On 2021-12-30 14:24, Greg Williamson wrote:
While attempting to verify the installer found here:
https://cygwin.com/install.html
GPG verification for "setup-x86_64.exe" failed with "BAD signature from
"Cygwin <cygwin@cygwin.com>". I also created a SHA512 hash of the installer
and it did not match the one posted here:
https://cygwin.com/sha512.sum
Did you perhaps download and rename the test setup 2.910 release?
It's normally best to post commands and output verbatim.
Sometimes you may have to manually run gpg2 --update-trustdb.
As a sanity check I attempted to verify the 32bit version "setup-x86.exe".
The SHA512 matched and the GPG signature verification succeeded.
Were the keys used the same as for x86_64?
I thought I'd report here in case there was a security issue. Thank you in
advance for your assistance!
All look good to me:
$ gpg2 --verify ~/mirror/x86/setup.xz{.sig,}
gpg: Signature made 2021 Dec 23 Thu 04:14:40 MST
gpg: using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ gpg2 --verify ~/mirror/x86/setup.ini{.sig,}
gpg: Signature made 2021 Dec 23 Thu 04:14:28 MST
gpg: using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ gpg2 --verify ~/mirror/x86/setup-x86.exe{.sig,}
gpg: Signature made 2021 Jul 15 Thu 05:59:50 MDT
gpg: using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
gpg: Signature made 2021 Jul 15 Thu 05:59:50 MDT
gpg: using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ cd ~/mirror/x86/ ; sha512sum --check --ignore-missing sha512.sum
setup.ini: OK
setup.ini.sig: OK
setup.xz: OK
setup.xz.sig: OK
setup-x86.exe: OK
$ gpg2 --verify ~/mirror/x86_64/setup.xz{.sig,}
gpg: Signature made 2021 Dec 12 Sun 15:14:43 MST
gpg: using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ gpg2 --verify ~/mirror/x86_64/setup.ini{.sig,}
gpg: Signature made 2021 Dec 12 Sun 15:14:31 MST
gpg: using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ gpg2 --verify ~/mirror/x86_64/setup-x86_64.exe{.sig,}
gpg: Signature made 2021 Jul 15 Thu 06:05:58 MDT
gpg: using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
gpg: Signature made 2021 Jul 15 Thu 06:05:58 MDT
gpg: using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ cd ~/mirror/x86_64/ ; sha512sum --check --ignore-missing sha512.sum
setup.ini: OK
setup.ini.sig: OK
setup.xz: OK
setup.xz.sig: OK
setup-x86_64.exe: OK
I've concatenated the downloaded cygwin.com and mirror arch sha512.sum.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
