This is the mail archive of the cygwin mailing list for the Cygwin project.
Should cygwin's setup*.exe be signed using Sign Tool?
- From: "David A. Wheeler" <dwheeler at dwheeler dot com>
- To: "cygwin" <cygwin at cygwin dot com>
- Date: Thu, 02 Apr 2015 14:13:09 -0400 (EDT)
- Subject: Should cygwin's setup*.exe be signed using Sign Tool?
- Authentication-results: sourceware.org; auth=none
- Reply-to: dwheeler at dwheeler dot com
Running setup*.exe produces "Publisher: Unknown publisher", and it's doubtful that many people check the signature of the .exe file before running. Even if they did, there's the problem that the signature comes from the same place.
Has Cygwin considered signing the installer using Sign Tool? More info:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx
http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/
I believe signing it this way would eliminate the "unknown publisher"; it would also protect the many people who don't follow the current signature-checking process. This would create a strong barrier against code subversion after release.
The signed executable could also be signed using the current process, so you don't need to *eliminate* any capability. I can't provide a patch to do this, obviously :-).
--- David A. Wheeler
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
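The two halves of what the message proposes, as an added example that is not part of the original post and not Cygwin project code: the release side signs setup*.exe with SignTool (SHA-256 file digest plus an RFC 3161 timestamp, so the signature stays valid after the certificate expires), and the user side checks the Authenticode signature before running instead of relying on a "Publisher: Unknown publisher" dialog. The file name setup-x86_64.exe, the certificate thumbprint, the timestamp server URL and the pinned publisher subject are placeholders, not real Cygwin values; signtool.exe from the Windows SDK is assumed to be on PATH.

```powershell
# Added example, not Cygwin project code. Assumptions: signtool.exe (Windows SDK) is on
# PATH; a code-signing certificate with SHA-1 thumbprint $Thumbprint is installed in the
# current user's certificate store; the installer is named setup-x86_64.exe. The
# thumbprint, timestamp URL and expected subject below are placeholders.

$Installer       = 'setup-x86_64.exe'
$Thumbprint      = '0123456789ABCDEF0123456789ABCDEF01234567'  # placeholder, not a real cert
$TsaUrl          = 'http://timestamp.example.invalid'           # replace with your CA's RFC 3161 TSA
$ExpectedSubject = 'CN=Cygwin Release Signing'                  # hypothetical subject to pin

# 1. Release side: Authenticode-sign with a SHA-256 file digest and an RFC 3161 timestamp.
#    Without the timestamp, the signature is treated as invalid once the certificate expires,
#    so an installer downloaded years later would go back to "Unknown publisher".
& signtool.exe sign /fd SHA256 /sha1 $Thumbprint /tr $TsaUrl /td SHA256 /v $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Sanity check against the default Authenticode verification policy (/pa).
& signtool.exe verify /pa /v $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 2. User side: verify before running. Trust comes from the certificate chain and the
#    pinned signer subject, not from the site the file was downloaded from, which is what
#    makes this check independent of "the same place" the file came from.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Subject
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # 'NotSigned', 'HashMismatch' (tampered after signing), 'UnknownError' (untrusted chain), ...
        Write-Warning "$Path : signature status is $($sig.Status)"
        return $false
    }
    if ($sig.SignerCertificate.Subject -ne $Subject) {
        Write-Warning "$Path : signed by '$($sig.SignerCertificate.Subject)', expected '$Subject'"
        return $false
    }
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning "$Path : valid but not timestamped; it will stop validating when the cert expires"
        return $false
    }
    return $true
}

if (Test-InstallerSignature -Path $Installer -Subject $ExpectedSubject) {
    Start-Process -FilePath $Installer -Wait
} else {
    Write-Error "Refusing to run $Installer"
}
```

Pinning the signer subject rather than the certificate thumbprint lets the check survive routine certificate renewal; pin the thumbprint instead if you want the stricter check and are prepared to update it on every rotation. A HashMismatch status is the case the message is most concerned with: the file was altered after release, and Windows would refuse it even for users who never check a detached signature.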