DMARC-Filter:	OpenDMARC Filter v1.4.2 delorie.com 544AcFDS4147576
Authentication-Results:	delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com
Authentication-Results:	delorie.com; spf=pass smtp.mailfrom=cygwin.com
DKIM-Filter:	OpenDKIM Filter v2.11.0 delorie.com 544AcFDS4147576
Authentication-Results:	delorie.com;
	dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=x34AFLXH
X-Recipient:	archive-cygwin AT delorie DOT com
DKIM-Filter:	OpenDKIM Filter v2.11.0 sourceware.org 8A0693858C78
DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1746355093;
	bh=JEcNiRpiFsToPRFwYwrG5XE/5o64UhRTMRTn43fUqZI=;
	h=Subject:Date:References:In-Reply-To:To:List-Id:List-Unsubscribe:
	List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:
	From;
	b=x34AFLXHBIdfNVWUrLBIHs+YeGhzlanLe+saN0vQgtOuLwd4y5M5zWYTgK3RCQ8Jq
	j4/kmBysJnb7hsq+/kX2vKCamM86HQjz1Cx0omz3fw6FqaYd/5oh+m+u3N+BqjGl+i
	9t/n9h8S2YJm7Y3WwGGtsgiOB4M6rgACr/3jpEM8=
X-Original-To:	cygwin AT cygwin DOT com
Delivered-To:	cygwin AT cygwin DOT com
DMARC-Filter:	OpenDMARC Filter v1.4.2 sourceware.org 33BBB3858CD9
ARC-Filter:	OpenARC Filter v1.0.0 sourceware.org 33BBB3858CD9
ARC-Seal:	i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1746355067; cv=none;
	b=qCnnc7eZ3Atz+RMv+JQyi0/p0wjToYccHtKjyBq9UJQqAmb6s6asNnDLlwDm86GDYypIl1IsQSGwEjFR5BRZV5dbLQ2w/hhQsU+8s+GqEfiStafLmobD02o+KaZ/5KOVKmkK0W5y9LBOEPKhXmD9kjm/q+oZCAbyUSK9ULFU2Io=
ARC-Message-Signature:	i=1; a=rsa-sha256; d=sourceware.org; s=key;
	t=1746355067; c=relaxed/simple;
	bh=Fz/JeI2CwSSjOOQ6eyvb+3RJh4iudXSyuqmW/C5SBK4=;
	h=DKIM-Signature:From:Mime-Version:Subject:Date:Message-Id:To;
	b=x0Xivl+wwhS3jR6JTVMg33B+wVmdGrf6VIrhQNpcZieBdKX7uCgFQvRVp7z0x0nTd2T8JtIU/C9Glv5hN9rRySg1Va+PAw6AIfkKUlVOf9xR3pEo4jFEvSDpr3DQfmximwfbWLxdoe+LVSH3f5b72B2TCVOBWpMl65YZUR7c7x0=
ARC-Authentication-Results:	i=1; server2.sourceware.org
DKIM-Filter:	OpenDKIM Filter v2.11.0 sourceware.org 33BBB3858CD9
X-Google-DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20230601; t=1746355066; x=1746959866;
	h=to:in-reply-to:cc:references:message-id:date:subject:mime-version
	:from:content-transfer-encoding:x-gm-message-state:from:to:cc
	:subject:date:message-id:reply-to;
	bh=A65Exfn8Cv9HRnifVdQE5/DP5OeKDYUJclITK4BO+xU=;
	b=k+FXulREAn7CXMqvTRxP43fBSpjc/vmVTuzDfLp4GP8we9Eq/CFkshIi0fqgP48CVm
	CFePLC62FU73noJdC7PQgAeXuIjMf6PcROA+O5akFRs9zerGs3ePcoj6nHke2N4q05gy
	Y/fLVWbcS57X/q9PNXBuSecvkVAC1asL54xL/re+u1lghwGpRp6OAxvwufNfz30YvXi7
	5O83TfVpiHUYDG6SCIy2dZsgTwVUyw3Elk9LrN36ChbqgfJ+Qp45stg3kCHMRDIPGIXZ
	MTTFJDaz2vUUjYIkBVVh+UhIRne6LP2J9lwRf2sjpeDZmP8nN28lOkQUvx0OPRT4yn3r
	PWuQ==
X-Gm-Message-State:	AOJu0Yz5s2mCeshGJtNFyc9qRIVYhpplTD6i2rYf+tFhW75jZg5a/Ly4
	PTuWdFQVYuMwzpscfs6Vsca36HlZbjjsiW1VFwrkZxVwlTwtRQgrmand1ykR++QSaY9DzFG3nqU
	=
X-Gm-Gg:	ASbGncsweontQTgPUbYZ7JU59G80DAgT10odz852mC/tEliCdf5jTZRuUadhTnigPyg
	Xkls0dGCl7+D7ImwEsDAV4OgvioyM5/ab/b5i0gQn7YbEb6MPEKBXPRjVofpjgM1Ymz9eIKeHwQ
	lK59zbOQcHml48TE1tePo1u2I133G3rPyBjzAYUXx5/oyBQp1FwHriyU61TguovjJjVsUfYJuLb
	I7G/MKjwjbZj/Z56IEssAoGAeyC6x1WDIdIb+lmxK6K+ebeyFuGZSFyZB5uahpxRAPah+YccAF2
	P7VMYzKai5xAM0tHxxmwg4nd8ynYRhGDlq057iz+AW7p8zcst52V/aWmoWrwN25pQLkNzA==
X-Google-Smtp-Source:	AGHT+IHLmz+W2HEaBHAt8iORkk3xjYBRGX41n7Xh/MIL7VsCNgxbIszMLLrD9Rlni9Rsu3Rz4GdLMg==
X-Received:	by 2002:a05:6902:478a:b0:e72:74a9:18d with SMTP id
	3f1490d57ef6-e7571b356bbmr6176372276.42.1746355066404;
	Sun, 04 May 2025 03:37:46 -0700 (PDT)
Mime-Version:	1.0 (1.0)
Subject:	Re: Signing cygwin.com binaries with signtool by default ?
Date:	Sun, 4 May 2025 06:37:35 -0400
Message-Id:	<D943C328-6581-4334-B06F-860922EEF62B@dgtlrift.com>
References:	<5fd86c45-8236-43ce-b259-0e0145dda30f AT SystematicSW DOT ab DOT ca>
In-Reply-To:	<5fd86c45-8236-43ce-b259-0e0145dda30f@SystematicSW.ab.ca>
To:	cygwin AT cygwin DOT com
X-Mailer:	iPhone Mail (22E252)
X-BeenThere:	cygwin AT cygwin DOT com
X-Mailman-Version:	2.1.30
List-Id:	General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive:	<https://cygwin.com/pipermail/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe:	<https://cygwin.com/mailman/listinfo/cygwin>,
	<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From:	James Hanley via Cygwin <cygwin AT cygwin DOT com>
Reply-To:	James Hanley <jhanley AT dgtlrift DOT com>
Cc:	cygwin AT cygwin DOT com
Sender:	"Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>
X-MIME-Autoconverted:	from base64 to 8bit by delorie.com id 544AcFDS4147576

