On 02/04/2015 19:13, David A. Wheeler wrote:
Running setup*.exe produces "Publisher: Unknown publisher", and it's doubtful 
that many people check the signature of the .exe file before running.  Even if they did, 
there's the problem that the signature comes from the same place.

Has Cygwin considered signing the installer using Sign Tool? More info:
   
https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx
   
http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/

I believe signing it this way would eliminate the "unknown publisher"; it would 
also protect the many people who don't follow the current signature-checking process.  
This would create a strong barrier against code subversion after release.

The signed executable could also be signed using the current process, so you 
don't need to *eliminate* any capability.  I can't provide a patch to do this, 
obviously :-).

I don't think this is obvious at all. You can't provide the certificate, but you can provide a patch.

However, saying "install Windows SDK, use signtool" is not a solution, for reasons already discussed.

The actual work that needs to be done here is to identify an alternative open source signing tool and how to use it.

It would be nice to have such a tool packaged for cygwin, as that would allow people to sign any MinGW-w64 executables they make...
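The check Wheeler says few people perform (does the .exe carry a signature at all?) can be triaged in code. The script below is an added example, not code from this thread, from Cygwin, or from any signing tool: it walks the PE headers to the security data directory and reports whether a file carries an Authenticode (PKCS#7) certificate table, and whether that table is well-formed. The sample image built by build_sample_pe is constructed for the demonstration; its "signature" body is placeholder bytes, not a real PKCS#7 blob, and the image is not loadable.

```python
import struct
import sys

# Constants from the PE/COFF and Authenticode specifications
IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot of the certificate table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode: a PKCS#7 SignedData blob
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def find_certificate_table(data: bytes):
    """Locate the security data-directory entry; return (file_offset, size) or None.

    Unlike the other directories, this entry holds a raw file offset, not an RVA,
    because the certificate table is never mapped into memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    size_of_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    if opt + size_of_opt > len(data) or size_of_opt < 2:
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_opt:
        return None
    count = struct.unpack_from("<I", data, count_off)[0]
    if count <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    offset, size = struct.unpack_from("<II", data, entry)
    return (offset, size) if offset and size else None


def pkcs7_blob(data: bytes):
    """Return the embedded PKCS#7 SignedData bytes, or None if the file is unsigned.

    Raises ValueError when a certificate table is present but inconsistent."""
    loc = find_certificate_table(data)
    if loc is None:
        return None
    offset, size = loc
    if size < 8 or offset + size > len(data):
        raise ValueError("certificate table points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", data, offset)  # WIN_CERTIFICATE header
    if length < 8 or length > size:
        raise ValueError("WIN_CERTIFICATE length inconsistent with directory size")
    if revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("not an Authenticode (PKCS#7) certificate entry")
    return data[offset + 8:offset + length]


def authenticode_status(data: bytes) -> str:
    """Triage verdict: 'unsigned', 'signed', or 'malformed' (not a PE, or a broken table)."""
    try:
        return "unsigned" if pkcs7_blob(data) is None else "signed"
    except ValueError:
        return "malformed"


def build_sample_pe(with_signature: bool, body: bytes = b"\x30\x03\x02\x01\x00") -> bytes:
    """Constructed minimal PE32+ header, optionally with a fake certificate table.

    `body` stands in for a PKCS#7 blob; it is placeholder data, NOT a real signature."""
    headers_len = 0x40 + 4 + 20 + 240
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    blob = b""
    if with_signature:
        blob = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        blob += b"\0" * (-len(blob) % 8)                            # entries are 8-byte aligned
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(blob))
    return bytes(dos + b"PE\0\0" + coff + opt + blob)


if __name__ == "__main__":
    # Usage: python authenticode_check.py setup-x86_64.exe ...   (no args: run the samples)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, authenticode_status(fh.read()))
    if len(sys.argv) == 1:
        print("sample signed  :", authenticode_status(build_sample_pe(True)))
        print("sample unsigned:", authenticode_status(build_sample_pe(False)))
```

Presence is not validity: this script only tells you whether a certificate table exists and is sane, which is the state that produces the "Unknown publisher" prompt when absent. Checking the certificate chain, the timestamp and the file hash covered by the signature is the job of signtool (signtool verify /pa), PowerShell's Get-AuthenticodeSignature, or, off Windows, the open-source osslsigncode. A presence check like this one is still useful as a release-pipeline gate that refuses to publish an installer that was never signed.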


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
