On 2016-08-16 19:49, lloyd.w...@yahoo.co.uk wrote:
> I'd like to understand Cygwin's installation and security models better:
> - Cygwin's installers aren't signed.
> - downloads are from a number of untrusted mirrors via http/ftp, and packages aren't verified.
> Is this correct?
Nope!

The installer is downloaded from a TLS-enabled web site.

The installer manifest contains a public key, so the build or at least the manifest is signed with a private key.

There are detached GPG signatures for the installer programs setup_x86{,_64}.exe and setup.ini data files, verified by the installer.

The setup.ini installer data files contain message digests for each of the installable packages, verified by the installer.

HTH

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
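The per-package digest check that the reply attributes to setup.ini, as an added example (this is not Cygwin's setup code): it parses the `install:` lines of a constructed setup.ini stanza and verifies a package's bytes against the listed size and digest. The stanza layout assumed here (`@ name` header, then `install: path size hexdigest`), the sample bytes and the digest-algorithm-by-length selection are assumptions of this example, not facts from the thread.

```python
import hashlib
import hmac
import re

# Constructed sample: an invented package archive and a tampered copy.
GOOD_PKG = b"\xfd7zXZ\x00" + b"pretend-tar.xz-payload" * 4
BAD_PKG = GOOD_PKG[:-1] + b"!"

# Assumed setup.ini layout: a stanza starts with "@ name"; its "install:" line
# lists the mirror-relative path, byte size and hex digest. The digest below is
# computed from the constructed bytes so the sample entry verifies.
SAMPLE_SETUP_INI = f"""@ examplepkg
sdesc: "Constructed sample package"
version: 1.0-1
install: x86_64/release/examplepkg/examplepkg-1.0-1.tar.xz {len(GOOD_PKG)} {hashlib.sha512(GOOD_PKG).hexdigest()}
"""

INSTALL_RE = re.compile(r"^install:\s+(\S+)\s+(\d+)\s+([0-9a-fA-F]+)\s*$")


def parse_install_entries(setup_ini_text):
    """Map package name -> (path, size, digest) from each stanza's install: line."""
    entries = {}
    current = None
    for line in setup_ini_text.splitlines():
        if line.startswith("@ "):
            current = line[2:].strip()
            continue
        m = INSTALL_RE.match(line)
        if m and current:
            path, size, digest = m.groups()
            entries[current] = (path, int(size), digest.lower())
    return entries


def verify_package(data, expected_size, expected_digest):
    """True only if both the size and the digest match the setup.ini entry."""
    if len(data) != expected_size:
        return False
    # Heuristic for this example: pick the hash by hex length (md5/sha1/sha256/sha512).
    algo = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}.get(len(expected_digest))
    if algo is None:
        return False
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(actual, expected_digest)


if __name__ == "__main__":
    for name, (path, size, digest) in parse_install_entries(SAMPLE_SETUP_INI).items():
        print(name, path, "OK" if verify_package(GOOD_PKG, size, digest) else "MISMATCH")
```

The digests only mean something once the detached GPG signature on setup.ini itself has been verified, which is the earlier step in the chain the reply describes.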