Cygwin setup error

Brian Inglis Brian.Inglis@SystematicSw.ab.ca
Tue Apr 21 22:07:02 GMT 2020 

On 2020-04-21 12:33, Marco Atzeri via Cygwin wrote:
> Am 21.04.2020 um 18:08 schrieb Antonio Cesar Rosa:
>> I do not think so. See the output from Virustotal:
>> 2431de4597a2162f3e1d60af90f638b41677265b07cc66fcb0231fdde452c841
>> setup-x86_64.exe 1.29 MB 2020-04-21 00:31:19 UTC
>> Size
>> 15 hours ago
>> 64bits direct-cpu-clock-access overlay peexe runtime-modules
>> DETECTION DETAILS BEHAVIOR COMMUNITY
>> SecureAge APEX Malicious MaxSecure Trojan.Malware.300983.susgen
>> Lastline MALWARE Acronis Undetected

Scoring 2[.5]/71 is not exactly a threatening consensus - believe the 69 and
ignore the 2[.5].
The URL check has eight more checkers excluding the three false positives score
0/80.
Many AVs use "heuristic/WAG" approaches which often give false positives on
installers.
This group probably sees about one false positive a month, but I don't ever
recall a real issue in about/over ten years.

> please reply on mailing list in copy.
> Virus Total with the URL https://cygwin.com/setup-x86_64.exe
> gives all clean.
> If you have a different result. likely you have a tampered file.
> And using the signature available on
> https://cygwin.com/install.html
> we also have:
> $ gpg2 --verify setup-x86_64.exe.sig
> gpg: assuming signed data in 'setup-x86_64.exe'
> gpg: Signature made Sat, Mar 21, 2020  6:35:25 PM CET
> gpg:                using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
> gpg: checking the trustdb
> gpg: marginals needed: 3  completes needed: 1  trust model: pgp
> gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
> gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
> gpg: next trustdb check due at 2022-02-26
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [ultimate]
> gpg: Signature made Sat, Mar 21, 2020  6:35:25 PM CET
> gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]

$ TZ=UTC wget -N http://cygwin.com/setup-x86{_64,}.exe{.sig,}
2020-04-21 21:26:37 URL:http://cygwin.com/setup-x86_64.exe.sig [661/661] ->
"setup-x86_64.exe.sig" [1]
2020-04-21 21:26:38 URL:http://cygwin.com/setup-x86_64.exe [1352723/1352723] ->
"setup-x86_64.exe" [1]
2020-04-21 21:26:38 URL:http://cygwin.com/setup-x86.exe.sig [661/661] ->
"setup-x86.exe.sig" [1]
2020-04-21 21:26:41 URL:http://cygwin.com/setup-x86.exe [1248787/1248787] ->
"setup-x86.exe" [1]
FINISHED --2020-04-21 21:26:41--
Total wall clock time: 4.4s
Downloaded: 4 files, 2.5M in 2.2s (1.12 MB/s)
$ TZ=UTC ls -glo --full setup-x86{_64,}.exe{.sig,}
-rw-r--r--+ 1 1248787 2020-03-21 17:28:48.000000000 +0000 setup-x86.exe
-rw-r--r--+ 1     661 2020-03-21 17:29:04.000000000 +0000 setup-x86.exe.sig
-rw-r--r--+ 1 1352723 2020-03-21 17:35:04.000000000 +0000 setup-x86_64.exe
-rw-r--r--+ 1     661 2020-03-21 17:35:25.000000000 +0000 setup-x86_64.exe.sig
$ TZ=UTC sha256sum setup-x86{_64,}.exe{.sig,}
9e99b618cf6cf0e7a6efac9bff2028acebdb44fd552407e4cb7839f0867b035e
*setup-x86_64.exe.sig
2431de4597a2162f3e1d60af90f638b41677265b07cc66fcb0231fdde452c841 *setup-x86_64.exe
c7b45a34a0ef18b409a385c7157fd7bb68a799148c212bab74037e0438f5addb *setup-x86.exe.sig
d218a41a45fcec581affd0e1ccc66011aa06a3a9b299576104546074e8480064 *setup-x86.exe
$ TZ=UTC gpg2 --verify setup-x86_64.exe{.sig,}
gpg: Signature made 2020 Mar 21 Sat 17:35:25 UTC
gpg:                using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
gpg: Signature made 2020 Mar 21 Sat 17:35:25 UTC
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ TZ=UTC gpg2 --verify setup-x86.exe{.sig,}
gpg: Signature made 2020 Mar 21 Sat 17:29:04 UTC
gpg:                using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
gpg: Signature made 2020 Mar 21 Sat 17:29:04 UTC
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]

Same files from a month ago with same digests and signatures.
Many have downloaded and used it in that timeframe for dozens of package
installs and upgrades with no issues or reports before yours.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

More information about the Cygwin mailing list