Cygwin as an organization can act as your own CA and leave it up to IT organizations to add the Cygwin public TA cert to the CA trust store.

-Jim

> On May 3, 2025, at 3:43 PM, Jeremy Drake via Cygwin <[email protected]> wrote:
>
> On Sat, 3 May 2025, Brian Inglis via Cygwin wrote:
>
>>> On 2025-05-03 12:21, Roland Mainz via Cygwin wrote:
>>> Is it somehow possible that the CI+Release binaries (*.exe, *.dll) can
>>> be signed with signtool
>>> (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool)?
>>
>> No - would break the Cygwin licence terms unless MS releases source!
>
> Huh?!?
>
>> Cygwin supports osslsigncode:
>>
>> https://cygwin.com/packages/summary/osslsigncode-src.html
>>
>> OpenSSL-based Authenticode signing and timestamping tool
>>
>> Platform-independent tool for Authenticode signing of PE(EXE/SYS/DLL/etc),
>> CAB and MSI files. It also supports timestamping (Authenticode and RFC3161).
>>
>> That would require our volunteers to find and spend more of their free time
>> to integrate the tool into the package build processes, and it would not be
>> available until the volunteers find more of their free time once the next
>> release of each upstream package becomes available.
>
> It would also require getting an X.509 code signing certificate from a
> Microsoft-blessed authority. AFAIK, these are not free. I do remember
> investigating a service for free signing of open-source binaries (I
> believe Vim.org uses it for its Windows binaries), but the requirements
> for integrating with the build automation (so they could verify that
> binaries weren't tampered with during build) were too onerous for MSYS2 to
> consider at the time.
>
> --
> Problem reports: https://cygwin.com/problems.html
> FAQ: https://cygwin.com/faq/
> Documentation: https://cygwin.com/docs.html
> Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple

