Subject: Re: Signing cygwin.com binaries with signtool by default ?
Date: Sun, 4 May 2025 06:40:35 -0400
From: James Hanley via Cygwin
To: Jeremy Drake
Cc: Brian Inglis via Cygwin
List-Id: General Cygwin discussions and problem reports

Cygwin as an organization can act as your own CA and leave it up to IT organizations to add the Cygwin public TA cert to the CA trust store.

-Jim

> On May 3, 2025, at 3:43 PM, Jeremy Drake via Cygwin wrote:
>
> On Sat, 3 May 2025, Brian Inglis via Cygwin wrote:
>
>>> On 2025-05-03 12:21, Roland Mainz via Cygwin wrote:
>>> Is it somehow possible that the CI+Release binaries (*.exe, *.dll) can
>>> be signed with signtool
>>> (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool)?
>>
>> No - would break the Cygwin licence terms unless MS releases source!
>
> Huh?!?
>
>> Cygwin supports osslsigncode:
>>
>> https://cygwin.com/packages/summary/osslsigncode-src.html
>>
>> OpenSSL-based Authenticode signing and timestamping tool
>>
>> Platform-independent tool for Authenticode signing of PE(EXE/SYS/DLL/etc), CAB
>> and MSI files. It also supports timestamping (Authenticode and RFC3161).
>>
>> That would require our volunteers to find and spend more of their free time to
>> integrate the tool into the package build processes, and it would not be
>> available until the volunteers find more of their free time once the next
>> release of each upstream package becomes available.
>
> It would also require getting an X.509 code signing certificate from a
> Microsoft-blessed authority. AFAIK, these are not free. I do remember
> investigating a service for free signing of open-source binaries (I
> believe Vim.org uses it for its Windows binaries), but the requirements
> for integrating with the build automation (so they could verify that
> binaries weren't tampered with during build) was too onerous for MSYS2 to
> consider at the time.

--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple