Re: Signing cygwin.com binaries with signtool by default ?

Sun, 04 May 2025 06:51:56 -0700 

Or get a free Let's Encrypt cert as many orgs do.

--
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retrancher  but when there is no more to cut
                                -- Antoine de Saint-Exupéry


On 2025-05-04 04:40, James Hanley via Cygwin wrote:

Cygwin as an organization can act as your own CA and leave it up to IT 
organizations to add the Cygwin public TA cert to the CA trust store.
-Jim


On May 3, 2025, at 3:43 PM, Jeremy Drake via Cygwin <[email protected]> wrote:

On Sat, 3 May 2025, Brian Inglis via Cygwin wrote:


On 2025-05-03 12:21, Roland Mainz via Cygwin wrote:
Is it somehow possible that the CI+Release binaries (*.exe, *.dll) can
be signed with signtool
(https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool)?


No - would break the Cygwin licence terms unless MS releases source!


Huh?!?


Cygwin supports osslsigncode:

    https://cygwin.com/packages/summary/osslsigncode-src.html

OpenSSL-based Authenticode signing and timestamping tool

Platform-independent tool for Authenticode signing of PE(EXE/SYS/DLL/etc), CAB
and MSI files. It also supports timestamping (Authenticode and RFC3161).

That would require our volunteers to find and spend more of their free time to
integrate the tool into the package build processes, and it would not be
available until the volunteers find more of their free time once the next
release of each upstream package becomes available.


It would also require getting an X.509 code signing certificate from a
Microsoft-blessed authority.  AFAIK, these are not free.  I do remember
investigating a service for free signing of open-source binaries (I
believe Vim.org uses it for its Windows binaries), but the requirements
for integrating with the build automation (so they could verify that
binaries weren't tampered with during build) was too onerous for MSYS2 to
consider at the time.


--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

Reply via email to