Jon Turney writes:
>> - Embeds a new Cygwin public key (which nothing is actually signed
>> with yet)
>
> setup.ini is now being signed with both old and new Cygwin keys.

As I have my own mirror script that will then combine any local packages
into one targeted install hierarchy and I _do_ check the signatures (that
has saved me from broken mirrors a few times), I've had to go and import
the new keys, which then gives me:

...
mirroring ==> /mnt/mirror/cygwin/x86/setup.xz.sig
==> /mnt/mirror/cygwin/x86/setup.xz
Waiting for 2 transfers to finish 2 1 ...all transfers finished!
gpg: Signature made Sa, 14. Mrz 2020 11:53:57 CET
gpg: using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <cyg...@cygwin.com>" [unknown]
gpg: Signature made Sa, 14. Mrz 2020 11:53:57 CET
gpg: using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cyg...@cygwin.com>" [unknown]

So external signature checks actually work exactly as intended, thanks.

Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf rackAttack:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds
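
Added example, not part of the message above and not Achim's mirror script: one way a mirror script could require that a dual-signed file such as setup.xz carries valid signatures from both the old DSA and the new RSA key, by parsing gpg's machine-readable `--status-fd` lines instead of the localized human-readable output. The function names and the sample status text are assumptions constructed for illustration; the two fingerprints are the ones shown in the gpg output above.

```python
import subprocess

# Fingerprints as printed in the gpg output quoted in the message above.
OLD_DSA = "1169DF9F22734F743AA59232A9A262FF676041BA"
NEW_RSA = "56405CF6FCC81574682A5D561A698DE9E2E56300"

def gpg_status(sig_path, data_path):
    """Verify a detached signature and return gpg's status-fd text."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return proc.stdout

def valid_signers(status_text):
    """Fingerprints with a VALIDSIG line; empty set if any signature failed."""
    valid = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in ("BADSIG", "ERRSIG"):
            # A bad signature, or one that cannot be checked (for example the
            # new key has not been imported yet), fails the whole file.
            return set()
        if fields[1] == "VALIDSIG":
            valid.add(fields[2].upper())
    return valid

def mirror_file_ok(status_text, required=(OLD_DSA, NEW_RSA)):
    """True only if every required fingerprint produced a valid signature."""
    return set(required) <= valid_signers(status_text)

# Constructed status output for illustration (not captured from a real run).
_VALID = "[GNUPG:] VALIDSIG {fp} 2020-03-14 1584183237 0 4 0 {algo} 8 00 {fp}\n"
SAMPLE_BOTH = _VALID.format(fp=OLD_DSA, algo=17) + _VALID.format(fp=NEW_RSA, algo=1)
SAMPLE_NEW_KEY_MISSING = (
    _VALID.format(fp=OLD_DSA, algo=17)
    + "[GNUPG:] ERRSIG 1A698DE9E2E56300 1 8 00 1584183237 9\n"
    + "[GNUPG:] NO_PUBKEY 1A698DE9E2E56300\n")

if __name__ == "__main__":
    print(mirror_file_ok(SAMPLE_BOTH))             # both keys verified
    print(mirror_file_ok(SAMPLE_NEW_KEY_MISSING))  # new key not in keyring
```

In a real run, pass the result of `gpg_status("setup.xz.sig", "setup.xz")` to `mirror_file_ok`; pinning full fingerprints matters here because the `[unknown]` trust marker in the output above means gpg itself is not vouching for who owns the keys.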