Date: Sat, 3 May 2025 12:43:42 -0700 (PDT)
From: Jeremy Drake via Cygwin
To: Brian Inglis via Cygwin
Subject: Re: Signing cygwin.com binaries with signtool by default ?

On Sat, 3 May 2025, Brian Inglis via Cygwin wrote:

> On 2025-05-03 12:21, Roland Mainz via Cygwin wrote:
> > Is it somehow possible that the CI+Release binaries (*.exe, *.dll) can
> > be signed with signtool
> > (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool)?
>
> No - would break the Cygwin licence terms unless MS releases source!

Huh?!?

> Cygwin supports osslsigncode:
>
> https://cygwin.com/packages/summary/osslsigncode-src.html
>
> OpenSSL-based Authenticode signing and timestamping tool
>
> Platform-independent tool for Authenticode signing of PE(EXE/SYS/DLL/etc), CAB
> and MSI files. It also supports timestamping (Authenticode and RFC3161).
>
> That would require our volunteers to find and spend more of their free time to
> integrate the tool into the package build processes, and it would not be
> available until the volunteers find more of their free time once the next
> release of each upstream package becomes available.

It would also require getting an X.509 code signing certificate from a
Microsoft-blessed authority. AFAIK, these are not free.

I do remember investigating a service for free signing of open-source
binaries (I believe Vim.org uses it for its Windows binaries), but the
requirements for integrating with the build automation (so they could
verify that binaries weren't tampered with during build) were too onerous
for MSYS2 to consider at the time.

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple