Break the license rules? How - is it GPLv3?

-Jim

> On May 3, 2025, at 3:09 PM, Brian Inglis via Cygwin <[email protected]> wrote:
>
> On 2025-05-03 12:21, Roland Mainz via Cygwin wrote:
>> Is it somehow possible that the CI+Release binaries (*.exe, *.dll) can
>> be signed with signtool
>> (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool)?
>
> No - would break the Cygwin licence terms unless MS releases source!
>
>> It seems that Microsoft Defender has become overly aggressive to some
>> Cygwin binaries (mostly /usr/bin/hostname, /usr/bin/find, /usr/bin/tar
>> etc.) in the last couple of weeks and just blocks them.
>
> Aha - more MS Embrace, Extend, Extinguish!
>
> Which Windows, Defender, and Cygwin releases did this start with?
>
> $ which -a find hostname tar | cyg-sanitize-output.sed
> /usr/bin/find
> /proc/cygdrive/c/WINDOWS/system32/find
> /usr/bin/hostname
> /proc/cygdrive/c/WINDOWS/system32/hostname
> /usr/bin/tar
> /proc/cygdrive/c/WINDOWS/system32/tar
>
> Perhaps Cygwin installer or cygcheck should start renaming MS Windows
> binaries whose names conflict with Cygwin utilities! ;^>
>
> What about other packages that install exes whose names conflict with MS
> Windows utilities - does MS block them also, or just Cygwin's, or also other
> open source; what about WSL installs?
>
> [I noticed today that MS supports using only its own proprietary FIDO passkey
> authenticator app - which nobody sensible would ever trust! I liked when we
> used to be able to delete MS crypto keys from the MS Windows keystore.]
>
>> Our IT supports that they can "whitelist" binaries based on their
>> cryptographic signature... but neither the binaries from the CI nor
>> the Release binaries have any signatures...
>
> Perhaps your paid IT support could just figure out how they could bypass
> Defender checking the Cygwin roots or /*bin/ dirs?
>
> I suspect many of us do that to reduce the overhead of the BLODA.
>
> Or perhaps your paid IT support could just figure out how they could provide
> their own Cygwin mirror with binaries signed with their own signatures and
> tools.
>
> Cygwin supports osslsigncode:
>
> https://cygwin.com/packages/summary/osslsigncode-src.html
>
> OpenSSL-based Authenticode signing and timestamping tool
>
> Platform-independent tool for Authenticode signing of PE(EXE/SYS/DLL/etc),
> CAB and MSI files. It also supports timestamping (Authenticode and RFC3161).
>
> That would require our volunteers to find and spend more of their free time
> to integrate the tool into the package build processes, and it would not be
> available until the volunteers find more of their free time once the next
> release of each upstream package becomes available.
>
> --
> Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
>
> La perfection est atteinte Perfection is achieved
> non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add
> mais lorsqu'il n'y a plus rien à retrancher but when there is no more to cut
> -- Antoine de Saint-Exupéry
>
> --
> Problem reports: https://cygwin.com/problems.html
> FAQ: https://cygwin.com/faq/
> Documentation: https://cygwin.com/docs.html
> Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple

