On Sat, 3 May 2025, Brian Inglis via Cygwin wrote:

> On 2025-05-03 12:21, Roland Mainz via Cygwin wrote:
> > Is it somehow possible that the CI+Release binaries (*.exe, *.dll) can
> > be signed with signtool
> > (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool)?
>
> No - would break the Cygwin licence terms unless MS releases source!

Huh?!?

> Cygwin supports osslsigncode:
>
> https://cygwin.com/packages/summary/osslsigncode-src.html
>
> OpenSSL-based Authenticode signing and timestamping tool
>
> Platform-independent tool for Authenticode signing of PE(EXE/SYS/DLL/etc), CAB
> and MSI files. It also supports timestamping (Authenticode and RFC3161).
>
> That would require our volunteers to find and spend more of their free time to
> integrate the tool into the package build processes, and it would not be
> available until the volunteers find more of their free time once the next
> release of each upstream package becomes available.

It would also require getting an X.509 code signing certificate from a
Microsoft-blessed authority. AFAIK, these are not free.

I do remember investigating a service for free signing of open-source
binaries (I believe Vim.org uses it for its Windows binaries), but the
requirements for integrating with the build automation (so they could
verify that binaries weren't tampered with during build) were too onerous
for MSYS2 to consider at the time.

