This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: Should cygwin's setup*.exe be signed using Sign Tool?

Greetings, David A. Wheeler!

> Running setup*.exe produces "Publisher: Unknown publisher", and it's
> doubtful that many people check the signature of the .exe file before
> running.  Even if they did, there's the problem that the signature comes from the same place.

> Has Cygwin considered signing the installer using Sign Tool? More info:

Did Microsoft make it available separately? Or is there a description of the
structure of such a signature and/or a free tool that can be used to generate
Last I checked, you have to install a metric ton of garbage to get signtool as
a bonus.


> I believe signing it this way would eliminate the "unknown publisher"; it
> would also protect the many people who don't follow the current
> signature-checking process.  This would create a strong barrier against code subversion after release.

People who don't check signatures manually won't check the credibility of
the embedded signature either.
And it only takes about thirty seconds to fake the lines that are visible in
the prompt dialog.
Been there, done that.

> The signed executable could also be signed using the current process, so you
> don't need to *eliminate* any capability.  I can't provide a patch to do
> this, obviously :-).

Signing an executable doesn't alter its behavior in any way, shape or form.
I've had success signing executable archives.

With best regards,
Andrey Repin
Friday, April 3, 2015 01:17:20

Sorry for my terrible English...
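The thread turns on two things an Authenticode signature does and does not do: it fills the "Publisher" line of the consent prompt, and it does not touch the code that runs. Both follow from the PE layout, which the example below (added here, not code from the Cygwin project or either poster) makes concrete: the signature lives in an attribute certificate table appended to the file and pointed to by the security data-directory entry, and the digest the signature covers deliberately skips the CheckSum field, that directory entry and the table itself, so an unsigned image and its signed copy hash to the same Authenticode digest. The `build_sample_pe` helper constructs a minimal, non-runnable PE32+ image and a placeholder PKCS#7 blob purely as test input; `authenticode_digest` follows the usual layout produced by a linker plus signtool or osslsigncode (sections contiguous in file order, certificate table at the end), which is an assumption, since the specification's section-by-section walk differs only for padded or reordered images. Verifying the PKCS#7 content and chaining the signer to a trusted root is what the Windows loader or `signtool verify` does next and is not shown.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # index of the certificate-table entry
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # bCertificate holds a PKCS#7 SignedData
# Constructed placeholder: a DER SEQUENCE wrapping the signedData OID 1.2.840.113549.1.7.2.
# Not a real signature; it only stands in for what signtool would embed.
FAKE_PKCS7 = b"\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"


def _pe_offsets(data):
    """Return (checksum_off, secdir_off): file offsets of the optional-header
    CheckSum and of the IMAGE_DIRECTORY_ENTRY_SECURITY data directory entry."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32: data directories start at +96
        dd_base = opt + 96
    elif magic == 0x20B:                         # PE32+: data directories start at +112
        dd_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%04x" % magic)
    return opt + 64, dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8


def get_certificate_table(data):
    """(offset, size) of the attribute certificate table, or None when the image
    carries no embedded signature (the 'Unknown publisher' case)."""
    _, secdir_off = _pe_offsets(data)
    off, size = struct.unpack_from("<II", data, secdir_off)   # this entry is a file offset, not an RVA
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("certificate table runs past end of file")
    return off, size


def extract_pkcs7(data):
    """Return the DER PKCS#7 blob of the first WIN_CERTIFICATE, or None if unsigned."""
    table = get_certificate_table(data)
    if table is None:
        return None
    off, size = table
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unsupported certificate type 0x%04x" % cert_type)
    if length > size or length < 8:
        raise ValueError("WIN_CERTIFICATE length inconsistent with table size")
    return data[off + 8:off + length]


def authenticode_digest(data, algo="sha256"):
    """Authenticode image digest: everything except CheckSum, the security
    directory entry and the certificate table. Assumes the common contiguous layout."""
    checksum_off, secdir_off = _pe_offsets(data)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    table = get_certificate_table(data)
    if table is None:
        h.update(data[secdir_off + 8:])
    else:
        off, size = table
        h.update(data[secdir_off + 8:off])
        h.update(data[off + size:])                # normally empty: the table is last
    return h.hexdigest()


def describe(data):
    """Summary a wrapper script could log before deciding whether to run an installer."""
    blob = extract_pkcs7(data)
    return {"signed": blob is not None,
            "pkcs7_bytes": len(blob) if blob else 0,
            "authenticode_sha256": authenticode_digest(data)}


def build_sample_pe(pkcs7=None):
    """Constructed minimal PE32+ image (one section, never meant to execute).
    With pkcs7 given, append a WIN_CERTIFICATE table and patch the header the way
    a signing tool does: security directory entry filled in, CheckSum rewritten."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)   # x64, 1 section, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 60, 0x200)       # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    body = (b"\x90" * 16 + b"\xc3").ljust(0x200, b"\0")      # filler section contents
    image = bytearray(headers + body)
    if pkcs7 is not None:
        cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        cert = cert.ljust((len(cert) + 7) & ~7, b"\0")        # table is 8-byte aligned
        checksum_off, secdir_off = _pe_offsets(image)
        struct.pack_into("<II", image, secdir_off, len(image), len(cert))
        struct.pack_into("<I", image, checksum_off, 0xDEADBEEF)   # stands in for the recomputed checksum
        image += cert
    return bytes(image)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(FAKE_PKCS7)
    print(describe(data))
```

Run it against a downloaded setup-x86_64.exe to see whether a certificate table is present at all; on the constructed sample, `describe()` reports the unsigned and signed images as having the same Authenticode digest even though their raw bytes differ, which is exactly why adding an embedded signature cannot change what the installer does.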

