPodO-YnUuw+fcnDScHa=d2G48=A AT mail DOT gmail DOT com>
<CAKAoaQkwnZ2LJeKwHFmJ7yWLxFvJrdp+3iewqzS6ujj0cupuJQ AT mail DOT gmail DOT com>
Organization: Systematic Software
In-Reply-To: <CAKAoaQkwnZ2LJeKwHFmJ7yWLxFvJrdp+3iewqzS6ujj0cupuJQ@mail.gmail.com>
From: Brian Inglis via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
Cc: Brian Inglis <Brian DOT Inglis AT SystematicSW DOT ab DOT ca>

On 2025-05-03 12:49, Roland Mainz via Cygwin wrote:
> On Sat, May 3, 2025 at 8:21 PM Roland Mainz <roland DOT mainz AT nrubsig DOT org> wrote:
>> Is it somehow possible that the CI+Release binaries (*.exe, *.dll) can
>> be signed with signtool
>> (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool) ?
>> It seems that Microsoft Defender has become overly aggressive to some
>> Cygwin binaries (mostly /usr/bin/hostname, /usr/bin/find, /usr/bin/tar
>> etc.) in the last couple of weeks and just blocks them.
>>
>> Our IT supports that they can "whitelist" binaries based on their
>> cryptographic signature... but neither the binaries from the CI nor
>> the Release binaries have any signatures...
> 
> BTW: The Windows Defender rule which causes /usr/bin/find.exe,
> /usr/bin/hostname.exe etc. to be blocked is "Block use of copied or
> impersonated system tools" (C0033C00-D16D-4114-A5A0-DC9B3A7D2CEB) ...

Where can we see these rules?

Can your paid IT support not modify those rules to bypass Cygwin installs?

And maybe share how to with the open source community?

Presumably we are providing you with a valuable commodity with valuable utility 
as well as a valuable freedom to do with it as you like.

Perhaps you could repay that valuable freedom, by using some of your valuable 
resources to figure out and implement workarounds to proprietary barriers to our 
freedom to use that commodity, and share those with the community!

BTW those MS Windows provided utilities are badly outdated, and many have 
security risks with CVEs against them, so should be replaced with the latest 
upstream Windows builds ASAP.

Perhaps MS should be lambasted for blocking users who choose to install and use 
versions of utilities from sources which are more current than those provided by 
MS, with the security risks eliminated by unpaid volunteers who support secure 
software which offers their users freedom and do it in their free time!

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retrancher  but when there is no more to cut
                                 -- Antoine de Saint-Exupéry
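
Added example, not part of the original message or of the Cygwin project: a read-only PowerShell check that reports how the ASR rule quoted above is configured on the local machine and whether the binaries named in the thread carry an Authenticode signature. The install path C:\cygwin64\bin and the function names are assumptions; the action codes are the values Microsoft documents for ASR rules.

```powershell
# Rule GUID as quoted in the message above.
$RuleId = 'C0033C00-D16D-4114-A5A0-DC9B3A7D2CEB'
# Assumption: default 64-bit Cygwin install root; adjust to the local install.
$CygwinBin = 'C:\cygwin64\bin'
# Binaries named in the thread as being blocked.
$Names = 'hostname.exe', 'find.exe', 'tar.exe'
# ASR action codes as reported by Get-MpPreference.
$ActionText = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Hypothetical helper: looks up one rule in the parallel Ids/Actions arrays.
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $state   = 'Not configured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            $code  = [int]$actions[$i]
            $state = if ($ActionText.ContainsKey($code)) { $ActionText[$code] }
                     else { "Unknown ($code)" }
        }
    }
    [pscustomobject]@{
        RuleId     = $Id
        Action     = $state
        # Paths currently excluded from ASR rules on this machine, if any.
        Exclusions = @($pref.AttackSurfaceReductionOnlyExclusions)
    }
}

function Get-CygwinSignatureStatus {
    # Hypothetical helper: Authenticode status for each named binary.
    param([string]$BinDir, [string[]]$FileNames)
    foreach ($n in $FileNames) {
        $path = Join-Path $BinDir $n
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $path; Status = 'Missing'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        # Status is NotSigned when the file has no embedded signature.
        [pscustomobject]@{ File = $path; Status = $sig.Status
                           Signer = $sig.SignerCertificate.Subject }
    }
}

Get-AsrRuleState -Id $RuleId | Format-List
Get-CygwinSignatureStatus -BinDir $CygwinBin -FileNames $Names | Format-Table -AutoSize
```

Get-MpPreference needs the Defender PowerShell module, so run this on the affected Windows host; nothing in it changes any setting.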
