I had come across the following thread (how to verify the validity of the binary using the public key?), which details verifying the validity of the signature provided by Cygwin for its installer. I ran the following commands (output shown as well):
$ gpg --import pubring.asc
gpg: key A9A262FF676041BA: public key "Cygwin <cygwin@cygwin.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ gpg --list-keys
/home/ubuntuman/.gnupg/pubring.kbx
----------------------------------
pub dsa1024 2008-06-13 [SC]
1169DF9F22734F743AA59232A9A262FF676041BA
uid [ unknown] Cygwin <cygwin@cygwin.com>
sub elg1024 2008-06-13 [E]
$ gpg --verify setup-x86_64.exe.sig setup-x86_64.exe
gpg: Signature made Mon 23 Oct 2017 06:44:26 AM HST
gpg: using DSA key A9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
So, is this safe to install? I'm new to GnuPG, signatures, and certificates. What pops out to me is the "WARNING: This key is not certified with a trusted signature" and that the "signature was made Mon 23 Oct 2017", which is pretty recent at the time of writing this post (Nov 5).
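The following is an added example, not code from the question or from Cygwin's own instructions: a POSIX shell script that pins the key fingerprint printed by gpg --list-keys above and checks GnuPG's machine-readable status output (--status-fd) instead of eyeballing the human-readable "Good signature" line. The function names, the import_and_pin_key and verify_download wrappers, and the sample status and colon-listing text embedded for offline testing are my own constructions; only the fingerprint and key ID come from the output above.

```shell
#!/bin/sh
# Added example (not from the question or from Cygwin): verify a download by
# pinning the signing key's fingerprint and parsing GnuPG's status output.
# The fingerprint and key ID are the ones printed in the question; the sample
# status and colon-listing text below is constructed so the checks run offline.

# Fingerprint obtained out of band (here: the value gpg --list-keys printed in
# the question). Compare it with a second source before relying on it.
CYGWIN_FPR="1169DF9F22734F743AA59232A9A262FF676041BA"

# Read "gpg --with-colons --fingerprint KEYID" output on stdin; succeed only if
# the primary key's fpr: record (the one right after a pub: record) equals "$1".
# Field 10 of an fpr: record holds the fingerprint; subkey fpr: records are skipped.
key_fingerprint_matches() {
    expected="$1"
    after_pub=0
    while IFS=: read -r rectype f2 f3 f4 f5 f6 f7 f8 f9 f10 rest; do
        case "$rectype" in
            pub) after_pub=1 ;;
            sub) after_pub=0 ;;
            fpr)
                if [ "$after_pub" -eq 1 ]; then
                    after_pub=0
                    if [ "$f10" = "$expected" ]; then return 0; fi
                fi ;;
        esac
    done
    return 1
}

# Read "gpg --batch --status-fd 1 --verify SIG FILE" output on stdin; succeed
# only if GnuPG reports GOODSIG (not BADSIG, EXPKEYSIG, REVKEYSIG or ERRSIG)
# and the VALIDSIG record names the pinned fingerprint, either as the signing
# key (field 1) or as its primary key (field 10). The TRUST_UNDEFINED line
# behind the "not certified" warning is deliberately ignored: pinning the
# fingerprint replaces the web-of-trust check.
signature_is_valid_for() {
    expected="$1"
    good=0
    valid=0
    while read -r prefix keyword a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG) good=1 ;;
            BADSIG|EXPKEYSIG|REVKEYSIG|ERRSIG|NODATA) return 1 ;;
            VALIDSIG)
                if [ "$a1" = "$expected" ] || [ "$a10" = "$expected" ]; then
                    valid=1
                fi ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$valid" -eq 1 ]
}

# Real-world wrappers (assume gpg is installed and pubring.asc, the .sig and
# the installer are in the current directory); not run by the offline checks.
import_and_pin_key() {
    gpg --batch --import pubring.asc >/dev/null 2>&1
    gpg --batch --with-colons --fingerprint "$CYGWIN_FPR" 2>/dev/null \
        | key_fingerprint_matches "$CYGWIN_FPR"
}

verify_download() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | signature_is_valid_for "$CYGWIN_FPR"
}

# Constructed sample of the status output for the question's good signature
# (timestamp and algorithm fields are made up for illustration).
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 1169DF9F22734F743AA59232A9A262FF676041BA 2017-10-23 1508777066 0 4 0 17 10 00 1169DF9F22734F743AA59232A9A262FF676041BA
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a good signature made with some other key carrying the same
# user ID (all-zero placeholder fingerprint), i.e. the swapped-key case.
SAMPLE_OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2017-10-23 1508777066 0 4 0 17 10 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed excerpt of "gpg --with-colons --fingerprint" for the imported key.
SAMPLE_COLONS='pub:-:1024:17:A9A262FF676041BA:1213315200:::-:::scSC::::::::::0:
fpr:::::::::1169DF9F22734F743AA59232A9A262FF676041BA:
uid:-::::::::Cygwin <cygwin@cygwin.com>:'

# Offline self-check of both parsers against the constructed samples.
self_check() {
    printf '%s\n' "$SAMPLE_GOOD_STATUS" | signature_is_valid_for "$CYGWIN_FPR" || return 1
    if printf '%s\n' "$SAMPLE_OTHER_KEY_STATUS" | signature_is_valid_for "$CYGWIN_FPR"; then
        return 1
    fi
    printf '%s\n' "$SAMPLE_COLONS" | key_fingerprint_matches "$CYGWIN_FPR"
}

# Usage: sh verify_cygwin.sh setup-x86_64.exe.sig setup-x86_64.exe
if [ "$#" -eq 2 ]; then
    if import_and_pin_key && verify_download "$1" "$2"; then
        echo "OK: $2 is signed by key $CYGWIN_FPR"
    else
        echo "FAIL: fingerprint mismatch or bad signature for $2" >&2
        exit 1
    fi
fi
```

With the fingerprint pinned this way, the "not certified with a trusted signature" warning becomes irrelevant: it only reports that no key you trust has certified the Cygwin key, which the fingerprint comparison replaces. If you want gpg itself to stop printing it, `gpg --lsign-key A9A262FF676041BA` records your own local certification of the key after you have checked the fingerprint.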
I'm not an expert in GPG, but as I understand it, it is just a warning saying that it can't verify the identity of the issuer of the public key, which is normal with self-generated keys unless you certify the key using a recognized entity. Regarding the recent date of the signature, that is expected: it's the date when the package was signed, not when the key used to sign it was created (based on the output from --list-keys, the key creation date seems to be 2008-06-13). – Alberto Martinez – 2017-11-05T23:58:33.813
Hey Alberto, thanks for replying. My issue with this is that you really cannot verify whether or not the executable has been tampered with, due to the fact that it doesn't have a signature and that the "signature" is provided on Cygwin's website. Therefore, you are relying on the trust that Cygwin's website is secure. My main intention for writing this post was to raise awareness of this fact, although the average user most likely won't care. I was also wondering if there were alternatives that the community likes, or if I should just say "screw it" and download Cygwin despite my paranoia. – The Watermelon – 2017-11-07T03:22:57.857
Maybe you are being a bit paranoid :). The current system is not perfect, but a tampered executable would mean the attacker has access to the source code, the web site and the private key (he could change the public key, but this would raise alarms because the signature check would fail for people that already have the key). And having the signature attached to the file wouldn't change the security, because a signature is valid only for one file and one key (there is no such thing as a "wildcard" signature); also, if an attacker tampered with the package, they could also tamper with the attached signature. – Alberto Martinez – 2017-11-07T21:46:46.897