Break the license rules? How - is it GPLv3?
-Jim

> On May 3, 2025, at 3:09 PM, Brian Inglis via Cygwin <cygwin AT cygwin DOT com> wrote:
> 
> On 2025-05-03 12:21, Roland Mainz via Cygwin wrote:
>> Is it somehow possible that the CI+Release binaries (*.exe, *.dll) can
>> be signed with signtool
>> (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool)?
> 
> No - would break the Cygwin licence terms unless MS releases source!
> 
>> It seems that Microsoft Defender has become overly aggressive to some
>> Cygwin binaries (mostly /usr/bin/hostname, /usr/bin/find, /usr/bin/tar
>> etc.) in the last couple of weeks and just blocks them.
> 
> Aha - more MS Embrace, Extend, Extinguish!
> 
> Which Windows, Defender, and Cygwin releases did this start with?
> 
> $ which -a find hostname tar | cyg-sanitize-output.sed
> /usr/bin/find
> /proc/cygdrive/c/WINDOWS/system32/find
> /usr/bin/hostname
> /proc/cygdrive/c/WINDOWS/system32/hostname
> /usr/bin/tar
> /proc/cygdrive/c/WINDOWS/system32/tar
> 
> Perhaps Cygwin installer or cygcheck should start renaming MS Windows binaries whose names conflict with Cygwin utilities! ;^>
> 
> What about other packages that install exes whose names conflict with MS Windows utilities - does MS block them also, or just Cygwin's, or also other open source; what about WSL installs?
> 
> [I noticed today that MS supports using only its own proprietary FIDO passkey authenticator app - which nobody sensible would ever trust! I liked when we used to be able to delete MS crypto keys from the MS Windows keystore.]
> 
>> Our IT supports that they can "whitelist" binaries based on their
>> cryptographic signature... but neither the binaries from the CI nor
>> the Release binaries have any signatures...
> 
> Perhaps your paid IT support could just figure out how they could bypass Defender checking the Cygwin roots or /*bin/ dirs?
> 
> I suspect many of us do that to reduce the overhead of the BLODA.
> 
> Or perhaps your paid IT support could just figure out how they could provide their own Cygwin mirror with binaries signed with their own signatures and tools.
> 
> Cygwin supports osslsigncode:
> 
>    https://cygwin.com/packages/summary/osslsigncode-src.html
> 
> OpenSSL-based Authenticode signing and timestamping tool
> 
> Platform-independent tool for Authenticode signing of PE(EXE/SYS/DLL/etc), CAB and MSI files. It also supports timestamping (Authenticode and RFC3161).
> 
> That would require our volunteers to find and spend more of their free time to integrate the tool into the package build processes, and it would not be available until the volunteers find more of their free time once the next release of each upstream package becomes available.
> 
> --
> Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada
> 
> La perfection est atteinte                   Perfection is achieved
> non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
> mais lorsqu'il n'y a plus rien à retrancher  but when there is no more to cut
>                                -- Antoine de Saint-Exupéry
> 
> --
> Problem reports:      https://cygwin.com/problems.html
> FAQ:                  https://cygwin.com/faq/
> Documentation:        https://cygwin.com/docs.html
> Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

- Raw text -