Cygwin installation - can't verify signature

0

I had come across the following thread (how to verify the validity of the binary using the public key?) which details the verifying of the validity of the signature provided by Cygwin for its installation. I ran the following commands (output shown as well):

$ gpg --import pubring.asc
gpg: key A9A262FF676041BA: public key "Cygwin <cygwin@cygwin.com>" imported
gpg: Total number processed: 1 
gpg:               imported: 1

$ gpg --list-keys
/home/ubuntuman/.gnupg/pubring.kbx
----------------------------------
pub   dsa1024 2008-06-13 [SC]
  1169DF9F22734F743AA59232A9A262FF676041BA
uid           [ unknown] Cygwin <cygwin@cygwin.com>
sub   elg1024 2008-06-13 [E]

$ gpg --verify setup-x86_64.exe.sig setup-x86_64.exe
gpg: Signature made Mon 23 Oct 2017 06:44:26 AM HST 
gpg:                using DSA key A9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

So, is this safe to install? I'm new to GnuPG, signatures, and certificates. What pops out to me is the "WARNING: This key is not certified with a trusted signature" and that the "signature was made Mon 23 Oct 2017", which is pretty recent at the time of writing this post (Nov 5).

The Watermelon

Posted 2017-11-05T23:30:51.497

Reputation: 1

I'm not an expert in GPG, but as I understand it, it is just a warning saying that it can't verify the identity of the issuer of the public key, which is normal with self-generated keys unless you certify the key using a recognized entity. Regarding the recent date of the signature, that is expected: it's the date when the package was signed, not when the key used to sign it was created (based on the output from --list-keys, the key creation date seems to be 2008-06-13). – Alberto Martinez – 2017-11-05T23:58:33.813

Hey Alberto, thanks for replying. My issue with this is that you really cannot verify whether or not the executable has been tampered with, due to the fact that it doesn't have a signature and that the "signature" is provided on Cygwin's website. Therefore, you are relying on the trust that Cygwin's website is secure. My main intention for writing this post was to raise awareness of this fact, although the average user most likely won't care. I also was wondering if there were alternatives that the community likes, or if I should just say "screw it" and download Cygwin despite my paranoia. – The Watermelon – 2017-11-07T03:22:57.857

Maybe you are being a bit paranoid :). The current system is not perfect, but a tampered executable would mean the attacker has access to the source code, the web site and the private key (he could change the public key, but this would raise alarms because the signature check would fail for people that already have the key). And having the signature attached to the file wouldn't change the security, because a signature is valid only for one file and one key (there is no such thing as a "wildcard" signature); also, if an attacker tampered with the package, they could also tamper with the attached signature. – Alberto Martinez – 2017-11-07T21:46:46.897

Answers

0

The message explains that GnuPG was not able to validate the key's ownership. Everybody can generate keys for arbitrary names and mail addresses (just search the key servers for president@whitehouse.gov).

A very "OpenPGP" way would be to validate the key through the OpenPGP web of trust. Power users of OpenPGP verify others' identities and attest this verification by issuing certifications on the others' keys. This forms a network of connected keys, with a so-called trust path between two arbitrary keys in the network. If you also participate in this and trust the people on the trust path, you have successfully validated the key's ownership. GnuPG supports this through certifications (often also called signatures) and issuing trust; if you can validate a key through your local view on the web of trust, the warning message will vanish.

Then, there is a more pragmatic approach: if you find any reasonable clue that the key belongs to the Cygwin project, it is fine. This might be the fingerprint listed on the project website, transmitted through HTTPS (short key IDs are not enough!).

Furthermore, you could go along with "well, I cannot really validate the key now, but I'm still just playing with the software in a virtual machine or test device, and if no attack was announced in public or the key suddenly changes for some days or weeks, I'm fine". This concept would also be called trust-on-first-use: you don't really expect an attack or manipulated software, but want to be able to detect such an attack in the future. Similarly, you could travel back in time; maybe you can already find references to the key on other installations or distributions.

Jens Erat

Posted 2017-11-05T23:30:51.497

Reputation: 14 141
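The pragmatic check in the answer above (compare the full primary-key fingerprint against one obtained from the project website over HTTPS, never just the short key ID or the "Good signature" text) can be scripted. This is an added example, not code from the post or from the Cygwin project; the fingerprint is the one printed in the question, and the function names are hypothetical.

```shell
#!/bin/sh
# Pinned-fingerprint verification of a detached OpenPGP signature.
# Added example (not from the original post). Obtain EXPECTED_FPR from the
# project's website over HTTPS, not from the key file you are about to verify.
EXPECTED_FPR="1169DF9F22734F743AA59232A9A262FF676041BA"

# check_validsig EXPECTED: read gpg's machine-readable status lines
# (--status-fd) on stdin and succeed only if a VALIDSIG line names EXPECTED
# as the primary key. Status lines are stable for scripting, unlike the
# human-readable "Good signature ... [unknown]" output shown in the question.
check_validsig() {
    # Normalise the pin so it may be pasted as gpg prints it ("1169 DF9F ...").
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F' | tr -d ' ')
    found=no
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                echo "signature check failed: $line" >&2
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                # Fields: [GNUPG:] VALIDSIG <sigkey-fpr> <date> ... <primary-fpr>
                # The last field is the primary key fingerprint (the signing key
                # may be a subkey), so that is the one compared against the pin.
                set -- $line
                primary=""
                for w in "$@"; do primary=$w; done
                if [ "$primary" = "$expected" ]; then
                    found=yes
                else
                    echo "fingerprint mismatch: got $primary" >&2
                    return 1
                fi ;;
        esac
    done
    # No VALIDSIG at all (e.g. empty or truncated output) is also a failure.
    [ "$found" = yes ]
}

# verify_pinned FILE SIG: run gpg with status output on fd 1 and apply the pin.
# Usage: verify_pinned setup-x86_64.exe setup-x86_64.exe.sig && echo OK
verify_pinned() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_validsig "$EXPECTED_FPR"
}
```

The "not certified with a trusted signature" warning still appears on stderr, because the pin replaces web-of-trust validation rather than recording it in the keyring.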