[PATCH setup 4/4] Codesign setup.exe (DO NOT APPLY)
Corinna Vinschen
corinna-cygwin@cygwin.com
Mon Dec 12 17:31:00 GMT 2016
Hi Jon,
On Dec 12 13:29, Jon Turney wrote:
> As discussed in https://cygwin.com/ml/cygwin/2015-04/msg00133.html
>
> This is quite straightforward, but unfortunately, requires a non-technical
> problem to be solved to complete.
>
> 1/ A code signing certificate signed by a CA is required.
Where do we get one which is trusted, can be checked publically,
and doesn't cost any money?
Who will be keymaster and with whom do we share the private key?
> 2/ The signature should be timestamped, so that it remains vaild after the
> signing key expires, but I assume you have to use the timestamp service of
> the CA that signed the key.
Not necessarily. We can workaround that by getting a new key and
release a new setup.
> +sign: upx
> + @if [ -e `which osslsigncode` ]; then \
> + osslsigncode sign -certs $(srcdir)/cygwin.crt -key $(srcdir)/cygwin.key -n "Cygwin setup" -i https://cygwin.com/ -in setup$(EXEEXT) -out setup-signed$(EXEEXT) ;\
^^^^^^^^^
$(srcdir)?
This might not be quite right. We need to store the cert in a reasonable
safe place, certainly not in srcdir (or git).
Thanks,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin-apps/attachments/20161212/4fa6eda9/attachment.sig>
More information about the Cygwin-apps
mailing list