On 3/12/19, Andrey Repin wrote:
> Greetings, Lee!
>
>>>>> Which is way worse in my opinion, than any theoretical MITM attack, which
>>>>> is easily mitigated with proper validation of your downloads.
>>>
>>>> Serious question - exactly how does one do "proper validation of your
>>>> downloads"?
>>>
>>> Use PGP signature to validate the installer. Use separate channel to obtain
>>> trust records for PGP key used in signing.
>
>> Yes, in the ideal world. But at least in my experience, most Windows
>> software doesn't come with a PGP signature & using a separate channel
>> to get the PGP key isn't so easy.
>
> In my experience, this is a Cygwin mailing list and we're discussing issues
> of obtaining and verifying the authenticity of setup.exe.

But you made proper validation sound so easy and so general :)
But ok, we'll limit it to just the Cygwin setup.exe. What separate
channel is available for finding the Cygwin signing key? My
recollection is that I gave up looking & used the link on the install
page to get the public key.

> P.S.
> In regard to Cygwin mailing list, please teach your mail agent to not quote
> raw email addresses.

Sorry about that.

Regards,
Lee

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
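The two steps Andrey outlines (verify the installer's detached PGP signature, then check the signing key against trust records obtained through a separate channel) can be mechanised as below. This is an added example, not code from the thread or from the Cygwin project, and it does not answer Lee's question of where to obtain the Cygwin key's fingerprint: it only shows what to do with such a fingerprint once you have it. It assumes gpg 2.x on the PATH and runs entirely in a throwaway GNUPGHOME with a freshly generated demo key; the demo key's fingerprint stands in for the value you would record out of band, and the real Cygwin key is not used anywhere.

```shell
#!/bin/sh
# Added example (not from the thread or the Cygwin project). Verifies a
# detached PGP signature on an installer and pins the signing key to a
# fingerprint obtained separately from the download site. Everything runs in
# a temporary GNUPGHOME with a demo key; no real Cygwin key or fingerprint.

# verify_installer FILE SIG PINNED_FPR
# Succeeds (exit 0) only if gpg reports a good signature AND the primary key
# fingerprint it reports equals PINNED_FPR. Reads gpg's machine-readable
# status lines (--status-fd) rather than its human-readable output, so the
# "untrusted key" warning gpg prints for a key outside your web of trust is
# irrelevant: the pinned fingerprint is the trust decision.
verify_installer() {
    file=$1; sig=$2; pinned=$3
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    # On a good signature gpg emits "[GNUPG:] VALIDSIG <fpr> ... <primary-fpr>";
    # the last field is the primary key fingerprint (gpg 2.x).
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF }')
    [ -n "$fpr" ] || return 1
    [ "$fpr" = "$pinned" ]
}

# demo_setup: temporary keyring, demo signing key, a constructed stand-in for
# setup.exe and a detached signature over it. Sets GNUPGHOME and DEMO_FPR.
demo_setup() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$GNUPGHOME"' EXIT
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <demo@example.invalid>' default default never \
        >/dev/null 2>&1 || return 1
    # In real use this value comes from a channel other than the download
    # page (printed documentation, a keyserver lookup cross-checked against a
    # second source, a copy held by a colleague). Here it is the demo key's.
    DEMO_FPR=$(gpg --batch --with-colons --list-keys demo@example.invalid \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$DEMO_FPR" ] || return 1
    printf 'constructed stand-in for setup.exe\n' > "$GNUPGHOME/setup.exe"
    gpg --batch --detach-sign --output "$GNUPGHOME/setup.exe.sig" \
        "$GNUPGHOME/setup.exe" >/dev/null 2>&1 || return 1
    # A tampered copy of the download, to show the signature check failing.
    cp "$GNUPGHOME/setup.exe" "$GNUPGHOME/tampered.exe"
    printf 'x' >> "$GNUPGHOME/tampered.exe"
}

# Demo run when executed as a script.
if command -v gpg >/dev/null 2>&1 && demo_setup; then
    f=$GNUPGHOME/setup.exe; s=$GNUPGHOME/setup.exe.sig
    if verify_installer "$f" "$s" "$DEMO_FPR"; then
        echo "accepted: good signature from pinned key $DEMO_FPR"
    fi
    # Valid signature, wrong pin: rejected even though gpg itself says GOODSIG
    # (placeholder fingerprint, all zeros).
    verify_installer "$f" "$s" 0000000000000000000000000000000000000000 \
        || echo "rejected: signing key does not match pinned fingerprint"
    verify_installer "$GNUPGHOME/tampered.exe" "$s" "$DEMO_FPR" \
        || echo "rejected: signature does not match file contents"
fi
```

The design point is the order of checks: a good signature on its own only proves that someone holding some key signed the file, and a key fetched from the same page as the installer proves nothing if that page is the thing under attack. Comparing the fingerprint gpg reports against one recorded elsewhere is what turns "signed" into "signed by the party I expect".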