This is the mail archive of the
mailing list for the Cygwin project.
Re: Cygwin's installation and security models?
> Specifically, when I launch Cygwin's setup.exe, I am warned:
> "Do you want to allow this app from an unknown publisher to
> make changes to your system?"
This is a generic warning suggesting to double-check your actions.
> That code could be anything. I think that means that
> if your website gets hacked, and the setup binaries
> get replaced, everyone is in trouble. Compare with the
> recent Classic Shell hack where not having a signed
> installer was, at least, a warning.
> I'd expect the app to be signed
Signed by whom?
> and generate a UAC prompt saying it was signed by Redhat or similar.
I can fake such a signature in under 30 seconds.
All this "signing" tests is that the signature is correct and the content hash
is matching the signature. Period.
If anything, I see this warning as a good reason to go on a search to check
the credibility of your download yourself. And that is what really matters,
instead of blindly trusting the pretty images.
For additional info, you can start reading from
http://sourceware.org/ml/cygwin/2015-04/msg00049.html , and consider the
Just in case I'm not confusing you with someone else: This mailing list is in
"no top posting, please, thank you" mode.
With best regards,
Wednesday, August 17, 2016 21:18:58
Sorry for my terrible english...
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple