
Re: SSL not required for setup.exe download

On 3/12/19, Andrey Repin wrote:
> Greetings, Lee!
>
>>>>> Which is way worse in my opinion, than any theoretical MITM attack, which
>>>>> is easily mitigated with proper validation of your downloads.
>>>
>>>> Serious question - exactly how does one do "proper validation of your
>>>> downloads"?
>>>
>>> Use PGP signature to validate the installer. Use separate channel to obtain
>>> trust records for PGP key used in signing.
>
>> Yes, in the ideal world.  But at least in my experience, most Windows
>> software doesn't come with a PGP signature & using a separate channel
>> to get the PGP key isn't so easy.
>
> In my experience, this is a Cygwin mailing list and we're discussing issues
> of obtaining and verifying the authenticity of setup.exe.

But you made proper validation sound so easy and so general :)

But ok, we'll limit it to just the Cygwin setup.exe.  What separate
channel is available for finding the Cygwin signing key?  My
recollection is that I gave up looking & used the link on the install
page to get the public key.

> P.S.
> In regard to Cygwin mailing list, please teach your mail agent to not quote
> raw email addresses.

Sorry about that.

Regards,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
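The point Andrey makes above (a PGP signature only helps if the key's trust record came through a separate channel) is easy to get wrong in practice: `gpg --verify` prints "Good signature" for any key that happens to be in the keyring, including one fetched from the same web page as the installer. The script below is an added example written for this archive page, not Cygwin project code and not something posted in the thread. It verifies a detached signature with gpg's machine-readable `--status-fd` output and accepts the file only when the `VALIDSIG` line names a fingerprint that was pinned out of band. The fingerprint, file names and keyring path are placeholders, not real Cygwin values.

```shell
#!/bin/sh
# Added example (not from the thread or the Cygwin project): accept a
# downloaded installer only if its detached OpenPGP signature was made by a
# key whose fingerprint was obtained through a separate, trusted channel.

# Placeholder fingerprint standing in for the one you recorded out of band
# (for example from a printed notice or a colleague's keyring), NOT a value
# scraped from the same download page as the installer.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# check_validsig EXPECTED_FPR
#   Reads gpg --status-fd output on stdin. Succeeds (exit 0) only if a
#   VALIDSIG line names EXPECTED_FPR as either the signing key or its
#   primary key. A GOODSIG line alone is ignored on purpose: it only means
#   the file matches *some* key in the keyring, not a key you trust.
check_validsig() {
    expected="$1"
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # Fields: [GNUPG:] VALIDSIG <signing-key-fpr> <date> <ts>
                #         <expire> <ver> <reserved> <pk-algo> <hash-algo>
                #         <sig-class> [<primary-key-fpr>]
                set -- $line
                signing="$3"
                eval "primary=\${$#}"
                if [ "$signing" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    found=0
                fi
                ;;
        esac
    done
    return $found
}

# verify_installer FILE SIGNATURE KEYRING
#   Runs gpg against a dedicated keyring that holds only the out-of-band
#   key, then applies the fingerprint pin. gpg's own exit status is not
#   relied on: with no VALIDSIG for the pinned fingerprint, the pipeline
#   fails regardless of what gpg printed to stderr.
verify_installer() {
    file="$1"
    sig="$2"
    keyring="$3"   # e.g. ./trusted-installer-keys.gpg (placeholder path)
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
      | check_validsig "$EXPECTED_FPR"
}

# Stand-alone use: ./verify.sh setup.exe setup.exe.sig ./trusted-installer-keys.gpg
if [ "$#" -ge 3 ]; then
    if verify_installer "$1" "$2" "$3"; then
        echo "OK: $1 is signed by the pinned key $EXPECTED_FPR"
    else
        echo "REJECT: $1 is not signed by the pinned key" >&2
        exit 1
    fi
fi
```

The keyring argument matters as much as the fingerprint check: importing the publisher's key into your default keyring next to hundreds of others means a "Good signature" from any of them would look the same in casual use, so keeping installer keys in their own small keyring and pinning the fingerprint closes both gaps at once.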