12

I want to install Cygwin-64. When I go to the download page, some information tells me: Run setup-x86_64.exe any time you want to update or install a Cygwin package for 64-bit windows. The signature for setup-x86_64.exe can be used to verify the validity of this binary using this public key.

Installing and Updating Cygwin Packages

How can I verify the validity of this binary using this public key? How do I write the command in cmd?

Tog
showkey

2 Answers

5

First, import the key with:

gpg --import pubring.asc
gpg --list-keys

Now you can verify this signature against your list of public keys:

gpg --verify setup-x86_64.exe.sig setup-x86_64.exe
elsamuko
  • please explain the answer and what the commands do – Fazer87 Jun 25 '14 at 09:35
  • How do you verify the validity of `pubring.asc` found [here](https://cygwin.com/key/pubring.asc)? – Tino Dec 05 '15 at 12:02
  • You can alternatively import the public key with `gpg --recv-keys 0xa9a262ff676041ba`. The public key can be found e.g. [here](https://pgp.mit.edu/pks/lookup?op=get&search=0xA9A262FF676041BA). – elsamuko Dec 06 '15 at 13:24
  • what if I do not have gpg yet? I've found that it is a "chicken and egg problem": https://cygwin.com/ml/cygwin/2009-05/msg00587.html – Andrzej Martyna Mar 27 '18 at 20:14
0

gpg --import pubring.asc (as in @elsamuko's answer) searches for the key in the hkp://keys.gnupg.net keyserver (the default in the ~/.gnupg/gpg.conf file). sometimes that server+key combo doesn't seem to work though.

hence, as suggested by unSpawn and/or @user1686, the alternative is to retrieve the key from a different server... say http://keyserver.ubuntu.com/, for instance. thus:

$ gpg --keyserver keyserver.ubuntu.com --recv 1a698de9e2e56300
$ gpg --list-keys

$ gpg --keyid-format=long --with-fingerprint --verify setup-x86_64.exe.sig setup-x86_64.exe
gpg: Signature made Thu Feb 17 22:01:07 2022 GMT
gpg:                using DSA key A9A262FF676041BA
gpg: Can't check signature: public key not found
gpg: Signature made Thu Feb 17 22:01:07 2022 GMT
gpg:                using RSA key 1A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5640 5CF6 FCC8 1574 682A  5D56 1A69 8DE9 E2E5 6300

... does the trick!.

please follow this interesting discussion if you feel icky about the WARNING message.

Manuel F
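An added example, not from either answer or from the Cygwin project: a bash check that accepts the installer only when gpg's machine-readable status reports a valid signature under a pinned primary-key fingerprint. It does not rely on gpg's exit status or on the human-readable text, because the `.sig` in the output above carries two signatures and one of them cannot be checked. The pinned fingerprint is the one printed in that output and should be confirmed against a source you trust; `check_status`, `verify_pinned` and the sample status lines are names and data constructed for this illustration.

```shell
#!/usr/bin/env bash
# Added example: pin the signer's primary-key fingerprint instead of
# trusting "Good signature" text or gpg's exit status.

# Fingerprint printed in the gpg output above, spaces removed.
PINNED_FPR=56405CF6FCC81574682A5D561A698DE9E2E56300

# Reads `gpg --status-fd` lines on stdin. Succeeds only if some VALIDSIG
# line names the pinned primary key and no BADSIG line is present.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"   { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, the last field is the
        # primary-key fingerprint. If gpg omits it, the match fails closed.
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# Hypothetical wrapper: verify_pinned SIGFILE DATAFILE
# Without pipefail the pipeline result is check_status's, so an
# uncheckable extra signature in the .sig does not reject the file.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# Constructed status output modelled on the session above: the DSA
# signature cannot be checked, the RSA one is valid.
SAMPLE_TWO_SIGS='[GNUPG:] ERRSIG A9A262FF676041BA 17 8 00 1645135267 9
[GNUPG:] NO_PUBKEY A9A262FF676041BA
[GNUPG:] GOODSIG 1A698DE9E2E56300 Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 56405CF6FCC81574682A5D561A698DE9E2E56300 2022-02-17 1645135267 0 4 0 1 8 00 56405CF6FCC81574682A5D561A698DE9E2E56300'

# Constructed: a cryptographically valid signature from some other key.
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 0000000000000000 Someone Else
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2022-02-17 1645135267 0 4 0 1 8 00 0000000000000000000000000000000000000000'
```

With gpg installed and the key imported, `verify_pinned setup-x86_64.exe.sig setup-x86_64.exe && echo OK` performs the real check.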