Cygwin setup signing public key update

Cygwin setup signing public key update

Jon TURNEY
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is an announcement of an update to the key used to sign (i) Cygwin setup executables, and (ii) the (compressed) setup.ini package manifest.

For a transitional period, these items will be signed using both the old and new keys.

The old key was:

$  gpg --keyid-format=long --with-fingerprint --list-keys 676041BA
pub   1024D/A9A262FF676041BA 2008-06-13
      Key fingerprint = 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA
uid                          Cygwin <[hidden email]>
sub   1024g/0AF098B5A1DB7B5C 2008-06-13
      Key fingerprint = F025 F81A E24C 6F04 C2C4  8626 0AF0 98B5 A1DB 7B5C

and the new key is:

$ gpg --keyid-format=long --with-fingerprint --list-keys E2E56300
pub   4096R/1A698DE9E2E56300 2020-02-27 [expires: 2022-02-26]
      Key fingerprint = 5640 5CF6 FCC8 1574 682A  5D56 1A69 8DE9 E2E5 6300
uid                          Cygwin <[hidden email]>

This message is signed with both old and new keys.

You can verify those signatures by saving this message to a text file, and running

    gpg --verify cygwin.asc

You can import the new key to your gpg keyring by saving this message to a text file, and running

    gpg --import cygwin.asc

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
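
An added example, not part of the original message or of the Cygwin project's tooling: a shell check that pins the full fingerprints announced above against a `gpg --with-colons` key listing, so that a key is accepted by fingerprint rather than by short key ID. The function names, the `check_keyfile` wrapper and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Fingerprints are the ones announced above, spaces removed.
OLD_FPR=1169DF9F22734F743AA59232A9A262FF676041BA
NEW_FPR=56405CF6FCC81574682A5D561A698DE9E2E56300

# Reads a `gpg --with-colons` key listing on stdin. Prints one verdict per
# primary key and returns 0 only if every primary key carries an announced
# fingerprint. Subkey fingerprints are not pinned and are skipped.
check_primary_fprs() {
    awk -F: -v old="$OLD_FPR" -v new="$NEW_FPR" '
        $1 == "pub" { want = 1; seen++; next }   # next fpr record is the primary
        $1 == "sub" { want = 0; next }           # ignore the subkey fpr record
        $1 == "fpr" && want {
            want = 0; checked++
            if ($10 == new)      print "new-key " $10
            else if ($10 == old) print "old-key " $10
            else { print "UNKNOWN " $10; bad = 1 }
        }
        # Fail on an unknown key, an empty listing, or a pub with no fpr record.
        END { if (bad || seen == 0 || checked != seen) exit 1 }
    '
}

# Hypothetical wrapper: inspect a saved key file without importing it.
# Assumes a GnuPG version that provides --show-keys.
check_keyfile() {
    gpg --show-keys --with-colons "$1" | check_primary_fprs
}

# Constructed sample listings (trimmed to the fields the check reads).
SAMPLE_OLD='pub:-:1024:17:A9A262FF676041BA:
fpr:::::::::1169DF9F22734F743AA59232A9A262FF676041BA:
sub:-:1024:16:0AF098B5A1DB7B5C:
fpr:::::::::F025F81AE24C6F04C2C486260AF098B5A1DB7B5C:'
SAMPLE_NEW='pub:-:4096:1:1A698DE9E2E56300:
fpr:::::::::56405CF6FCC81574682A5D561A698DE9E2E56300:'
# Constructed key whose short ID E2E56300 matches but whose fingerprint does not.
SAMPLE_LOOKALIKE='pub:-:4096:1:AAAAAAAAE2E56300:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE2E56300:'
```

Running `check_keyfile cygwin.asc` before `gpg --import cygwin.asc` rejects any file whose primary key is not one of the two announced keys.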

Re: Cygwin setup signing public key update

Jon TURNEY
On 13/03/2020 16:13, Jon Turney wrote:
> This is an announcement of an update to the key used to sign (i)
> Cygwin setup executables, and (ii) the (compressed) setup.ini package
> manifest.

If you just run setup, and update it when it tells you to update it, no
action is required, and this message chain will be of limited interest
to you.

This update is following the policy announced at [1]:

 > On 05/08/2008 14:30, Dave Korn wrote:
 >> If we, from time to time, need to change this key, we will release
 >> a new version of setup.exe and make announcements on the cygwin
 >> and cygwin-announce mailing lists, and on the cygwin.com website.

Also see that post for further discussion of the technical details of
setup signing.

The transition period, during which signatures are made using both keys,
will probably be approx. 90 days, circumstances permitting.

Note that due to technical limitations in old versions of setup, the
form of signature we use on setup.ini is one that gpg can make, but
cannot verify for both keys. This is only an issue if you manually
verify setup.ini with gpg, rather than letting setup do it. (See [2])

[1] https://cygwin.com/ml/cygwin-announce/2008-08/msg00001.html
[2] https://dev.gnupg.org/T1462