This patch series presupposes the one posted starting at [1]. Currently, signatures are verified using the cygwin signing key and other keys supplied by the user. Validation with any key is accepted. This patch series makes the following changes:
- For official cygwin mirrors (those listed in mirrors.lst), only the cygwin key is tried.

- For purported private mirrors (from the "last-mirror" user setting or the "Add URL box" or the command line), the cygwin key is tried first. If this fails, then the remaining keys are tried. If one of these succeeds, then the site is silently reclassified (with a message in the log file) as a 'user site' rather than a 'mirror'. The change takes effect on the next setup run or when the user selects 'Back'.

- If the user turns off signature validation with the -X option, a weaker check is done: We look for "release: cygwin" in the setup.ini file. If that fails for an official mirror, the file is rejected. If it fails for a purported private mirror, the site is silently reclassified, as above.

The reclassification is done silently because it could easily be necessary, through no fault of the user. There are three reasons for this. First, the distinction between mirrors and user sites is new, and it will take time for users to become accustomed to it. Second, for setup.rc files that were written before [1], "last-mirror" includes all selected sites, whether mirrors or not. Finally, sites specified on the command line are initially assumed to be mirrors until we can perform the above checks.

[1] https://sourceware.org/ml/cygwin-apps/2017-12/msg00051.html

Ken Brown (4):
  Allow validation of signatures using the cygwin key only
  Insist on cygwin signing key for official mirrors
  Try cygwin signing key for private mirrors
  If signature validation is turned off, check 'release:' tag

 crypto.cc  |  5 ++--
 crypto.h   |  3 ++-
 ini.cc     | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++------
 res.rc     |  1 +
 resource.h |  1 +
 site.h     |  2 ++
 6 files changed, 87 insertions(+), 12 deletions(-)

-- 
2.15.1
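The decision rules in the cover letter above, written out as a small model. This is an added example, not code from the patch series or from setup itself: `Check`, `Verdict`, `classify` and `has_release_cygwin` are hypothetical names, signature results are passed in as booleans, and two points are assumptions: a private site whose signature validates with no key at all is rejected, and the release tag is matched as a whole line.

```cpp
#include <sstream>
#include <string>

enum class Verdict { Mirror, UserSite, Reject };

// Hypothetical inputs; real signature checks are replaced by booleans.
struct Check {
    bool official;       // site is listed in mirrors.lst
    bool verify_sigs;    // false when setup was started with -X
    bool cygwin_key_ok;  // signature validates with the cygwin key
    bool other_key_ok;   // signature validates with some other supplied key
};

// Weaker check used with -X: look for the tag in setup.ini.
// Assumption: the whole line must match, so "release: cygwin-local"
// or a comment mentioning the tag does not count.
static bool has_release_cygwin(const std::string &ini) {
    std::istringstream in(ini);
    std::string line;
    while (std::getline(in, line)) {
        while (!line.empty() && (line.back() == '\r' || line.back() == ' '))
            line.pop_back();  // tolerate CRLF and trailing blanks
        if (line == "release: cygwin")
            return true;
    }
    return false;
}

Verdict classify(const Check &c, const std::string &ini) {
    if (!c.verify_sigs) {
        // The tag is unauthenticated text, hence "weaker".
        if (has_release_cygwin(ini))
            return Verdict::Mirror;
        return c.official ? Verdict::Reject : Verdict::UserSite;
    }
    if (c.cygwin_key_ok)
        return Verdict::Mirror;
    if (c.official)
        return Verdict::Reject;  // other keys are never tried for mirrors.lst sites
    // Purported private mirror: fall back to the remaining keys.
    // Assumption: if none validates, the file is rejected.
    return c.other_key_ok ? Verdict::UserSite : Verdict::Reject;
}
```

The case to note is the first signed branch for official mirrors: a setup.ini signed only by a user-supplied key is rejected there, where before the series validation with any key was accepted.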