This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: Cygwin's installation and security models?
- From: Brian Inglis <Brian dot Inglis at SystematicSw dot ab dot ca>
- To: cygwin at cygwin dot com
- Date: Tue, 16 Aug 2016 22:17:51 -0600
- Subject: Re: Cygwin's installation and security models?
- Authentication-results: sourceware.org; auth=none
- References: <1740128398.25713364.1471398599819.JavaMail.yahoo.ref@mail.yahoo.com> <1740128398.25713364.1471398599819.JavaMail.yahoo@mail.yahoo.com>
- Reply-to: cygwin at cygwin dot com
On 2016-08-16 19:49, lloyd.wood@yahoo.co.uk wrote:
> I'd like to understand Cygwin's installation and
> security models better:
> - Cygwin's installers aren't signed.
> - downloads are from a number of untrusted mirrors
>   via http/ftp, and packages aren't verified.
> Is this correct?
Nope!
The installer is downloaded from a TLS enabled web site.
The installer manifest contains a public key, so the build
or at least the manifest is signed with a private key.
There are detached GPG signatures for the installer programs
setup_x86{,_64}.exe and setup.ini data files, verified by the
installer.
The setup.ini installer data files contain message digests
for each of the installable packages, verified by the
installer.
HTH
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
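The reply above describes a two-step chain: the installer checks setup.ini against its detached GPG signature, then checks each downloaded package against the message digest listed in setup.ini. The following is an added example of that second check, written for this page and not code from Cygwin's setup.exe. It assumes the current setup.ini layout in which an "install:" line carries the archive path, its byte size and a SHA-512 hex digest (the reply itself only says "message digests"), and it assumes the Cygwin signing key has already been imported into a dedicated keyring file whose name is a placeholder. The setup.ini text and package bytes are constructed for the demonstration.

```python
"""Verify a Cygwin package archive against its setup.ini entry.

Added example for the thread above, not Cygwin's own installer code.
Assumed setup.ini layout:  install: <path> <size> <sha512 hex>
"""
import hashlib
import re
import subprocess
from dataclasses import dataclass


@dataclass
class InstallEntry:
    name: str
    path: str
    size: int
    sha512: str


# Assumption: 128 hex characters, i.e. a SHA-512 digest, on the install: line.
_INSTALL_RE = re.compile(r"^install:\s+(\S+)\s+(\d+)\s+([0-9a-fA-F]{128})\s*$")


def parse_setup_ini(text: str) -> dict[str, InstallEntry]:
    """Return the current-version install entry for each "@ package" stanza.

    Only the first install: line after "@ name" is kept; the [prev] and [test]
    sections of a stanza carry their own install: lines for older versions.
    """
    entries: dict[str, InstallEntry] = {}
    name = None
    for line in text.splitlines():
        if line.startswith("@ "):
            name = line[2:].strip()
            continue
        m = _INSTALL_RE.match(line)
        if m and name is not None and name not in entries:
            entries[name] = InstallEntry(name, m.group(1), int(m.group(2)), m.group(3).lower())
    return entries


def verify_package(entry: InstallEntry, data: bytes) -> bool:
    """Both the byte size and the SHA-512 digest must match setup.ini.

    The size check is cheap and catches truncated downloads; the digest is the
    check that actually ties the archive to the signed manifest.
    """
    if len(data) != entry.size:
        return False
    return hashlib.sha512(data).hexdigest() == entry.sha512


def verify_setup_ini_signature(ini_path: str, keyring: str) -> bool:
    """Check setup.ini against its detached signature setup.ini.sig with gpg,
    trusting only the keys in the given keyring file (assumed to hold the
    Cygwin key). Needs gpg and the real files, so the constructed sample
    below does not exercise it.
    """
    res = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring,
         "--verify", ini_path + ".sig", ini_path],
        capture_output=True,
    )
    return res.returncode == 0


# --- constructed sample data, not real Cygwin packages or manifest content ---
GOOD_PKG = b"constructed package archive bytes\n" * 8
# Same length as GOOD_PKG, one byte changed: passes the size check, fails the digest.
TAMPERED_PKG = GOOD_PKG[:-1] + b"X"
SAMPLE_INI = f"""
@ demo-pkg
sdesc: "constructed sample package"
version: 1.0-1
install: x86_64/release/demo-pkg/demo-pkg-1.0-1.tar.xz {len(GOOD_PKG)} {hashlib.sha512(GOOD_PKG).hexdigest()}
source: x86_64/release/demo-pkg/demo-pkg-1.0-1-src.tar.xz 10 {'0' * 128}
[prev]
version: 0.9-1
install: x86_64/release/demo-pkg/demo-pkg-0.9-1.tar.xz 5 {'f' * 128}
"""


def demo() -> tuple[bool, bool]:
    """(genuine archive verifies, tampered archive is rejected)."""
    entry = parse_setup_ini(SAMPLE_INI)["demo-pkg"]
    return verify_package(entry, GOOD_PKG), verify_package(entry, TAMPERED_PKG)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The order matters: a digest in setup.ini is only worth checking after setup.ini itself has passed the signature check, otherwise a mirror that can rewrite the manifest can rewrite the digests to match its own package.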