On 18/03/2010 00:58, Steven Monai wrote:
> As an alternative to setting up SSL on cygwin.com, what about the idea
> of crypto-signing (e.g. with gnupg) every release of setup.exe, and then
> posting the signature alongside the binary? I know I would breathe a
> little easier if I were able to positively verify the authenticity of a
> given setup.exe binary.

That much is already done, and documented on the front page of cygwin.com:
read the first sentence under the "Installing and Updating Cygwin and its
Packages" heading just beneath the mid-bar, or go straight to
http://cygwin.com/setup.exe.sig

> The public key would need to be distributed via channels other than just
> cygwin.com, to make it more difficult to spoof. Fortunately, there are a
> number of public PGP/GPG key servers to fill that purpose.

And we have already uploaded it to them; DSA key ID 676041BA:

http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xA9A262FF676041BA

    cheers,
      DaveK

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
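A script that checks a downloaded setup.exe against setup.exe.sig, added here as an example and not part of this thread or of the Cygwin project: it fetches the key DaveK names from the keyserver and, beyond a plain `gpg --verify`, requires that the valid signature was made by that key rather than by any key that happens to be in the local keyring. The `sig_made_by_expected_key` helper, the default file names (the ones the thread mentions) and the `hkp://` keyserver address are my assumptions.

```shell
#!/bin/sh
# Example (not from the thread): verify Cygwin's setup.exe with GnuPG and
# pin the verification to the expected signing key. Assumes gpg is installed.

EXPECTED_KEYID="A9A262FF676041BA"      # long form of DSA key ID 676041BA (from the thread)
KEYSERVER="hkp://pgp.mit.edu:11371"     # assumed keyserver address

# Read GnuPG --status-fd lines on stdin; return 0 only if a VALIDSIG line names
# a signing-key or primary-key fingerprint ending in the expected long key ID.
# Status line shape: "[GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> ... [<primary-fpr>]"
sig_made_by_expected_key() {
    expected="$1"
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                sigfpr=$(printf '%s\n' "$line" | awk '{print $3}')
                primfpr=$(printf '%s\n' "$line" | awk '{print $NF}')
                case "$sigfpr" in *"$expected") return 0 ;; esac
                case "$primfpr" in *"$expected") return 0 ;; esac
                ;;
        esac
    done
    return 1    # no VALIDSIG from the expected key: GOODSIG/BADSIG alone do not count
}

# Import the release-signing key from the keyserver (network access required).
fetch_key() {
    gpg --keyserver "$KEYSERVER" --recv-keys "0x$EXPECTED_KEYID"
}

# Verify <binary> against <sig>; --status-fd 1 puts the machine-readable
# status lines on stdout while gpg's human-readable messages stay on stderr.
verify_setup() {
    binary="${1:-setup.exe}"
    sig="${2:-setup.exe.sig}"
    gpg --status-fd 1 --verify "$sig" "$binary" \
        | sig_made_by_expected_key "$EXPECTED_KEYID"
}

# Usage: fetch_key && verify_setup setup.exe setup.exe.sig && echo "OK: signed by $EXPECTED_KEYID"
```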