This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Cygwin's installation and security models?


On 2016-08-16 19:49, lloyd.wood@yahoo.co.uk wrote:
> I'd like to understand Cygwin's installation and
> security models better:
> - Cygwin's installers aren't signed.
> - downloads are from a number of untrusted mirrors
>   via http/ftp, and packages aren't verified.
> Is this correct?

Nope!
The installer is downloaded from a TLS-enabled web site.
The installer manifest contains a public key, so the build
or at least the manifest is signed with a private key.
There are detached GPG signatures for the installer programs
setup_x86{,_64}.exe and setup.ini data files, verified by the
installer.
The setup.ini installer data files contain message digests
for each of the installable packages, verified by the
installer.
HTH
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
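The chain described in the reply (signed setup.ini, digests inside it, each package checked against its digest) as an added example, not code from the thread or from the Cygwin installer. It assumes the setup.ini "install:" line layout is "path size digest" with a SHA-512 hex digest, and the sample setup.ini fragment and package bytes are constructed; the gpg step is only a wrapper around the real "gpg --verify" command and is not exercised by the sample.

```python
import hashlib
import re
import subprocess

# Constructed sample: a minimal setup.ini fragment in the assumed Cygwin layout
# ("install: <path> <size> <sha512-hex>"); the payload is not a real archive.
PKG_BYTES = b"constructed package payload, not a real Cygwin archive\n"
SAMPLE_SETUP_INI = (
    "release: cygwin\n"
    "arch: x86_64\n"
    "\n"
    "@ examplepkg\n"
    'sdesc: "Constructed example package"\n'
    "version: 1.0-1\n"
    "install: x86_64/release/examplepkg/examplepkg-1.0-1.tar.xz "
    f"{len(PKG_BYTES)} {hashlib.sha512(PKG_BYTES).hexdigest()}\n"
)

INSTALL_RE = re.compile(r"^install:\s+(\S+)\s+(\d+)\s+([0-9a-fA-F]+)\s*$")

def verify_setup_ini_signature(ini_path, sig_path, keyring=None):
    """Step 1: check the detached GPG signature on setup.ini before trusting
    anything in it. True only when gpg reports a good signature (needs gpg
    installed and the signing key available, e.g. via an explicit keyring)."""
    cmd = ["gpg", "--batch"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", sig_path, ini_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def parse_setup_ini(text):
    """Step 2: map each package name to its (path, size, digest) record."""
    records, current = {}, None
    for line in text.splitlines():
        if line.startswith("@ "):
            current = line[2:].strip()
        elif current and (m := INSTALL_RE.match(line)):
            records[current] = (m.group(1), int(m.group(2)), m.group(3).lower())
    return records

def verify_package(record, data):
    """Step 3: accept a downloaded archive only if its size and SHA-512 digest
    both match the record from the signed setup.ini; mirror trust is not needed."""
    _path, size, digest = record
    if len(data) != size:
        return False
    return hashlib.sha512(data).hexdigest() == digest

if __name__ == "__main__":
    recs = parse_setup_ini(SAMPLE_SETUP_INI)
    print(verify_package(recs["examplepkg"], PKG_BYTES))         # True
    print(verify_package(recs["examplepkg"], PKG_BYTES + b"x"))  # False
```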
