Mail Archives: cygwin/2025/05/04/09:51:44

Message-ID: <c7a0f3d6-f973-4601-889e-565fb7bde49e@SystematicSW.ab.ca>
Date: Sun, 4 May 2025 07:50:41 -0600
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: Signing cygwin.com binaries with signtool by default ?
To: cygwin AT cygwin DOT com
References: <082cda25-f30a-f3c2-a360-63551c38f904 AT jdrake DOT com>
<A9978416-D4F7-4DD3-B7DB-199387C9EAF0 AT dgtlrift DOT com>
Organization: Systematic Software
In-Reply-To: <A9978416-D4F7-4DD3-B7DB-199387C9EAF0@dgtlrift.com>
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Brian Inglis via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
Cc: Brian Inglis <Brian DOT Inglis AT SystematicSW DOT ab DOT ca>

Or get a free Let's Encrypt cert as many orgs do.

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retrancher  but when there is no more to cut
                                 -- Antoine de Saint-Exupéry


On 2025-05-04 04:40, James Hanley via Cygwin wrote:
> Cygwin as an organization can act as your own CA and leave it up to IT organizations to add the Cygwin public TA cert to the CA trust store.
> -Jim
> 
>> On May 3, 2025, at 3:43 PM, Jeremy Drake via Cygwin <cygwin AT cygwin DOT com> wrote:
>>
>> On Sat, 3 May 2025, Brian Inglis via Cygwin wrote:
>>
>>>> On 2025-05-03 12:21, Roland Mainz via Cygwin wrote:
>>>> Is it somehow possible that the CI+Release binaries (*.exe, *.dll) can
>>>> be signed with signtool
>>>> (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool)?
>>>
>>> No - would break the Cygwin licence terms unless MS releases source!
>>
>> Huh?!?
>>
>>> Cygwin supports osslsigncode:
>>>
>>>     https://cygwin.com/packages/summary/osslsigncode-src.html
>>>
>>> OpenSSL-based Authenticode signing and timestamping tool
>>>
>>> Platform-independent tool for Authenticode signing of PE(EXE/SYS/DLL/etc), CAB
>>> and MSI files. It also supports timestamping (Authenticode and RFC3161).
>>>
>>> That would require our volunteers to find and spend more of their free time to
>>> integrate the tool into the package build processes, and it would not be
>>> available until the volunteers find more of their free time once the next
>>> release of each upstream package becomes available.
>>
>> It would also require getting an X.509 code signing certificate from a
>> Microsoft-blessed authority.  AFAIK, these are not free.  I do remember
>> investigating a service for free signing of open-source binaries (I
>> believe Vim.org uses it for its Windows binaries), but the requirements
>> for integrating with the build automation (so they could verify that
>> binaries weren't tampered with during build) were too onerous for MSYS2 to
>> consider at the time.
