If a mirror comes from mirrors.lst, validate the signature using the cygwin signing key only. --- ini.cc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/ini.cc b/ini.cc index 18ab2e3..4be8263 100644 --- a/ini.cc +++ b/ini.cc @@ -292,8 +292,12 @@ do_remote_ini (HWND owner) current_ini_sig_name = current_ini_name + ".sig"; ini_sig_file = get_url_to_membuf (current_ini_sig_name, owner); ini_file = get_url_to_membuf (current_ini_name, owner); + + // Official mirrors must be signed by the cygwin key. + bool main_key_only = n->from_mirrors_lst; ini_file = check_ini_sig (ini_file, ini_sig_file, sig_fail, - n->url.c_str (), current_ini_sig_name.c_str (), owner); + n->url.c_str (), current_ini_sig_name.c_str (), owner, main_key_only); + // stop searching as soon as we find a setup file if (ini_file) break; -- 2.15.1