Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"

2016-09-29 Thread Achim Gratz
Thomas Sanders writes:
> Thanks for the reply, here is the actual script. I must have copy/pasted the 
> wrong info previously.
> ###
>   wget -q http://cygwin.com/setup-x86.exe -O ${DESTINATION}/setup-x86.exe
>   wget -q http://cygwin.com/setup-x86.exe.sig -O ${DESTINATION}/setup-x86.exe.sig
>   wget -q http://cygwin.com/setup-x86_64.exe -O ${DESTINATION}/setup-x86_64.exe
>   wget -q http://cygwin.com/setup-x86_64.exe.sig -O ${DESTINATION}/setup-x86_64.exe.sig
>   wget -q http://cygwin.com/key/pubring.asc -O ${DESTINATION}/pubring.asc

For checking the signatures to be of any real use, you'd need to use
https at least.  Also, you'd need to establish the provenance of the key
independently.

> testing /tftpboot/PXE/mirrors/cygwin//setup-x86.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
> gpg: BAD signature from "Cygwin <cygwin@cygwin.com>"

BLODA, most likely.  Particularly some stupid heuristic scanner that
thinks that UPX compressed binaries are dangerous just because they use
compression.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Terratec KOMPLEXER:
http://Synth.Stromeko.net/Downloads.html#KomplexerWaves

--
Problem reports:   http://cygwin.com/problems.html
FAQ:   http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info:  http://cygwin.com/ml/#unsubscribe-simple



Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"

2016-09-29 Thread Lee
On 9/28/16, Herbert Stocker wrote:
> Hi,
>
> On 28.09.2016 23:05, Wayne Porter wrote:
>> On Wed, Sep 28, 2016 at 07:52:05PM +, Thomas Sanders wrote:
>>> gpg --verify setup-x86.exe.sig setup-x86.exe
>>> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
>>> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg:  There is no indication that the signature belongs to the owner.
>>> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA
>>
>> This appears to be a good signature, just that the key is untrusted.
>> Someone
>> else correct me if I'm wrong, but that is typical to see, at least for
>> me.
>
> But doesn't it mean that anybody who manages to hack into your web
> server, or who does a man in the middle attack on the HTTP (without S)
> connection, is able to replace the setup-x86.exe by a malicious one
> and to also provide a corresponding setup-x86.exe.sig, so that the gpg
> output will be "good signature but untrusted key"?

Only if you don't already have a cygwin@cygwin.com key saved:
  if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ]
  then
    gpg --import ${DESTINATION}/pubring.asc
  fi

although checking for exactly one instance instead of an instance seems doubtful.

On the other hand, I didn't even know setupXXX.exe was signed so I
haven't been checking at all :(

It'd be nice if someone could add a signature + public key link on the
front page instead of having to click through the "fresh install" or
"update" link to find out there's signatures available.

Lee

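Achim's point (https plus independent provenance of the key) and Lee's point (the check only helps if a cygwin@cygwin.com key is already in the keyring) come down to the same thing: the script must verify that the signature was made by one specific, independently confirmed key, not by whatever key arrived in pubring.asc from the same server. The following is an added example, not code from the thread or from the Cygwin project: it pins the fingerprint quoted in the thread and parses gpg's --status-fd output instead of trusting the exit code alone. The sample status lines are constructed, and verify_setup is a name chosen here.

```shell
# Pinned fingerprint of the Cygwin signing key, copied (spaces removed) from
# the "Primary key fingerprint" line quoted in this thread. Confirm it out of
# band before relying on it.
CYGWIN_FPR="1169DF9F22734F743AA59232A9A262FF676041BA"

# check_gpg_status PINNED: read gpg --status-fd output on stdin. Returns 0 only
# when a VALIDSIG line carries PINNED as the signing key (field 3) or the
# primary key (field 12). A BADSIG, no VALIDSIG, or a valid signature from
# any other key (substituted exe, sig and pubring.asc together) returns 1.
check_gpg_status() {
    pinned=$1
    found=1
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] BADSIG "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                set -f            # no globbing while word-splitting the line
                set -- $line
                set +f
                if [ "$3" = "$pinned" ] || [ "${12:-}" = "$pinned" ]; then
                    found=0
                fi ;;
        esac
    done
    return $found
}

# verify_setup FILE: what the thread's script should run instead of testing
# gpg's exit code alone. Needs gpg, the imported key and FILE plus FILE.sig
# fetched over https, so it is not exercised offline here.
verify_setup() {
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
        | check_gpg_status "$CYGWIN_FPR"
}

# Constructed samples in gpg's status format (not captured output): a good
# signature by the pinned key, a good one by a substituted key, and a bad one.
GOOD_STATUS='[GNUPG:] GOODSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 1169DF9F22734F743AA59232A9A262FF676041BA 2016-09-09 1473412802 0 4 0 17 2 00 1169DF9F22734F743AA59232A9A262FF676041BA
[GNUPG:] TRUST_UNDEFINED 0 pgp'
FOREIGN_STATUS='[GNUPG:] GOODSIG 0123456789ABCDEF Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2016-09-09 1473412802 0 4 0 17 2 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'
BAD_STATUS='[GNUPG:] BADSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>'

# Stand-alone demo over the three samples: accepted, rejected, rejected.
for s in "$GOOD_STATUS" "$FOREIGN_STATUS" "$BAD_STATUS"; do
    printf '%s\n' "$s" | check_gpg_status "$CYGWIN_FPR" && echo accepted || echo rejected
done
```

Note that the "not certified with a trusted signature" WARNING is about the web of trust, not about the signature itself; once the fingerprint is pinned, that warning no longer matters to the decision.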



Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"

2016-09-28 Thread Brian Inglis

On 2016-09-28 16:58, Thomas Sanders wrote:

> ###
>   wget -q http://cygwin.com/setup-x86.exe -O ${DESTINATION}/setup-x86.exe
>   wget -q http://cygwin.com/setup-x86.exe.sig -O ${DESTINATION}/setup-x86.exe.sig
>   wget -q http://cygwin.com/setup-x86_64.exe -O ${DESTINATION}/setup-x86_64.exe
>   wget -q http://cygwin.com/setup-x86_64.exe.sig -O ${DESTINATION}/setup-x86_64.exe.sig
>   wget -q http://cygwin.com/key/pubring.asc -O ${DESTINATION}/pubring.asc
>
>   if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ]
>   then
>     gpg --import ${DESTINATION}/pubring.asc
>   fi
>
>   echo "testing ${DESTINATION}/setup-x86.exe"
>   gpg --verify ${DESTINATION}/setup-x86.exe.sig ${DESTINATION}/setup-x86.exe
>   if [ ${?} -gt 0 ]
>   then
>     mv ${DESTINATION}/setup-x86.exe ${DESTINATION}/setup-x86.exe.DONT_USE-BAD_SIGNATURE
>   fi
>
>   echo "testing ${DESTINATION}/setup-x86_64.exe"
>   gpg --verify ${DESTINATION}/setup-x86_64.exe.sig ${DESTINATION}/setup-x86_64.exe
>   if [ ${?} -gt 0 ]
>   then
>     mv ${DESTINATION}/setup-x86_64.exe ${DESTINATION}/setup-x86_64.exe.DONT_USE-BAD_SIGNATURE
>   fi
> ###
> Here is the output:
> testing /tftpboot/PXE/mirrors/cygwin//setup-x86.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
> gpg: BAD signature from "Cygwin <cygwin@cygwin.com>"
>
> testing /tftpboot/PXE/mirrors/cygwin//setup-x86_64.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:  There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA


IIRC to suppress BAD and WARNING (it's been a while since I did this)
you install gnupg package, then generate your own key:
[following edited to obscure local details; I edited the details using
the example provided in gpg; skip this step if you have already done it
with your own details]

$ gpg --gen-key
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `~/.gnupg' created
gpg: new configuration file `~/.gnupg/gpg.conf' created
gpg: WARNING: options in `~/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `~/.gnupg/secring.gpg' created
gpg: keyring `~/.gnupg/pubring.gpg' created

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Fri 28 Sep 2018 09:17:14 PM GMT
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) "

Real name: Heinrich Heine
Email address: heinri...@duesseldorf.de
Comment: Der Dichter
You selected this USER-ID:
"Heinrich Heine (Der Dichter) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

[*open another terminal and run "find / >& /dev/null &"; then do a Windows
File Explorer search for e; browse the web and wave the mouse around;
type junk into other windows; until the following messages stop appearing:
may take a few minutes unless your system is running background work*]

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 264 more bytes)
+
+

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 86 more bytes)
.+

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 128 more bytes)
+

gpg: ~/.gnupg/trustdb.gpg: trustdb created
gpg: key  marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) 

Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"

2016-09-28 Thread Herbert Stocker

Hi,

On 28.09.2016 23:05, Wayne Porter wrote:

> On Wed, Sep 28, 2016 at 07:52:05PM +, Thomas Sanders wrote:
>
>> gpg --verify setup-x86.exe.sig setup-x86.exe
>> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
>> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:  There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA
>
> This appears to be a good signature, just that the key is untrusted. Someone
> else correct me if I'm wrong, but that is typical to see, at least for me.


But doesn't it mean that anybody who manages to hack into your web
server, or who does a man in the middle attack on the HTTP (without S)
connection, is able to replace the setup-x86.exe by a malicious one
and to also provide a corresponding setup-x86.exe.sig, so that the gpg
output will be "good signature but untrusted key"?

my 2 cents.

Herbert





RE: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"

2016-09-28 Thread Thomas Sanders
Thanks for the reply, here is the actual script. I must have copy/pasted the 
wrong info previously.
###
  wget -q http://cygwin.com/setup-x86.exe -O ${DESTINATION}/setup-x86.exe
  wget -q http://cygwin.com/setup-x86.exe.sig -O ${DESTINATION}/setup-x86.exe.sig
  wget -q http://cygwin.com/setup-x86_64.exe -O ${DESTINATION}/setup-x86_64.exe
  wget -q http://cygwin.com/setup-x86_64.exe.sig -O ${DESTINATION}/setup-x86_64.exe.sig
  wget -q http://cygwin.com/key/pubring.asc -O ${DESTINATION}/pubring.asc

  if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ]
  then
    gpg --import ${DESTINATION}/pubring.asc
  fi

  echo "testing ${DESTINATION}/setup-x86.exe"
  gpg --verify ${DESTINATION}/setup-x86.exe.sig ${DESTINATION}/setup-x86.exe
  if [ ${?} -gt 0 ]
  then
    mv ${DESTINATION}/setup-x86.exe ${DESTINATION}/setup-x86.exe.DONT_USE-BAD_SIGNATURE
  fi

  echo "testing ${DESTINATION}/setup-x86_64.exe"
  gpg --verify ${DESTINATION}/setup-x86_64.exe.sig ${DESTINATION}/setup-x86_64.exe
  if [ ${?} -gt 0 ]
  then
    mv ${DESTINATION}/setup-x86_64.exe ${DESTINATION}/setup-x86_64.exe.DONT_USE-BAD_SIGNATURE
  fi
###
Here is the output:
testing /tftpboot/PXE/mirrors/cygwin//setup-x86.exe
gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
gpg: BAD signature from "Cygwin <cygwin@cygwin.com>"

testing /tftpboot/PXE/mirrors/cygwin//setup-x86_64.exe
gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

 -- 
Thomas Sanders | Sr. Network Systems Administrator
TrellisWare Technologies, Inc.

Office/FAX: 858-753-1654 | Mobile: 619-512-3311


-Original Message-
From: Andrey Repin [mailto:anrdae...@yandex.ru] 
Sent: Wednesday, September 28, 2016 2:14 PM
To: Thomas Sanders; cygwin@cygwin.com
Subject: Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"

Greetings, Thomas Sanders!

> FYI, I don't know if this is working as designed (please see the
> application error below)
> wget https://cygwin.com/setup-x86.exe
> wget https://cygwin.com/setup-x86.exe.sig

> gpg --verify setup-x86.exe.sig setup-x86.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
---^^
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:  There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

> When running the app the following error occurs (Windows 7)

> This version of C:\Users\tsanders\cygwin_setup-x86.exe is not compatible with
> the version of Windows you're running. Check your computer's system information
> to see whether you need a x86 (32-bit) or x64 (64-bit) version of the program,
> and then contact the software publisher.

Likely cause is your AV software blocking the file.
Try saving it with -O innocent_name.exe

> 
> wget https://cygwin.com/setup-x86_64.exe.sig
> wget https://cygwin.com/setup-x86_64.exe

> gpg --verify setup-x86_64.exe.sig setup-x86_64.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
---^^
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:  There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

Did you copy-paste the wrong console output or what?


--
With best regards,
Andrey Repin
Thursday, September 29, 2016 00:12:02

Sorry for my terrible English...





Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"

2016-09-28 Thread Andrey Repin
Greetings, Thomas Sanders!

> FYI, I don't know if this is working as designed (please see the application 
> error below)
> wget https://cygwin.com/setup-x86.exe
> wget https://cygwin.com/setup-x86.exe.sig  

> gpg --verify setup-x86.exe.sig setup-x86.exe  
> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
---^^
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:  There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

> When running the app the following error occurs (Windows 7)

> This version of C:\Users\tsanders\cygwin_setup-x86.exe is not compatible with
> the version of Windows you're running. Check your computer's system information
> to see whether you need a x86 (32-bit) or x64 (64-bit) version of the program,
> and then contact the software publisher.

Likely cause is your AV software blocking the file.
Try saving it with -O innocent_name.exe

> 
> wget https://cygwin.com/setup-x86_64.exe.sig
> wget https://cygwin.com/setup-x86_64.exe

> gpg --verify setup-x86_64.exe.sig setup-x86_64.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
---^^
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:  There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

Did you copy-paste the wrong console output or what?


-- 
With best regards,
Andrey Repin
Thursday, September 29, 2016 00:12:02

Sorry for my terrible English...





Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"

2016-09-28 Thread Wayne Porter
On Wed, Sep 28, 2016 at 07:52:05PM +, Thomas Sanders wrote:
> gpg --verify setup-x86.exe.sig setup-x86.exe  
> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:  There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

This appears to be a good signature, just that the key is untrusted. Someone
else correct me if I'm wrong, but that is typical to see, at least for me.

> When running the app the following error occurs (Windows 7)
> 
> This version of C:\Users\tsanders\cygwin_setup-x86.exe is not compatible with
> the version of Windows you're running. Check your computer's system information
> to see whether you need a x86 (32-bit) or x64 (64-bit) version of the program,
> and then contact the software publisher.

What is the output of the following from your system:
echo %PROCESSOR_IDENTIFIER% %PROCESSOR_ARCHITECTURE%



Wayne Porter


