Unable to Verify 64 bit Installer on Windows

Brian Inglis Brian.Inglis@SystematicSw.ab.ca
Thu Dec 30 22:58:54 GMT 2021 

On 2021-12-30 14:24, Greg Williamson wrote:
> While attempting to verify the installer found here:
> https://cygwin.com/install.html
> 
> GPG verification for "setup-x86_64.exe" failed with "BAD signature from
> "Cygwin <cygwin@cygwin.com>". I also created a SHA512 hash of the installer
> and it did not match the one posted here:
> https://cygwin.com/sha512.sum

Did you perhaps download and rename the test setup 2.910 release?

It's normally best to post commands and output verbatim.

Sometimes you may have to manually run gpg2 --update-trustdb.

> As a sanity check I attempted to verify the 32bit version "setup-x86.exe".
> The SHA512 matched and the GPG signature verification succeeded.

Were the keys used the same as for x86_64?

> I thought I'd report here in case there was a security issue. Thank you in
> advance for your assistance!

All look good to me:

$ gpg2 --verify ~/mirror/x86/setup.xz{.sig,}
gpg: Signature made 2021 Dec 23 Thu 04:14:40 MST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ gpg2 --verify ~/mirror/x86/setup.ini{.sig,}
gpg: Signature made 2021 Dec 23 Thu 04:14:28 MST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ gpg2 --verify ~/mirror/x86/setup-x86.exe{.sig,}
gpg: Signature made 2021 Jul 15 Thu 05:59:50 MDT
gpg:                using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
gpg: Signature made 2021 Jul 15 Thu 05:59:50 MDT
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ cd ~/mirror/x86/ ; sha512sum --check --ignore-missing sha512.sum
setup.ini: OK
setup.ini.sig: OK
setup.xz: OK
setup.xz.sig: OK
setup-x86.exe: OK
$ gpg2 --verify ~/mirror/x86_64/setup.xz{.sig,}
gpg: Signature made 2021 Dec 12 Sun 15:14:43 MST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ gpg2 --verify ~/mirror/x86_64/setup.ini{.sig,}
gpg: Signature made 2021 Dec 12 Sun 15:14:31 MST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ gpg2 --verify ~/mirror/x86_64/setup-x86_64.exe{.sig,}
gpg: Signature made 2021 Jul 15 Thu 06:05:58 MDT
gpg:                using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
gpg: Signature made 2021 Jul 15 Thu 06:05:58 MDT
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ cd ~/mirror/x86_64/ ; sha512sum --check --ignore-missing sha512.sum
setup.ini: OK
setup.ini.sig: OK
setup.xz: OK
setup.xz.sig: OK
setup-x86_64.exe: OK

I've concatenated the downloaded cygwin.com and mirror arch sha512.sum.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]

More information about the Cygwin mailing list