Cygwin's installation and security models?

Andrey Repin
Wed Aug 17 23:13:00 GMT 2016


> Specifically, when I launch Cygwin's setup.exe, I am warned:
>
> "Do you want to allow this app from an unknown publisher to
> make changes to your system?"

This is a generic warning suggesting to double-check your actions.

> That code could be anything. I think that means that
> if your website gets hacked, and the setup binaries
> get replaced, everyone is in trouble. Compare with the
> recent Classic Shell hack where not having a signed
> installer was, at least, a warning.
> I'd expect the app to be signed

Signed by whom?

> and generate a UAC prompt saying it was signed by Redhat or similar.

I can fake such a signature in under 30 seconds.
All this "signing" tests is that the signature is correct and the content hash
matches the signature. Period.
If anything, I see this warning as a good reason to go on a search to check
the credibility of your download yourself. And that is what really matters,
instead of blindly trusting the pretty images.

For additional info, you can start reading from , and consider the .

Just in case I'm not confusing you with someone else: This mailing list is in
"no top posting, please, thank you" mode.

With best regards,
Andrey Repin
Wednesday, August 17, 2016 21:18:58

Sorry for my terrible English...
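The two checks the reply describes, what an Authenticode signature actually establishes and verifying the download yourself against a hash obtained independently, as an added PowerShell example that is not part of the original post; the installer path and the expected hash are placeholders, and the function name is hypothetical.

```powershell
# Added example (not from the mailing-list post): inspect a downloaded Cygwin
# setup.exe two ways. Assumes Windows PowerShell 5+; the expected SHA-256 is a
# placeholder and must come from a source obtained separately from the binary.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    # 1. Authenticode check: proves only that the file is unmodified since it
    #    was signed and that the certificate chain validates on this machine.
    #    It does not, by itself, tell you whether the signer is the party you
    #    expected, so the signer subject is reported for you to judge.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path           = $Path
        SignatureState = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer         = $sig.SignerCertificate.Subject
        Thumbprint     = $sig.SignerCertificate.Thumbprint
    }

    # 2. Independent checksum: compare against a hash published out of band
    #    (release page over HTTPS, announcement mail), not one sitting next to
    #    the binary on the same server that might have served a replaced file.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.Sha256      = $actual
    $result.HashMatches = ($actual -eq $ExpectedSha256)   # -eq is case-insensitive

    # Treat the file as acceptable only when both checks pass.
    $result.Trusted = ($sig.Status -eq 'Valid') -and $result.HashMatches
    return [pscustomobject]$result
}

# Usage with placeholder values; substitute the real download path and the
# hash published by the project.
Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\setup.exe" `
    -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000' |
    Format-List
```

A Status of NotSigned or NotTrusted, or a Signer subject that is not the publisher you expect, is the cue to stop and investigate the download source rather than click through the prompt.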
