Today, I was downloading cygwin, and discovered how challenging it really is to verify the authenticity of setup.exe. Typically there are 3 ways an executable can be verified:

Method 1) Windows supports signed exe files. When you first execute an exe, windows first shows a window allowing you to confirm its authenticity. <This is the most effective and preferred solution on windows.>

Method 2) Downloading the exe from a trusted site via https. <Slightly less secure as the connection and not the exe is verified.>

Method 3) Using gnupg to check the .sig provided along with the exe. <Requires the user to already have gpg installed and have access to a certificate, and has to be checked manually.>

However, I ran into the following issues when attempting to verify Cygwin's setup.exe using each of those methods:

Problem with Method 1) setup.exe doesn't have a windows digital signature. Windows doesn't even recognize setup.exe as a win32 executable (try right clicking and viewing the properties... notice you can't even see publisher information and it wants to run it in a DOS virtual machine).

Problem with Method 2) Cygwin.com's webserver doesn't support https. Try connecting to https://www.cygwin.com/setup.exe

Problem with Method 3) Yes, you can download http://www.cygwin.com/setup.exe.sig. However you won't find mention of that on the website. Sadly, to check this signature you have to already have gpg.exe installed. This of course requires you to already have cygwin installed. It's a chicken-and-egg problem. Also, cygwin's webpages don't discuss where to get the certificate to use when verifying the signature.

The bottom line is that without any form of easy-to-use verification, those attempting to download setup.exe are vulnerable to a man-in-the-middle attack, where they can be tricked into downloading and executing a trojan instead. And this is sad considering the fact that setup.exe does actually attempt to provide security & checksums when downloading modules, but all this is for naught if setup.exe itself is not secure.

My recommendation is to make method 1 and method 2 both available.

Meantime, are there any other solutions for validating security that I'm missing?

Thanks,
Doug

P.S. Yes, I did search the FAQ and mailing lists without success before sending this post. There is a lot to search through, so if I missed the answer somewhere, please let me know.

--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
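As an added illustration of methods 1 and 3 from the post (not part of the original message or of the Cygwin project), the script below checks a downloaded setup.exe for a valid Authenticode signature and, if gpg.exe happens to be on the PATH, verifies the detached .sig against an expected key fingerprint; it refuses the file unless one of the two checks passes. The file paths and the fingerprint are placeholders you must supply; method 2 (https) is a property of the download connection, so it is not repeated here.

```powershell
# Added example: fail-closed verification of a downloaded installer.
param(
    [string]$Exe = "$env:TEMP\setup.exe",       # assumed download location
    [string]$Sig = "$env:TEMP\setup.exe.sig",   # detached OpenPGP signature
    # Placeholder: the release-signing key fingerprint, obtained out of band.
    [string]$ExpectedFingerprint = "<RELEASE-KEY-FINGERPRINT>"
)

$ok = $false

# Method 1: Authenticode. Status is 'Valid' only when the signature is intact
# and chains to a root trusted by this machine; an unsigned file reports 'NotSigned'.
$auth = Get-AuthenticodeSignature -FilePath $Exe
if ($auth.Status -eq 'Valid') {
    Write-Host "Authenticode: valid, signed by $($auth.SignerCertificate.Subject)"
    $ok = $true
} else {
    Write-Warning "Authenticode: $($auth.Status)"
}

# Method 3: detached OpenPGP signature. Only possible if gpg is already installed,
# which is the chicken-and-egg problem the post describes.
$gpg = Get-Command gpg.exe -ErrorAction SilentlyContinue
if ($gpg -and (Test-Path $Sig)) {
    # --status-fd 1 emits machine-readable lines; VALIDSIG carries the full
    # fingerprint of the signing key, which is what we compare against.
    & $gpg.Source --status-fd 1 --verify $Sig $Exe 2>$null | ForEach-Object {
        if ($_ -match '^\[GNUPG:\] VALIDSIG (\S+)') {
            if ($Matches[1] -eq $ExpectedFingerprint) {
                Write-Host "gpg: good signature from expected key"
                $ok = $true
            } else {
                Write-Warning "gpg: good signature, but from unexpected key $($Matches[1])"
            }
        }
    }
} else {
    Write-Warning "gpg: gpg.exe not found or .sig missing; cannot verify detached signature"
}

if (-not $ok) {
    Write-Error "No verification method succeeded; do not run $Exe"
    exit 1
}
```

A good gpg signature from a key other than the expected one is treated as a failure on purpose: the signature only proves origin if the verifier already trusts that specific key.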