Mail Archives: cygwin/2025/05/03/15:44:09

Date: Sat, 3 May 2025 12:43:42 -0700 (PDT)
X-X-Sender: jeremyd AT resin DOT csoft DOT net
To: Brian Inglis via Cygwin <cygwin AT cygwin DOT com>
Subject: Re: Signing cygwin.com binaries with signtool by default ?
In-Reply-To: <5fd86c45-8236-43ce-b259-0e0145dda30f@SystematicSW.ab.ca>
Message-ID: <082cda25-f30a-f3c2-a360-63551c38f904@jdrake.com>
References: <CAKAoaQn=-jVLnrO1hmM_4JAPodO-YnUuw+fcnDScHa=d2G48=A AT mail DOT gmail DOT com>
<5fd86c45-8236-43ce-b259-0e0145dda30f AT SystematicSW DOT ab DOT ca>
From: Jeremy Drake via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Jeremy Drake <cygwin AT jdrake DOT com>

On Sat, 3 May 2025, Brian Inglis via Cygwin wrote:

> On 2025-05-03 12:21, Roland Mainz via Cygwin wrote:
> > Is it somehow possible that the CI+Release binaries (*.exe, *.dll) can
> > be signed with signtool
> > (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool)?
>
> No - would break the Cygwin licence terms unless MS releases source!

Huh?!?

> Cygwin supports osslsigncode:
>
> 	https://cygwin.com/packages/summary/osslsigncode-src.html
>
> OpenSSL-based Authenticode signing and timestamping tool
>
> Platform-independent tool for Authenticode signing of PE(EXE/SYS/DLL/etc), CAB
> and MSI files. It also supports timestamping (Authenticode and RFC3161).
>
> That would require our volunteers to find and spend more of their free time to
> integrate the tool into the package build processes, and it would not be
> available until the volunteers find more of their free time once the next
> release of each upstream package becomes available.

It would also require getting an X.509 code signing certificate from a
Microsoft-blessed authority.  AFAIK, these are not free.  I do remember
investigating a service for free signing of open-source binaries (I
believe Vim.org uses it for its Windows binaries), but the requirements
for integrating with the build automation (so they could verify that
binaries weren't tampered with during build) were too onerous for MSYS2 to
consider at the time.

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
