Cygwin's installation and security models?

Andrey Repin anrdaemon@yandex.ru
Wed Aug 17 23:13:00 GMT 2016


Greetings, lloyd.wood@yahoo.co.uk!

> Specifically, when I launch Cygwin's setup.exe, I am warned:

> "Do you want to allow this app from an unknown publisher to
> make changes to your system?"

This is a generic warning suggesting to double-check your actions.

> That code could be anything. I think that means that
> if your website gets hacked, and the setup binaries
> get replaced, everyone is in trouble. Compare with the
> recent Classic Shell hack where not having a signed
> installer was, at least, a warning.

> http://www.bleepingcomputer.com/news/security/audacity-and-classic-shell-download-server-hacked-by-pegglecrew-/

> I'd expect the app to be signed

Signed by whom?

> and generate a UAC prompt saying it was signed by Redhat or similar.

I can fake such a signature in under 30 seconds.
All this "signing" tests is that the signature is correct and the content hash
is matching the signature. Period.
If anything, I see this warning as a good reason to go on a search to check
the credibility of your download yourself. And that is what really matters,
instead of blindly trusting the pretty images.

For additional info, you can start reading from
http://sourceware.org/ml/cygwin/2015-04/msg00049.html , and consider the
http://sourceware.org/ml/cygwin/2015-03/msg00119.html .

P.S.
Just in case I'm not confusing you with someone else: This mailing list is in
"no top posting, please, thank you" mode.


-- 
With best regards,
Andrey Repin
Wednesday, August 17, 2016 21:18:58

Sorry for my terrible English...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
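The reply above makes the point that a code signature only proves the file matches what the signer signed; the "check the credibility of your download yourself" step is comparing the downloaded file against a digest obtained from a second channel (a project page or announcement, not the download server itself). The following is an added example, not code from the post or from the Cygwin project: it hashes a downloaded file in chunks, parses a sha256sum-style checksum line, and compares the two. The file content (`b"abc"`, a well-known SHA-256 test vector) and the filename in the checksum line are constructed for the demonstration; they are not a published Cygwin digest.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # hash installers in 1 MiB pieces; they need not fit in memory


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksum_line(line):
    """Parse one 'HEX  filename' line in sha256sum format.

    Returns (filename, lowercase_hex) or None if the line is not a valid entry.
    A leading '*' on the filename (sha256sum's binary-mode marker) is dropped.
    """
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    digest, name = parts
    if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
        return None
    return name.lstrip("*"), digest.lower()


def verify_download(path, expected_hex):
    """True only if the file's SHA-256 equals a digest obtained out-of-band."""
    actual = sha256_file(path)
    # compare_digest avoids short-circuit comparison; digests are public, but the habit is cheap
    return hmac.compare_digest(actual, expected_hex.lower())


def demo():
    """Constructed demonstration: a genuine file, then the same path after tampering."""
    # SHA-256("abc"), a standard test vector; used here as the 'published' digest
    expected = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    # Constructed checksum line; the filename is illustrative only
    checksum_line = f"{expected}  setup-x86_64.exe"
    name, digest = parse_checksum_line(checksum_line)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"abc")
        genuine = verify_download(path, digest)
        with open(path, "wb") as f:
            f.write(b"abd")  # simulate a replaced or altered download
        tampered = verify_download(path, digest)
    return {"genuine": genuine, "tampered": tampered, "parsed": (name, digest)}


if __name__ == "__main__":
    print(demo())
```

The value of this check depends entirely on where the expected digest came from: a digest served from the same compromised host as the binary proves nothing, which is exactly why the reply treats the download's provenance, not the signature dialog, as the thing to verify.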
