> Has Cygwin considered signing the installer using Sign Tool? More info: > > https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx > > http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/ > > I believe signing it this way would eliminate the "unknown publisher"; it > would also protect the many people who don't follow the current > signature-checking process. This would create a strong barrier against code > subversion after release. > > The signed executable could also be signed using the current process, so you > don't need to *eliminate* any capability. I can't provide a patch to do > this, obviously :-). > > --- David A. Wheeler
Ultimately, this is probably a Corinna question since I believe she compiles the setup executable, but I'll provide my general input as an software developer. Firstly, the tools to sign an executable are certainly available as part of the Windows SDK which is freely downloadable -- so no problem there. However, we would have to determine which publicly trusted certificate to use (using a self-signed cert would likely produce the same message) and is signing the executable the *right* thing to do. Since the setup executable is responsible for running a whole bunch of community contributed post-install executables as part of the installation process, I'm not sure whether it'd be advisable to stamp a particular individual's name or company's name on the executive installer (e.g. Red Hat, for example). If a tainted executable was uploaded into the package repository and subsequently flagged, the certificate authority may have to revoke the certificate which is never good for publicity of the signer. For most pieces of software, the maintainer or the maintainers company's can very confidently vouch for the content of the installation package and executables within it. In the Cygwin world, this accountability is a little more distributed between the package maintainers and source code contributors. That said, I have the upmost respect for the package maintainers and I've never had any security problems with the Cygwin packages other than stupid antivirus false positives and some dirty limericks that got installed (my HR department didn't like that). So that's my two cents. For all I know the *real* reason it's not signed is "nobody had asked for it". - Bryan -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
