Unable to Verify 64 bit Installer on Windows

Hamish McIntyre-Bhatty hamishmb@live.co.uk
Thu Dec 30 21:51:33 GMT 2021

On 30/12/2021 21:24, Greg Williamson wrote:
> Hello,
> While attempting to verify the installer found here:
> https://cygwin.com/install.html
> GPG verification for "setup-x86_64.exe" failed with "BAD signature from
> "Cygwin <cygwin@cygwin.com>". I also created a SHA512 hash of the 
> installer
> and it did not match the one posted here:
> https://cygwin.com/sha512.sum
> As a sanity check I attempted to verify the 32bit version "setup-x86.exe".
> The SHA512 matched and the GPG signature verification succeeded.
> I thought I'd report here in case there was a security issue. Thank you in
> advance for your assistance!
> ~Greg
This is concerning. I recently re-installed Cygwin so I'm glad I marked 
my packages as test. I hope those weren't compromised installers, though 
hopefully my antivirus would have stopped anything nefarious.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x18F1759B3457223F.asc
Type: application/pgp-keys
Size: 3131 bytes
Desc: OpenPGP public key
URL: <https://cygwin.com/pipermail/cygwin/attachments/20211230/66bf5968/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://cygwin.com/pipermail/cygwin/attachments/20211230/66bf5968/attachment-0001.sig>

More information about the Cygwin mailing list