This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Cygwin's installation and security models?


> Specifically, when I launch Cygwin's setup.exe, I am warned:

> "Do you want to allow this app from an unknown publisher to
> make changes to your system?"

This is a generic warning suggesting to double-check your actions.

> That code could be anything. I think that means that
> if your website gets hacked, and the setup binaries
> get replaced, everyone is in trouble. Compare with the
> recent Classic Shell hack where not having a signed
> installer was, at least, a warning.


> I'd expect the app to be signed

Signed by whom?

> and generate a UAC prompt saying it was signed by Redhat or similar.

I can fake such a signature in under 30 seconds.
All this "signing" tests is that the signature is correct and the content hash
is matching the signature. Period.
If anything, I see this warning as a good reason to go on a search to check
the credibility of your download yourself. And that is what really matters,
instead of blindly trusting the pretty images.

For additional info, you can start reading from , and consider the .

Just in case I'm not confusing you with someone else: This mailing list is in
"no top posting, please, thank you" mode.

With best regards,
Andrey Repin
Wednesday, August 17, 2016 21:18:58

Sorry for my terrible english...

Problem reports:
Unsubscribe info:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]