Security Concern: setup.exe signature difficult to verify
Wed May 20 03:03:00 GMT 2009
Today, I was downloading Cygwin, and discovered how challenging it
really is to verify the authenticity of setup.exe. Typically there
are 3 ways an executable can be verified:
Method 1) Windows supports signed exe files. When you first execute
an exe, Windows first shows a window allowing you to confirm its
authenticity. <This is the most effective and preferred solution on
Method 2) Downloading the exe from a trusted site via https. <Slightly
less secure as the connection and not the exe is verified.>
Method 3) Using GnuPG to check the .sig provided along with the exe.
<Requires that the user already have gpg installed and have access to a
certificate, and it has to be checked manually.>
However, I ran into the following issues when attempting to verify
Cygwin's setup.exe using each of those methods:
Problem with Method 1)
setup.exe doesn't have a Windows digital signature.
Windows doesn't even recognize setup.exe as a Win32 executable (try
right-clicking and viewing the properties... notice you can't even see
publisher information, and it wants to run it in a DOS virtual
Problem with Method 2)
Cygwin.com's webserver doesn't support https. Try connecting to
Problem with Method 3)
Yes, you can download http://www.cygwin.com/setup.exe.sig. However,
you won't find mention of that on the website.
Sadly, to check this signature you have to already have gpg.exe
installed. This of course requires you already have cygwin installed.
It's a chicken and egg problem.
Also, cygwin's webpages don't discuss where to get the certificate to
use when verifying the signature.
The bottom line is that without any form of easy-to-use verification,
those attempting to download setup.exe are vulnerable to a
man-in-the-middle attack, where they can be tricked into downloading
and executing a trojan instead. And this is sad considering the fact
that setup.exe does actually attempt to provide security & checksums
when downloading modules, but all this is for naught if setup.exe itself
is not secure.
My recommendation is to make method 1 and method 2 both available.
Meantime, are there any other solutions for validating security that
P.S. Yes, I did search the FAQ and mailing lists without success before
sending this post. There is a lot to search through, so if I missed
the answer somewhere, please let me know.
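The check behind Method 1, as an added example that is not code from the original post or from the Cygwin project: a small Python parser that reads a PE file's headers and reports whether an Authenticode signature table (IMAGE_DIRECTORY_ENTRY_SECURITY) is attached, and separates that from the "not even a Win32 executable" case the post describes, where an MZ header is present but no PE header follows. The sample images are constructed in memory as stand-ins; no real setup.exe is read, and the placeholder certificate blob is not a real signature.

```python
"""Report whether a Windows PE file carries an Authenticode signature table.

Added example, not code from the original mailing-list post or from the
Cygwin project.  It mechanises the question behind the post's Method 1:
is there a Windows digital signature attached to this setup.exe at all, or
is the file not even recognised as a Win32 executable?  The sample images
at the bottom are constructed in memory for illustration; no real Cygwin
binary is read.
"""
import struct

# Offsets and constants from the PE/COFF specification.
DOS_E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
OPTIONAL_MAGIC_PE32 = 0x10B
OPTIONAL_MAGIC_PE32PLUS = 0x20B
SECURITY_DIRECTORY_INDEX = 4              # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData


def authenticode_status(data: bytes) -> dict:
    """Classify bytes as not_mz / dos_only / pe_unsigned / pe_signed / pe_malformed.

    Only the presence of a WIN_CERTIFICATE table is established here.  Whether
    the PKCS#7 blob it points at is a valid signature chaining to a trusted
    publisher needs WinVerifyTrust on Windows (the dialog the post refers to).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"kind": "not_mz", "signed": False}
    try:
        (e_lfanew,) = struct.unpack_from("<I", data, DOS_E_LFANEW_OFFSET)
        if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
            # MZ header but no PE header: a 16-bit DOS program or a damaged
            # file.  This is what Windows would try to run under NTVDM.
            return {"kind": "dos_only", "signed": False}
        coff = e_lfanew + 4
        (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
        opt = coff + COFF_HEADER_SIZE
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == OPTIONAL_MAGIC_PE32:
            rva_count_off, dirs_off = opt + 92, opt + 96
        elif magic == OPTIONAL_MAGIC_PE32PLUS:
            rva_count_off, dirs_off = opt + 108, opt + 112
        else:
            return {"kind": "pe_malformed", "signed": False}
        (num_dirs,) = struct.unpack_from("<I", data, rva_count_off)
        entry_off = dirs_off + SECURITY_DIRECTORY_INDEX * 8
        if num_dirs <= SECURITY_DIRECTORY_INDEX or entry_off + 8 > opt + size_of_optional:
            return {"kind": "pe_unsigned", "signed": False}
        # For the security directory the "VirtualAddress" is a raw file offset.
        cert_off, cert_len = struct.unpack_from("<II", data, entry_off)
        if cert_off == 0 or cert_len == 0:
            return {"kind": "pe_unsigned", "signed": False}
        if cert_len < 8 or cert_off + cert_len > len(data):
            return {"kind": "pe_malformed", "signed": False}
        dw_length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    except struct.error:
        return {"kind": "pe_malformed", "signed": False}
    return {
        "kind": "pe_signed",
        "signed": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and dw_length == cert_len,
        "cert_type": cert_type,
        "cert_bytes": dw_length,
    }


def build_sample_pe(signed: bool) -> bytes:
    """Construct a minimal, headers-only PE32 image (a stand-in, not a real exe)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW_OFFSET, 0x40)
    # COFF header: i386, no sections, 224-byte optional header, EXECUTABLE_IMAGE|32BIT.
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, OPTIONAL_MAGIC_PE32)
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    image = dos + PE_SIGNATURE + coff + opt
    if signed:
        # Constructed placeholder where a real image carries DER PKCS#7 SignedData.
        blob = b"\x30\x82" + b"\x00" * 30
        win_cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        entry_off = 0x40 + 4 + COFF_HEADER_SIZE + 96 + 8 * SECURITY_DIRECTORY_INDEX
        struct.pack_into("<II", image, entry_off, len(image), len(win_cert))
        image += win_cert
    return bytes(image)


if __name__ == "__main__":
    samples = {
        "signed PE32 stub": build_sample_pe(True),
        "unsigned PE32 stub": build_sample_pe(False),
        "MZ with no PE header": b"MZ" + b"\0" * 62,
        "shell script": b"#!/bin/sh\n",
    }
    for name, blob in samples.items():
        print(f"{name:24s} -> {authenticode_status(blob)}")
```

To inspect a downloaded file, call `authenticode_status(open(path, "rb").read())`. A `pe_signed` result only says a signature blob is attached; it does not prove the blob is valid or that it chains to a publisher you trust, which is what the Windows dialog (WinVerifyTrust) decides, so this check is a quick triage step, not a substitute for Method 1. For the manual Method 3 check the corresponding step is `gpg --verify setup.exe.sig setup.exe`, which is only meaningful after the signing key has been obtained over a channel independent of the download itself.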