On 30/12/2021 21:24, Greg Williamson wrote:
Hello,
While attempting to verify the installer found here:
https://cygwin.com/install.html
GPG verification for "setup-x86_64.exe" failed with "BAD signature from
"Cygwin <cygwin@cygwin.com>". I also created a SHA512 hash of the installer
and it did not match the one posted here:
https://cygwin.com/sha512.sum
As a sanity check I attempted to verify the 32bit version "setup-x86.exe".
The SHA512 matched and the GPG signature verification succeeded.
I thought I'd report here in case there was a security issue. Thank you in
advance for your assistance!
At 2021-Dec-30 19:14 UTC I downgraded the setup executables being served
to a previous version, to give some more time to investigate an issue
reported with setup 2.911.
I'm going to guess that was the reason for this.
However, please note that some caching outside of our control must have
occurred, as at all times, the signatures and hashes presented were
consistent and correct.
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
