On 2010/03/17 10:28 PM, Dave Korn wrote:
> On 18/03/2010 00:58, Steven Monai wrote:
>
>> As an alternative to setting up SSL on cygwin.com, what about the idea
>> of crypto-signing (e.g. with gnupg) every release of setup.exe, and then
>> posting the signature alongside the binary? I know I would breathe a
>> little easier if I were able to positively verify the authenticity of a
>> given setup.exe binary.
>
> That much is already done, and documented on the front page of cygwin.com:
> read the first sentence under "Installing and Updating Cygwin and its
> Packages" heading just beneath the mid-bar, or go straight to
> http://cygwin.com/setup.exe.sig

Ah, there it is. I don't know how I managed to miss that.

>> The public key would need to be distributed via channels other than just
>> cygwin.com, to make it more difficult to spoof. Fortunately, there are a
>> number of public PGP/GPG key servers to fill that purpose.
>
> And we have already uploaded it to them; DSA key ID 676041BA:
>
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xA9A262FF676041BA

Fantastic! Thanks.

-SM
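
The check discussed in this thread, as an added example that is not part of the original messages: it runs `gpg --verify` on `setup.exe` and its detached signature and accepts the result only if a `VALIDSIG` status line names a key whose fingerprint ends in the 64-bit key ID quoted above. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# 64-bit key ID taken from the keyserver URL in the message above. A full
# fingerprint obtained out of band is a stronger pin if you have one.
PINNED_KEYID="A9A262FF676041BA"

# Constructed sample of gpg --status-fd output (fingerprint is made up).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A9A262FF676041BA Constructed Signer
[GNUPG:] VALIDSIG 0123456789ABCDEF01234567A9A262FF676041BA 2010-03-17 1268870000 0 4 0 17 2 00 0123456789ABCDEF01234567A9A262FF676041BA'

# sig_from_pinned_key STATUS_TEXT [KEYID]
# Succeeds only if STATUS_TEXT has a VALIDSIG line whose signing-key
# fingerprint (field 3) or primary-key fingerprint (last field) ends in KEYID.
# GOODSIG/BADSIG lines are ignored on purpose: only VALIDSIG carries the
# fingerprint of a signature that actually verified.
sig_from_pinned_key() {
    status=$1
    want=$(printf '%s' "${2:-$PINNED_KEYID}" | tr 'a-f' 'A-F')
    printf '%s\n' "$status" | awk -v want="$want" '
        function ends_with(s, suffix) {
            return length(s) >= length(suffix) &&
                   substr(s, length(s) - length(suffix) + 1) == suffix
        }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (ends_with(toupper($3), want) || ends_with(toupper($NF), want))
                ok = 1
        }
        END { exit !ok }'
}

# verify_setup FILE SIGFILE
# Runs gpg with machine-readable status on stdout, then applies the pin.
# The key must already be in the local keyring.
verify_setup() {
    out=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    sig_from_pinned_key "$out"
}
```

Typical use is `verify_setup setup.exe setup.exe.sig && echo verified`. Matching on the 8-digit short ID alone is weaker, since unrelated keys can share those 32 bits.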