Re: [PATCH setup 4/4] Codesign setup.exe (DO NOT APPLY)
On Dec 13 19:33, Achim Gratz wrote:
> Corinna Vinschen writes:
> >> That wouldn't do any good for folks trying to use an old setup version
> >> or am I missing something?
> >
> > They would get two messages, "Sig has expired" and "there's a new version
> > of setup". Isn't that sufficient?
>
> I was under the (maybe mistaken) impression that the executable would
> stop running if the signature was deemed incorrect.
>
> >> In the meantime, we could provide a detached signature with the cygwin
> >> key, just like we do for setup.ini?
> >
> > We already do. You can download setup-x86.exe.sig and
> > setup-x86_64.exe.sig from https://cygwin.com/
>
> It's not advertised in an easily accessible place (i.e. right beside
> the download link on cygwin.com main page). The install page shows
> those, but I'm not sure how many people look it up there.

The websites are in git(*). Just send patches if you see some flaw.

Thanks,
Corinna

(*) https://cygwin.com/git/gitweb.cgi?p=cygwin-htdocs.git

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
Re: [PATCH setup 4/4] Codesign setup.exe (DO NOT APPLY)
Corinna Vinschen writes:
>> That wouldn't do any good for folks trying to use an old setup version
>> or am I missing something?
>
> They would get two messages, "Sig has expired" and "there's a new version
> of setup". Isn't that sufficient?

I was under the (maybe mistaken) impression that the executable would
stop running if the signature was deemed incorrect.

>> In the meantime, we could provide a detached signature with the cygwin
>> key, just like we do for setup.ini?
>
> We already do. You can download setup-x86.exe.sig and
> setup-x86_64.exe.sig from https://cygwin.com/

It's not advertised in an easily accessible place (i.e. right beside
the download link on cygwin.com main page). The install page shows
those, but I'm not sure how many people look it up there.

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

DIY Stuff:
http://Synth.Stromeko.net/DIY.html
Re: [PATCH setup 4/4] Codesign setup.exe (DO NOT APPLY)
On 12/12/2016 17:30, Corinna Vinschen wrote:
> Hi Jon,
>
> On Dec 12 13:29, Jon Turney wrote:
>> As discussed in https://cygwin.com/ml/cygwin/2015-04/msg00133.html
>>
>> This is quite straightforward, but unfortunately, requires a non-technical
>> problem to be solved to complete.
>>
>> 1/ A code signing certificate signed by a CA is required.
>
> Where do we get one which is trusted, can be checked publicly, and
> doesn't cost any money?

This is a trick question, right? You don't :(

> Who will be keymaster and with whom do we share the private key?
>
>> 2/ The signature should be timestamped, so that it remains valid after the
>> signing key expires, but I assume you have to use the timestamp service of
>> the CA that signed the key.

This is more saying that we should use osslsigncode's -t option, but I
don't quite know how.

Looking at this again, all the examples I find use a certain CA's
timestamp service, so I think perhaps my assumption is wrong.

> Not necessarily. We can work around that by getting a new key and
> release a new setup.
>
>> +sign: upx + @if [ -e `which osslsigncode` ]; then \ + osslsigncode sign -certs $(srcdir)/cygwin.crt -key $(srcdir)/cygwin.key -n "Cygwin setup" -i https://cygwin.com/ -in setup$(EXEEXT) -out setup-signed$(EXEEXT) ;\
>
> ^ $(srcdir)?
>
> This might not be quite right. We need to store the cert in a
> reasonably safe place, certainly not in srcdir (or git).

Yes, this could be done better. I added these filenames to .gitignore to
make sure they didn't end up in the git repo :)
Re: [PATCH setup 4/4] Codesign setup.exe (DO NOT APPLY)
On Dec 12 19:47, Achim Gratz wrote:
> Corinna Vinschen writes:
> >> 2/ The signature should be timestamped, so that it remains valid after the
> >> signing key expires, but I assume you have to use the timestamp service of
> >> the CA that signed the key.
> >
> > Not necessarily. We can work around that by getting a new key and
> > release a new setup.
>
> That wouldn't do any good for folks trying to use an old setup version
> or am I missing something?

They would get two messages, "Sig has expired" and "there's a new version
of setup". Isn't that sufficient?

Corinna

> In the meantime, we could provide a detached signature with the cygwin
> key, just like we do for setup.ini?

We already do. You can download setup-x86.exe.sig and
setup-x86_64.exe.sig from https://cygwin.com/

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
Re: [PATCH setup 4/4] Codesign setup.exe (DO NOT APPLY)
Corinna Vinschen writes:
>> 2/ The signature should be timestamped, so that it remains valid after the
>> signing key expires, but I assume you have to use the timestamp service of
>> the CA that signed the key.
>
> Not necessarily. We can work around that by getting a new key and
> release a new setup.

That wouldn't do any good for folks trying to use an old setup version
or am I missing something?

In the meantime, we could provide a detached signature with the cygwin
key, just like we do for setup.ini?

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
Re: [PATCH setup 4/4] Codesign setup.exe (DO NOT APPLY)
Hi Jon,

On Dec 12 13:29, Jon Turney wrote:
> As discussed in https://cygwin.com/ml/cygwin/2015-04/msg00133.html
>
> This is quite straightforward, but unfortunately, requires a non-technical
> problem to be solved to complete.
>
> 1/ A code signing certificate signed by a CA is required.

Where do we get one which is trusted, can be checked publicly, and
doesn't cost any money?

Who will be keymaster and with whom do we share the private key?

> 2/ The signature should be timestamped, so that it remains valid after the
> signing key expires, but I assume you have to use the timestamp service of
> the CA that signed the key.

Not necessarily. We can work around that by getting a new key and
release a new setup.

> +sign:upx
> + @if [ -e `which osslsigncode` ]; then \
> + osslsigncode sign -certs $(srcdir)/cygwin.crt -key
> $(srcdir)/cygwin.key -n "Cygwin setup" -i https://cygwin.com/ -in
> setup$(EXEEXT) -out setup-signed$(EXEEXT) ;\

^ $(srcdir)?

This might not be quite right. We need to store the cert in a
reasonably safe place, certainly not in srcdir (or git).

Thanks,
Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
[PATCH setup 4/4] Codesign setup.exe (DO NOT APPLY)
As discussed in https://cygwin.com/ml/cygwin/2015-04/msg00133.html

This is quite straightforward, but unfortunately, requires a non-technical
problem to be solved to complete.

1/ A code signing certificate signed by a CA is required.

2/ The signature should be timestamped, so that it remains valid after the
signing key expires, but I assume you have to use the timestamp service of
the CA that signed the key.

Signed-off-by: Jon Turney
--- .gitignore | 2 ++ Makefile.am | 13 +++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 8b81166..a27cae3 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,5 @@ autoconf.h.in* inilex.cc iniparse.cc iniparse.hh +cygwin.crt +cygwin.key diff --git a/Makefile.am b/Makefile.am index 12ad5ca..5afbb9f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -293,8 +293,8 @@ setup-src: git ls-files | tar -T - -cJf ${CURDIR}/$$ver-src.tar.xz;\ echo $$ver-src.tar.xz; exec rm -f $$ver -# optional: strip and compress executable -.PHONY:strip upx +# optional: strip, compress and sign executable +.PHONY:strip upx sign strip: all $(OBJCOPY) --add-gnu-debuglink=/dev/null --only-keep-debug setup$(EXEEXT) setup.dbg @@ -307,3 +307,12 @@ upx: strip else \ echo "UPX doesn't seem to be installed, cannot compress setup$(EXEEXT)." ;\ fi + +sign: upx + @if [ -e `which osslsigncode` ]; then \ + osslsigncode sign -certs $(srcdir)/cygwin.crt -key $(srcdir)/cygwin.key -n "Cygwin setup" -i https://cygwin.com/ -in setup$(EXEEXT) -out setup-signed$(EXEEXT) ;\ + chmod +x setup-signed.exe ;\ + mv setup-signed.exe setup.exe ;\ + else \ + echo "osslsigncode not found, cannot sign setup$(EXEEXT)." ;\ + fi -- 2.8.3
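
Review bot: In the .gitignore hunk, listing cygwin.crt and cygwin.key only guards against an accidental plain git add; the sign rule still expects the private key to sit in the source tree under $(srcdir), where a forced add or any copy of the working tree carries it along. Consider dropping these two entries and having the sign rule read the certificate and key paths from make variables that point outside the checkout, so the key never needs to live next to the sources.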
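
Review bot: In the new sign target of Makefile.am, the guard [ -e `which osslsigncode` ] does not detect a missing tool: when which prints nothing on standard output the test collapses to [ -e ], a one-argument test on a non-empty string, which is true, so the else branch is never reached. A check such as command -v osslsigncode >/dev/null tests what is intended. In the same rule the steps are joined with ;\ so chmod and mv still run after osslsigncode fails; chaining them with && would stop at the first failure. The chmod and mv lines hard-code setup-signed.exe and setup.exe while the osslsigncode line uses setup$(EXEEXT) and setup-signed$(EXEEXT); use $(EXEEXT) throughout. The commit message says the signature should be timestamped, but the osslsigncode command passes no timestamp option, so the signature produced here carries none.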