DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 543JRn4S3813403 Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 543JRn4S3813403 Authentication-Results: delorie.com; dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=A9Xdj3xH X-Recipient: archive-cygwin AT delorie DOT com DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org E17303858019 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; s=default; t=1746300468; bh=8yFyNh8OwbSBojKoF5EktUzpc9sw2vTWu/mRCbP62o0=; h=Date:Subject:To:References:In-Reply-To:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=A9Xdj3xHkwr3jTx4jg3/QRKS1G+nePuc8ug8uhnx0ktdqC8P90La/WOdmQa7pyP0f WlwvMGaPf00TMIF6MyXUuIXXnKUNotYeIUO45w6ds3u43Z5/nJ7tpl96+fwZyuWb9w JnR13bGNxI+UI3wshdDygFcf41dEukz1GCvPIhMc= X-Original-To: cygwin AT cygwin DOT com Delivered-To: cygwin AT cygwin DOT com DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 4DF013858429 ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 4DF013858429 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1746300440; cv=none; b=ASKVugrl+UWcfRrIIEFR9wDhq+CraiwJONsWcy4SwEuvS2UJ3pP+W0KfkuF/xrvdBe660qNVAyvFK0B4wa7IyRmUJ8r7gbzN9+rgiNJUssipCB94QGS/ZEvmIwMcyyeXlXt9XqSrYyQXiR1wVl0eknrz16PYsKK+shA5QJzFlo4= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1746300440; c=relaxed/simple; bh=cvi7di3ZOWYKmyeHX5GE21yk+v0bNxnHJ0v1kjhTFoQ=; h=Message-ID:Date:MIME-Version:From:Subject:To:DKIM-Signature; b=DXtDuyE5clggrMbkxzWWUdtxWgcbZYpEQbrWG9biFNgPmZei2vdp7AYiMXf0v4GNXH7ELmqvJm+nZxcNppHkhP6uN/FBol1KU+DjSPvQwM1YVYTvl9l843FxYM+Bsu7c4IYY332lexO3SYflQqlBpOtzvNJPjGBaZk76N0GAmxM= ARC-Authentication-Results: i=1; server2.sourceware.org DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 4DF013858429 Message-ID: Date: Sat, 3 May 2025 13:27:17 -0600 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Signing cygwin.com binaries with signtool by default ? Content-Language: en-CA To: cygwin AT cygwin DOT com References: Organization: Systematic Software In-Reply-To: X-Rspamd-Queue-Id: 8E5DD20024 X-Stat-Signature: ynkegs8q1n6amrgd47frfditoquznqnq X-Rspamd-Server: rspamout01 X-Session-Marker: 427269616E2E496E676C69734053797374656D6174696353572E61622E6361 X-Session-ID: U2FsdGVkX1/70YW6Q6nzEr+TEl1VayYE+zD+Ti9+qgk= X-HE-Tag: 1746300438-478116 X-HE-Meta: U2FsdGVkX188GwrB5d082DK0Ij9f+Q6Dw50aQy8dTK0bAugL59YNpJdqclEcokkSM1XTPG7fORN3Ga1Or3aLdLRXfmVl6pldOi1CLkrsC6e5G7kVO0SZAZAiIn4+3Uz+8qAbcxdj/2+MZlMYzwuE5EDY2gpTre/M/95Te79VudSyvRkXH9ej5KoEkyXDnBSGvrlx3Uku0Za3jtCi9O8zqaqoHb7u/Bua7DgML091LvmBElrJ/hKxmY7d7umN1VUw/cskAyo6/r4FrHBvnxVjrGtGtEMlw2vU6Z24HNjqeqQLeBKjL5LddoTb8NzXve0rLxfxQXJawIACtYrFBIQMM1VwyTVvFOPaIom236bUmnoOBsy3BN+D/2uDjUmHKKzRA6wYlGGo0zURgn1BpSpDM9+ZyQxhUeQd8AElowg1kDzrMVNUHstNupi9K5kJelwH7gXFtcVX/sxxQu/+DxH9qaaqGHP7mBu74kXwwIjT5SE= X-BeenThere: cygwin AT cygwin DOT com X-Mailman-Version: 2.1.30 Precedence: list List-Id: General Cygwin discussions and problem reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Brian Inglis via Cygwin Reply-To: cygwin AT cygwin DOT com Cc: Brian Inglis Content-Type: text/plain; charset="utf-8"; Format="flowed" Errors-To: cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com Sender: "Cygwin" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from base64 to 8bit by delorie.com id 543JRn4S3813403 On 2025-05-03 12:49, Roland Mainz via Cygwin wrote: > On Sat, May 3, 2025 at 8:21 PM Roland Mainz wrote: >> Is it somehow possible that the CI+Release binaries (*.exe, *.dll) can >> be signed with signtool >> (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool) ? >> It seems that Microsoft Defender has become overly aggressive to some >> Cygwin binaries (mostly /usr/bin/hostname, /usr/bin/find, /usr/bin/tar >> etc.) in the last couple of weeks and just blocks them. >> >> Our IT supports that they can "whitelist" binaries based on their >> cryptographic signature... but neither the binaries from the CI nor >> the Release binaries have any signatures... > > BTW: The Windows Defender rule which causes /usr/bin/find.exe, > /usr/bin/hostname.exe etc. to be blocked is "Block use of copied or > impersonated system tools" (C0033C00-D16D-4114-A5A0-DC9B3A7D2CEB) ... Where can we see these rules? Can your paid IT support not modify those rules to bypass Cygwin installs? And maybe share how to with the open source community? Presumably we are providing you with a valuable commodity with valuable utility as well as a valuable freedom to do with it as you like. Perhaps you could repay that valuable freedom, by using some of your valuable resources to figure out and implement workarounds to proprietary barriers to our freedom to use that commodity, and share those with the community! BTW those MS Windows provided utilities are badly outdated, and many have security risks with CVEs against them, so should be replaced with the latest upstream Windows builds ASAP. Perhaps MS should be lambasted for blocking users who choose to install and use versions of utilities from sources which are more current than those provided by MS, with the security risks eliminated by unpaid volunteers who support secure software which offers their users freedom and do it in their free time! -- Take care. Thanks, Brian Inglis Calgary, Alberta, Canada La perfection est atteinte Perfection is achieved non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add mais lorsqu'il n'y a plus rien à retrancher but when there is no more to cut -- Antoine de Saint-Exupéry -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple