Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack

Warren Young
Fri Feb 27 05:03:00 GMT 2015

On Feb 26, 2015, at 3:39 PM, Darik Horn <> wrote:
> Note that GPG signatures are published for the Cygwin setup binaries:

If someone can MITM the *.exe files, they can MITM the GPG sigs, too.

You could try and be diligent and check that the signature was made with a GPG key you trust, but I’ll bet most people who have checked this just test whether the signature is valid.

At its worst, GPG’s web of trust behaves like today’s overly-trusting web browsers, which may have hundreds of CAs you’ve never heard of.  Just because your browser vendor trusts the CA doesn’t mean you should, too.  Getting a GPG public key via an untrusted path is exactly like that.

GPG sigs are better for authenticity detection than MD5/SHA hashes, but only by as much as the trustworthiness of the path you got the GPG public key via.
Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list