
I had come across the following thread (how to verify the validity of the binary using the public key?), which details verifying the validity of the signature provided by Cygwin for its installation. I ran the following commands (output shown as well):

$ gpg --import pubring.asc
gpg: key A9A262FF676041BA: public key "Cygwin <cygwin@cygwin.com>" imported
gpg: Total number processed: 1 
gpg:               imported: 1

$ gpg --list-keys
/home/ubuntuman/.gnupg/pubring.kbx
----------------------------------
pub   dsa1024 2008-06-13 [SC]
  1169DF9F22734F743AA59232A9A262FF676041BA
uid           [ unknown] Cygwin <cygwin@cygwin.com>
sub   elg1024 2008-06-13 [E]

$ gpg --verify setup-x86_64.exe.sig setup-x86_64.exe
gpg: Signature made Mon 23 Oct 2017 06:44:26 AM HST 
gpg:                using DSA key A9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

So, is this safe to install? I'm new to GnuPG, signatures, and certificates. What pops out to me is the "WARNING: This key is not certified with a trusted signature" and that the "signature was made Mon 23 Oct 2017", which is pretty recent at the time of writing this post (Nov 5).

Jens Erat

1 Answer


The message explains GnuPG was not able to validate the key's ownership. Everybody can generate keys for arbitrary names and mail addresses (just search the key servers for president@whitehouse.gov).

A very "OpenPGP" way would be to validate the key through the OpenPGP web of trust. Power users of OpenPGP verify others' identities and attest this verification by issuing certifications on the others' keys. This forms a network of connected keys, with a so-called trust path between two arbitrary keys in the network. If you also participate in this and trust the people on the trust path, you have successfully validated the key's ownership. GnuPG supports this through certifications (often also called signatures) and issuing trust; if you can validate a key through your local view on the web of trust, the warning message will vanish.

Then, there is a more pragmatic approach: if you find any reasonable clue the key belongs to the Cygwin project, it is fine. This might be the fingerprint listed on the project website transmitted through HTTPS (short key IDs are not enough!).

Furthermore, you could go along with "well, I cannot really validate the key now, but I'm still just playing with the software in a virtual machine or test device, and if no attack was announced in public or the key suddenly changes for some days or weeks, I'm fine". This concept would also be called trust-on-first-use: you don't really expect an attack or manipulated software, but want to be able to detect one in the future. Similarly, you could travel back in time; maybe you can already find references to the key on other installations or distributions.

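As an added example (not part of the question or the answer above), here is a small Python helper that applies the answer's pragmatic approach in code: it reads the machine-readable status lines that `gpg --status-fd 1 --verify` emits and accepts the download only if GOODSIG is accompanied by a VALIDSIG whose primary-key fingerprint equals a fingerprint pinned in advance (the full 40-digit fingerprint taken from the project's HTTPS site, never the short key ID). The sample status text is constructed to mirror the session in the question; `gpg_status` and `check_signature` are names chosen here, not GnuPG APIs.

```python
import re
import subprocess

# Full fingerprint from the question's `gpg --list-keys` output. Pin this, not
# the 16-digit key ID (A9A262FF676041BA): key IDs are trivially collidable.
PINNED_FPR = "1169DF9F22734F743AA59232A9A262FF676041BA"

# Constructed sample of `gpg --status-fd 1 --verify sig file` output for the
# scenario on this page (good signature, key not validated via web of trust).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 1169DF9F22734F743AA59232A9A262FF676041BA 2017-10-23 1508769866 0 4 0 17 2 00 1169DF9F22734F743AA59232A9A262FF676041BA
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def gpg_status(sig_path: str, file_path: str) -> str:
    """Run gpg and return its status lines (stdout); human text goes to stderr."""
    cmd = ["gpg", "--status-fd", "1", "--verify", sig_path, file_path]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def normalize_fpr(fpr: str) -> str:
    """Accept the spaced form gpg prints (1169 DF9F ...) or the compact form."""
    return re.sub(r"\s+", "", fpr).upper()


def check_signature(status_text: str, pinned_fpr: str):
    """Return (accepted, reason). GOODSIG only says a key with that ID verified;
    VALIDSIG carries the primary key fingerprint, which is what we compare."""
    good = False
    primary_fprs = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] == "VALIDSIG":
            # Last field is the primary key fingerprint (fields[2] may be a subkey).
            primary_fprs.append(fields[-1].upper())
        elif fields[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, f"gpg reported {fields[1]}"
    if not good:
        return False, "no GOODSIG line"
    if normalize_fpr(pinned_fpr) not in primary_fprs:
        return False, f"signed by {primary_fprs or 'unknown'}, not the pinned key"
    return True, "good signature from the pinned key"
```

The TRUST_UNDEFINED line is the status-fd form of the "not certified with a trusted signature" warning; the pinned-fingerprint comparison is what stands in for web-of-trust validation here.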