On Sun, 20 Nov 2022 17:17:18 +0000, Jon Turney wrote:
On 18/11/2022 21:15, Dale McCoy wrote:
I use Cygwin in the course of work, and while I can use the external gpg
signature to verify the validity of setup-x86_64.exe, my IT department
can't see that step. They get somewhat concerned when they see that Windows
thinks setup-x86_64.exe is unsigned, and I certainly don't blame them.
Can I convince you to also embed a signature in the installer, so Windows
recognizes the file is signed?

This is something I'd like to do, but unfortunately, the remaining blocking issues are not technical.

In order to sign the code in this way, the key needs to be signed by a CA that participates in the Microsoft Trusted Root Program. These CAs charge an annual fee. As the person who makes the setup releases, I'm not going to pay that out of my own pocket, and we currently have no organization to collect donations for that (or any other) purpose.

If Cygwin becomes an SFC member, they may be able to fund Cygwin signing certs.

--
Take care. Thanks, Brian Inglis                 Calgary, Alberta, Canada

La perfection est atteinte                      Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter     not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer        but when there is no more to cut
                        -- Antoine de Saint-Exupéry
