URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"

Herbert Stocker hersto@gmx.de
Thu Sep 29 02:29:00 GMT 2016


On 28.09.2016 23:05, Wayne Porter wrote:
> On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote:
>> gpg --verify setup-x86.exe.sig setup-x86.exe
>> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
>> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA
> This appears to be a good signature, just that the key is untrusted. Someone
> else correct me if I'm wrong, but that is typical to see, at least for me.

But doesn't it mean that anybody who manages to hack into your web
server, or who does a man in the middle attack on the HTTP (without S)
connection, is able to replace the setup-x86.exe by a malicious one
and to also provide a corresponding setup-x86.exe.sig, so that the gpg
output will be "good signature but untrusted key"?

my 2 cents.


Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

More information about the Cygwin mailing list