David A. Wheeler inquired:
> > Has Cygwin considered signing the installer using Sign Tool? More info:

On Fri, 3 Apr 2015 01:22:15 +0300, Andrey Repin <anrdae...@yandex.ru> wrote:
> Did Microsoft make it available separately? Or is there a description of the
> structure of such a signature and/or a free tool that can be used to generate
> it?

Microsoft makes signtool available as part of its SDK at no charge (gratis, not
libre):

https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx

This page points to some alternatives:

http://stackoverflow.com/questions/18211594/windows-code-signing-process-alternative-to-ms-signtool-exe

They note that Mono includes "signcode", and it's libre (as well as gratis).
Instructions here:

https://developer.mozilla.org/en-US/docs/Signing_an_executable_with_Authenticode


> Last I checked, you have to install a metric ton of garbage to get signtool as
> a bonus.

It seems to be a short ton.  The default installs a lot, but you can deselect
much.  It's not tiny due to dependencies, but it's not *everything*.

Also, you *only* have to install it on the system that does the signing;
no other system needs it.  It's good to have a separate signing system anyway.

> People who don't check signature manually, won't check the credibility of
> the embedded signature either.
> And it only takes about thirty seconds to fake the lines that are visible in
> prompt dialogue.

Clearly this is limited.  But these signatures are automatically checked by
Windows, and the publisher is displayed for review before acceptance, which
raises the bar a little.  The number of people who check the signatures on
setup*.exe is probably pretty small; I'm hoping to raise the safety bar for
everyone else.

There's also an appearance factor: running an unsigned app looks scarier
(there's a warning "The publisher could not be verified...", possibly followed
by a User Account warning again noting the 'unknown' publisher).  Having a
signature may make users and their admins more confident that it's okay to use
Cygwin.


--- David A. Wheeler
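For the question above about the structure of such a signature: an Authenticode signature lives in the PE file's security data directory as a WIN_CERTIFICATE block wrapping a PKCS#7 SignedData blob. The following is an added example, not code from this thread or from Cygwin; it locates that block with only the Python standard library, and `build_sample_pe` constructs a toy PE32+ image (hypothetical, no sections, fake certificate bytes) so the parser can be exercised offline.

```python
import struct

# Data directory slot 4 of the optional header is IMAGE_DIRECTORY_ENTRY_SECURITY. Unlike the
# others, its "VirtualAddress" is a raw file offset to a WIN_CERTIFICATE (dwLength, wRevision,
# wCertificateType, bCertificate[]); for Authenticode the payload is a PKCS#7 SignedData blob.
SECURITY_DIR_INDEX = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def find_authenticode(pe):
    """Locate the embedded signature; returns (offset, length, revision, type, blob) or None."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                            # PE32
        count_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:                          # PE32+
        count_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", pe, count_off)[0] <= SECURITY_DIR_INDEX:
        return None
    sec_off, sec_size = struct.unpack_from("<II", pe, dir_off + SECURITY_DIR_INDEX * 8)
    if sec_off == 0 or sec_size == 0:
        return None                               # unsigned: no security directory
    length, revision, cert_type = struct.unpack_from("<IHH", pe, sec_off)
    if length > sec_size or sec_off + length > len(pe):
        raise ValueError("security directory points outside the file")
    return sec_off, length, revision, cert_type, bytes(pe[sec_off + 8:sec_off + length])

def build_sample_pe(cert_blob=None):
    """Constructed minimal PE32+ image (no sections), for demonstration only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                          # PE32+ optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    image = dos + b"PE\0\0" + coff + opt          # 328 bytes, already 8-byte aligned
    if cert_blob is not None:
        cert_blob += b"\0" * (-len(cert_blob) % 8)  # WIN_CERTIFICATE is padded to 8 bytes
        win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, len(image), len(win_cert))
        image = dos + b"PE\0\0" + coff + opt + win_cert   # rebuild with the patched directory
    return bytes(image)
```

Finding the block only tells you a signature is present; whether it is valid, and who the publisher is, comes from verifying the PKCS#7 contents against a trusted chain, which is what Windows does automatically and what a tool such as signtool does on request.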
