Date: Wed, 17 Aug 2016 21:34:05 +0300
From: Andrey Repin
Reply-To: cygwin AT cygwin DOT com
Message-ID: <441019555.20160817213405@yandex.ru>
To: lloyd DOT wood AT yahoo DOT co DOT uk, cygwin AT cygwin DOT com
Subject: Re: Cygwin's installation and security models?
In-Reply-To: <2144740387.26033819.1471429498939.JavaMail.yahoo@mail.yahoo.com>

Greetings, lloyd DOT wood AT yahoo DOT co DOT uk!

> Specifically, when I launch Cygwin's setup.exe, I am warned:
> "Do you want to allow this app from an unknown publisher to
> make changes to your system?"

This is a generic warning suggesting to double-check your actions.

> That code could be anything. I think that means that
> if your website gets hacked, and the setup binaries
> get replaced, everyone is in trouble. Compare with the
> recent Classic Shell hack where not having a signed
> installer was, at least, a warning.
> http://www.bleepingcomputer.com/news/security/audacity-and-classic-shell-download-server-hacked-by-pegglecrew-/

> I'd expect the app to be signed

Signed by whom?

> and generate a UAC prompt saying it was signed by Redhat or similar.

I can fake such a signature in under 30 seconds.
All this "signing" tests is that the signature is correct and the content hash is matching the signature. Period.

If anything, I see this warning as a good reason to go on a search to check the credibility of your download yourself. And that is what really matters, instead of blindly trusting the pretty images.

For additional info, you can start reading from http://sourceware.org/ml/cygwin/2015-04/msg00049.html , and consider the http://sourceware.org/ml/cygwin/2015-03/msg00119.html .

P.S.
Just in case I'm not confusing you with someone else: This mailing list is in "no top posting, please, thank you" mode.
--
With best regards,
Andrey Repin
Wednesday, August 17, 2016 21:18:58

Sorry for my terrible English...

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
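The point made in the reply above is that a "valid" Authenticode signature only proves the file's hash matches what some key holder signed; it does not by itself tell you that the key holder is the project you meant to download from. The following PowerShell function is an added example (not code from the thread or from the Cygwin project) of the "check the credibility of your download yourself" step: it separates the three questions a practitioner actually cares about, namely whether the bytes match the digest the project published, whether the signature chain validates on this machine, and whether the signer's certificate is the one you pinned earlier. The function name, the `-ExpectedSha512` and `-ExpectedThumbprint` parameters, and all placeholder values are assumptions; real digests and thumbprints must come from the project's own site or a previously verified copy.

```powershell
function Test-Installer {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: digest copied from the project's published checksum list.
        [Parameter(Mandatory)][string]$ExpectedSha512,
        # Assumption: signer thumbprint pinned from a copy you verified out of band.
        [string]$ExpectedThumbprint
    )

    $result = [ordered]@{
        HashMatches     = $false
        SignatureStatus = $null
        SignatureValid  = $false
        Subject         = $null
        PublisherPinned = $false
    }

    # 1. Content check: do the bytes you received match the published digest?
    $actual = (Get-FileHash -Path $Path -Algorithm SHA512).Hash
    $result.HashMatches = ($actual -ieq $ExpectedSha512)

    # 2. Signature check: 'Valid' means the chain builds to a root this machine trusts
    #    and the signed hash matches the file. It does NOT identify who the signer is.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status
    $result.SignatureValid  = ($sig.Status -eq 'Valid')

    # 3. Identity check: compare the signer to the certificate you pinned, not to the
    #    pretty name shown in a UAC dialog.
    if ($sig.SignerCertificate) {
        $result.Subject = $sig.SignerCertificate.Subject
        if ($ExpectedThumbprint) {
            $result.PublisherPinned = ($sig.SignerCertificate.Thumbprint -ieq $ExpectedThumbprint)
        }
    }

    [pscustomobject]$result
}

# Usage (placeholder values, not a real Cygwin digest or certificate):
# Test-Installer -Path .\setup.exe `
#     -ExpectedSha512 '<PLACEHOLDER digest from the project site>' `
#     -ExpectedThumbprint '<PLACEHOLDER pinned signer thumbprint>'
```

Only treat the download as trustworthy when `HashMatches` is true and, if the file is signed, `PublisherPinned` is also true; `SignatureValid` alone is exactly the "pretty image" the reply warns against, since any certificate that chains to a trusted root produces it. An unsigned file reports `SignatureStatus` of `NotSigned`, which is the state the Cygwin setup.exe discussed above is in, so for it the published digest is the check that carries the weight.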