Subject: Re: Cygwin's installation and security models?
To: cygwin AT cygwin DOT com
From: Brian Inglis
Date: Tue, 16 Aug 2016 22:17:51 -0600

On 2016-08-16 19:49, lloyd DOT wood AT yahoo DOT co DOT uk wrote:
> I'd like to understand Cygwin's installation and
> security models better:
> - Cygwin's installers aren't signed.
> - downloads are from a number of untrusted mirrors
> via http/ftp, and packages aren't verified.
> Is this correct?

Nope!
The installer is downloaded from a TLS enabled web site.
The installer manifest contains a public key, so the build or
at least the manifest is signed with a private key.
There are detached GPG signatures for the installer programs
setup_x86{,_64}.exe and setup.ini data files, verified by the
installer.
The setup.ini installer data files contain message digests for
each of the installable packages, verified by the installer.

HTH
-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
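Added example, not part of the original message and not Cygwin's own setup code: a sketch of the per-package digest check the reply describes, run against a constructed setup.ini-style stanza. The "install: <path> <size> <hex digest>" layout, the package name demo-pkg, and inferring the hash algorithm from the digest length are assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample data; not taken from a real mirror or a real setup.ini.
PAYLOAD = b"constructed package payload\n"
SAMPLE_INI = """\
@ demo-pkg
sdesc: "Constructed demo package"
version: 1.0-1
install: x86_64/release/demo-pkg/demo-pkg-1.0-1.tar.xz {size} {digest}
""".format(size=len(PAYLOAD), digest=hashlib.sha512(PAYLOAD).hexdigest())

# Assumption: the algorithm is inferred from the hex digest length.
# Anything shorter (for example a 32-character MD5 value) is rejected.
ALGO_BY_HEXLEN = {128: "sha512", 64: "sha256"}


def parse_install_entries(ini_text):
    """Map package name -> (path, size, hex digest) from 'install:' lines."""
    entries, current = {}, None
    for line in ini_text.splitlines():
        if line.startswith("@ "):
            current = line[2:].strip()
        elif line.startswith("install:") and current is not None:
            fields = line.split(":", 1)[1].split()
            if len(fields) != 3 or not fields[1].isdigit():
                raise ValueError(f"malformed install line for {current!r}")
            # Keep the first install line seen for each package.
            entries.setdefault(current, (fields[0], int(fields[1]), fields[2].lower()))
    return entries


def verify_package(entries, name, data):
    """Return True only if size and digest both match the manifest entry."""
    if name not in entries:
        return False  # package not listed in the manifest: refuse it
    _path, size, expected = entries[name]
    algo = ALGO_BY_HEXLEN.get(len(expected))
    if algo is None or len(data) != size:
        return False  # unknown or weak digest, or size mismatch: fail closed
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)
```

The digest comparison only means something once setup.ini itself has been authenticated, which is the job of the detached signature mentioned in the reply; a mirror that can alter both the package and an unverified setup.ini would pass this check.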