This is the mail archive of the cygwin-apps mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[PATCH setup draft 2/4] Insist on cygwin signing key for official mirrors

From: Ken Brown <kbrown at cornell dot edu>
To: cygwin-apps at cygwin dot com
Date: Mon, 11 Dec 2017 16:41:34 -0500
Subject: [PATCH setup draft 2/4] Insist on cygwin signing key for official mirrors
Authentication-results: sourceware.org; auth=none
References: <20171211214136.6500-1-kbrown@cornell.edu>

If a mirror comes from mirrors.lst, validate the signature using the
cygwin signing key only.
---
 ini.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ini.cc b/ini.cc
index 18ab2e3..4be8263 100644
--- a/ini.cc
+++ b/ini.cc
@@ -292,8 +292,12 @@ do_remote_ini (HWND owner)
 	  current_ini_sig_name = current_ini_name + ".sig";
 	  ini_sig_file = get_url_to_membuf (current_ini_sig_name, owner);
 	  ini_file = get_url_to_membuf (current_ini_name, owner);
+
+	  // Official mirrors must be signed by the cygwin key.
+	  bool main_key_only = n->from_mirrors_lst;
 	  ini_file = check_ini_sig (ini_file, ini_sig_file, sig_fail,
-				    n->url.c_str (), current_ini_sig_name.c_str (), owner);
+				    n->url.c_str (), current_ini_sig_name.c_str (), owner, main_key_only);
+
 	  // stop searching as soon as we find a setup file
 	  if (ini_file)
 	    break;
-- 
2.15.1

References:
- [PATCH setup draft 0/4] Improve setup.ini validation
  - From: Ken Brown

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]