Re: Should cygwin's setup*.exe be signed using Sign Tool?
On 4/9/2015 8:05 AM, Jon TURNEY wrote: [snip] > The actual work that needs to be done here is to identify an alternative > open source signing tool and how to use it. > > It would be nice to have such a tool packaged for cygwin, as that would > allow people to sign any MinGW-w64 executables they make... I've been using osslsigncode for a long time. Ref: http://sourceforge.net/projects/osslsigncode/ It used to compile OTB in Cygwin (as well as Linux), depends on OpenSSL, and libcurl. But that was version 1.5.2. The current version, 1.7.1, which on the way added "support for compiling and running on Windows" messed things up (the usual way, assuming that it is compiling for native Windows). I fix it by disabling HAVE_WINDOWS_H in the generated config.h . -- René Berber -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: Should cygwin's setup*.exe be signed using Sign Tool?
On 02/04/2015 19:13, David A. Wheeler wrote: Running setup*.exe produces "Publisher: Unknown publisher", and it's doubtful that many people check the signature of the .exe file before running. Even if they did, there's the problem that the signature comes from the same place. Has Cygwin considered signing the installer using Sign Tool? More info: https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/ I believe signing it this way would eliminate the "unknown publisher"; it would also protect the many people who don't follow the current signature-checking process. This would create a strong barrier against code subversion after release. The signed executable could also be signed using the current process, so you don't need to *eliminate* any capability. I can't provide a patch to do this, obviously :-). I don't think this is obvious at all. You can't provide the certificate, but you can provide a patch. However, saying "install Windows SDK, use signtool" is not a solution, for reasons already discussed. The actual work that needs to be done here is to identify an alternative open source signing tool and how to use it. It would be nice to have such a tool packaged for cygwin, as that would allow people to sign any MinGW-w64 executables they make... -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: Should cygwin's setup*.exe be signed using Sign Tool?
On Apr 2 23:27, David A. Wheeler wrote: > On Thu, 2 Apr 2015 21:23:16 -0400, Bryan Berns wrote: > > Since the setup executable is responsible for running a whole bunch of > > community contributed post-install executables as part of the > > installation process, I'm not sure whether it'd be advisable to stamp > > a particular individual's name or company's name on the executive > > installer (e.g. Red Hat, for example). > > I would expect the publisher to be "The Cygwin Project". > That's what the website says, after all! > > In my mind, the point of the signature would be to assure that you have the > correct > (untainted) installer, and that the other software installed was the one from > Cygwin. > As far as community install issue goes, the same this is true for Fedora, > Debian, etc., > and that seems to be reasonably understood. We're not going to change anything. From my POV there's no good reason to use Windows tools, especially given that the entire infrastructure is running on an RHEL box. So we're using the key on sourceware.org with the GPG tool running under Linux on sourceware.org. Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat pgpdQHe5wpMCo.pgp Description: PGP signature
Re: Should cygwin's setup*.exe be signed using Sign Tool?
On Thu, 2 Apr 2015 21:23:16 -0400, Bryan Berns wrote: > Since the setup executable is responsible for running a whole bunch of > community contributed post-install executables as part of the > installation process, I'm not sure whether it'd be advisable to stamp > a particular individual's name or company's name on the executive > installer (e.g. Red Hat, for example). I would expect the publisher to be "The Cygwin Project". That's what the website says, after all! In my mind, the point of the signature would be to assure that you have the correct (untainted) installer, and that the other software installed was the one from Cygwin. As far as community install issue goes, the same this is true for Fedora, Debian, etc., and that seems to be reasonably understood. --- David A. Wheeler -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: Should cygwin's setup*.exe be signed using Sign Tool?
