Date: Sun, 4 May 2025 07:50:41 -0600
Subject: Re: Signing cygwin.com binaries with signtool by default ?
From: Brian Inglis via Cygwin
To: cygwin AT cygwin DOT com
Reply-To: cygwin AT cygwin DOT com

Or get a free Let's Encrypt cert as many orgs do.

--
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retrancher  but when there is no more to cut
                                -- Antoine de Saint-Exupéry

On 2025-05-04 04:40, James Hanley via Cygwin wrote:
> Cygwin as an organization can act as your own CA and leave it up to IT
> organizations to add the Cygwin public TA cert to the CA trust store.
> -Jim
>
>> On May 3, 2025, at 3:43 PM, Jeremy Drake via Cygwin wrote:
>>
>> On Sat, 3 May 2025, Brian Inglis via Cygwin wrote:
>>
>>>> On 2025-05-03 12:21, Roland Mainz via Cygwin wrote:
>>>> Is it somehow possible that the CI+Release binaries (*.exe, *.dll) can
>>>> be signed with signtool
>>>> (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool)?
>>>
>>> No - would break the Cygwin licence terms unless MS releases source!
>>
>> Huh?!?
>>
>>> Cygwin supports osslsigncode:
>>>
>>> https://cygwin.com/packages/summary/osslsigncode-src.html
>>>
>>> OpenSSL-based Authenticode signing and timestamping tool
>>>
>>> Platform-independent tool for Authenticode signing of PE(EXE/SYS/DLL/etc), CAB
>>> and MSI files. It also supports timestamping (Authenticode and RFC3161).
>>>
>>> That would require our volunteers to find and spend more of their free time to
>>> integrate the tool into the package build processes, and it would not be
>>> available until the volunteers find more of their free time once the next
>>> release of each upstream package becomes available.
>>
>> It would also require getting an X.509 code signing certificate from a
>> Microsoft-blessed authority. AFAIK, these are not free. I do remember
>> investigating a service for free signing of open-source binaries (I
>> believe Vim.org uses it for its Windows binaries), but the requirements
>> for integrating with the build automation (so they could verify that
>> binaries weren't tampered with during build) was too onerous for MSYS2 to
>> consider at the time.

--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple