Unable to Verify 64 bit Installer on Windows

Hamish McIntyre-Bhatty hamishmb@live.co.uk
Thu Dec 30 21:51:33 GMT 2021


On 30/12/2021 21:24, Greg Williamson wrote:
> Hello,
>
> While attempting to verify the installer found here:
> https://cygwin.com/install.html
>
> GPG verification for "setup-x86_64.exe" failed with "BAD signature from
> "Cygwin <cygwin@cygwin.com>". I also created a SHA512 hash of the installer
> and it did not match the one posted here:
> https://cygwin.com/sha512.sum
>
> As a sanity check I attempted to verify the 32bit version "setup-x86.exe".
> The SHA512 matched and the GPG signature verification succeeded.
>
> I thought I'd report here in case there was a security issue. Thank you in
> advance for your assistance!
>
> ~Greg
>
This is concerning. I recently re-installed Cygwin so I'm glad I marked 
my packages as test. I hope those weren't compromised installers, though 
hopefully my antivirus would have stopped anything nefarious.

Hamish