David A. Wheeler inquired: > > Has Cygwin considered signing the installer using Sign Tool? More info: On Fri, 3 Apr 2015 01:22:15 +0300, Andrey Repin wrote: > Did Microsoft made it available separately? Or is there a description of the > structure of such a signature and/or a free tool that can be used to generate > it? Microsoft makes signtool available as part of its SDK at no charge (gratis, not libre): https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx This page points to some alternatives: http://stackoverflow.com/questions/18211594/windows-code-signing-process-alternative-to-ms-signtool-exe They note that Mono includes "signcode", and it's libre (as well gratis). Instructions here: https://developer.mozilla.org/en-US/docs/Signing_an_executable_with_Authenticode > Last I checked, you have to install a metric ton of garbage to get signtool as > a bonus. It seems to be a short ton. The default installs a lot, but you can deselect much. It's not tiny due to dependencies, but it's not *everything*. Also, you *only* have to install it on the system that does the signing; no other system needs it. It's good to have a separate signing system anyway. > People who don't check signature manually, won't check the credibility of > the embedded signature either. > And it only takes about thirty seconds to fake the lines that are visible in > prompt dialogue. Clearly this is limited. But these signatures are automatically checked by Windows, and the publisher is displayed for review before acceptance, which raises the bar a little. The number of people who check the signatures on setup*.exe is probably pretty small; I'm hoping to raise the safety bar for everyone else. There's also an appearance factor: running an unsigned app looks scarier (there's a warning "The publisher could not be verified...", possibly followed by a User Account warning again noting the 'unknown' publisher). Having a signature may make users and their admins more confident that it's okay to use Cygwin. --- David A. Wheeler -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: Should cygwin's setup*.exe be signed using Sign Tool?
> Has Cygwin considered signing the installer using Sign Tool? More info: > > https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx > > http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/ > > I believe signing it this way would eliminate the "unknown publisher"; it > would also protect the many people who don't follow the current > signature-checking process. This would create a strong barrier against code > subversion after release. > > The signed executable could also be signed using the current process, so you > don't need to *eliminate* any capability. I can't provide a patch to do > this, obviously :-). > > --- David A. Wheeler Ultimately, this is probably a Corinna question since I believe she compiles the setup executable, but I'll provide my general input as an software developer. Firstly, the tools to sign an executable are certainly available as part of the Windows SDK which is freely downloadable -- so no problem there. However, we would have to determine which publicly trusted certificate to use (using a self-signed cert would likely produce the same message) and is signing the executable the *right* thing to do. Since the setup executable is responsible for running a whole bunch of community contributed post-install executables as part of the installation process, I'm not sure whether it'd be advisable to stamp a particular individual's name or company's name on the executive installer (e.g. Red Hat, for example). If a tainted executable was uploaded into the package repository and subsequently flagged, the certificate authority may have to revoke the certificate which is never good for publicity of the signer. For most pieces of software, the maintainer or the maintainers company's can very confidently vouch for the content of the installation package and executables within it. In the Cygwin world, this accountability is a little more distributed between the package maintainers and source code contributors. That said, I have the upmost respect for the package maintainers and I've never had any security problems with the Cygwin packages other than stupid antivirus false positives and some dirty limericks that got installed (my HR department didn't like that). So that's my two cents. For all I know the *real* reason it's not signed is "nobody had asked for it". - Bryan -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: Should cygwin's setup*.exe be signed using Sign Tool?
Greetings, David A. Wheeler! > Running setup*.exe produces "Publisher: Unknown publisher", and it's > doubtful that many people check the signature of the .exe file before > running. Even if they did, there's the problem that the signature comes from > the same place. > Has Cygwin considered signing the installer using Sign Tool? More info: Did Microsoft made it available separately? Or is there a description of the structure of such a signature and/or a free tool that can be used to generate it? Last I checked, you have to install a metric ton of garbage to get signtool as a bonus. > https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx > > http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/ > I believe signing it this way would eliminate the "unknown publisher"; it > would also protect the many people who don't follow the current > signature-checking process. This would create a strong barrier against code > subversion after release. People who don't check signature manually, won't check the credibility of the embedded signature either. And it only takes about thirty seconds to fake the lines that are visible in prompt dialogue. Been there, done that. > The signed executable could also be signed using the current process, so you > don't need to *eliminate* any capability. I can't provide a patch to do > this, obviously :-). Signing executable doesn't alter its behavior in any way, shape or form. I've had success signing executable archives. -- With best regards, Andrey Repin Friday, April 3, 2015 01:17:20 Sorry for my terrible english... -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Should cygwin's setup*.exe be signed using Sign Tool?
Running setup*.exe produces "Publisher: Unknown publisher", and it's doubtful that many people check the signature of the .exe file before running. Even if they did, there's the problem that the signature comes from the same place. Has Cygwin considered signing the installer using Sign Tool? More info: https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/ I believe signing it this way would eliminate the "unknown publisher"; it would also protect the many people who don't follow the current signature-checking process. This would create a strong barrier against code subversion after release. The signed executable could also be signed using the current process, so you don't need to *eliminate* any capability. I can't provide a patch to do this, obviously :-). --- David A. Wheeler -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple