Index of /cygwin/setup
Name Last modified Size
setup.zip 2026-01-07 16:59 2.7M
sha512.sum 2026-01-07 17:14 277
tl;dr:
Don't use these files. Instead, fetch setup from https://cygwin.com
Discussion
==========
Obtaining a trustworthy setup executable is essential to secure Cygwin package
distribution.
https://cygwin.com/faq.html#faq.setup.install-security
If you uncritically use the files here, you are at the mercy of the mirror
being broken into and these files being replaced with subverted versions of
setup, which then in turn can silently fetch packages which have been tampered
with (or do arbitrary other bad things).
So, before using the files here, you should either:
A. Verify that the gpg signature is valid *and* made by an expected key:

    gpg --status-fd=1 --verify setup-x86_64.exe.sig setup-x86_64.exe | grep -q "^\\[GNUPG:\\] VALIDSIG XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

   where X is the SHA-XXX fingerprint of the signing key.

or,

B. Verify that the Authenticode signature is valid *and* made by an expected
   key:

    # $setupExe holds the path to the downloaded setup executable
    $signature = Get-AuthenticodeSignature -FilePath $setupExe
    if ($signature.Status -ne 'Valid' -or $signature.SignerCertificate.GetCertHashString("SHA256") -ne 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') {
        throw "Invalid CodeSign signature on the downloaded setup!"
    }

   where X is the SHA256 fingerprint of the signing certificate.

The "an expected key" part is important: It's trivial to generate a key for gpg
signing, and nearly so to obtain a CodeSign certificate.
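
Added example (not part of the original README or of Cygwin's tooling): option A written as a shell function that parses the gpg status output instead of grepping it. It goes beyond the one-line check by also requiring GOODSIG and rejecting BADSIG, ERRSIG, EXPSIG, EXPKEYSIG and REVKEYSIG lines; the function names, fingerprints and sample status lines are constructed placeholders.

```shell
#!/bin/sh
# Added example. All fingerprints and status lines here are constructed
# placeholders, not real Cygwin signing keys or real gpg output.
EXPECTED_FPR=0123456789ABCDEF0123456789ABCDEF01234567
OTHER_FPR=FEDCBA9876543210FEDCBA9876543210FEDCBA98

# check_status FPR: reads `gpg --status-fd=1 --verify` output on stdin and
# returns 0 only for exactly one good signature made by key FPR.
check_status() {
    expected=$1
    # Demand a full 40-hex-digit fingerprint so that an empty variable or a
    # short key ID can never be accepted as "the expected key".
    case $expected in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2

    good=0 valid=0 hits=0
    while read -r tag keyword arg _rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            # Stricter than the grep above: any of these fails the check.
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            GOODSIG) good=$((good + 1)) ;;
            VALIDSIG)
                valid=$((valid + 1))
                # First VALIDSIG argument: fingerprint of the signing key.
                if [ "$arg" = "$expected" ]; then hits=$((hits + 1)); fi ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$valid" -eq 1 ] && [ "$hits" -eq 1 ]
}

# sample_status FPR: constructed status output for a signature made by FPR.
sample_status() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG $1 Constructed Signer <signer@example.invalid>" \
        "[GNUPG:] VALIDSIG $1 2026-01-07 1767805140 0 4 0 1 10 00 $1"
}

# Real use (file names as in the command above):
#   gpg --status-fd=1 --verify setup-x86_64.exe.sig setup-x86_64.exe \
#       | check_status "$EXPECTED_FPR" || exit 1
```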
--------
tl;dr: Don't run random executables from the internet!