Bad GPG signature warnings again #80

Open
FlyingFathead opened this issue Jul 6, 2021 · 2 comments

FlyingFathead commented Jul 6, 2021

Hi,

Had to grab Cygwin for development purposes on Windows and noticed that this was among the most up-to-date forks of apt-cyg. However, the GPG signatures are broken, once again (this seems to have been the problem years ago already, i.e. #25):

gpg: assuming signed data in `setup.bz2'
gpg: Signature made Mon Jul  5 21:04:09 2021 IDT using RSA key ID E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5640 5CF6 FCC8 1574 682A  5D56 1A69 8DE9 E2E5 6300

I found only one reference to the RSA key ID and it too seemed to have originated from the odditudes of Cygwin itself. [ Link ]

All help/advice appreciated. Thanks.

Owner

kou1okada commented Jul 8, 2021

It's working and correct behavior.
The cygwin public key with the fingerprint "5640 5CF6 FCC8 1574 682A 5D56 1A69 8DE9 E2E5 6300" is still available for validating products by Cygwin.
The "WARNING:" above means that the cygwin public key is not signed by any trusted key.

If you do not want to be warned about it, do the following steps:

First, make your key pair:

GNUPGHOME="$(apt-cyg pathof cache)/.apt-cyg" gpg --gen-key

Second, sign the cygwin public key with your secret key:

GNUPGHOME="$(apt-cyg pathof cache)/.apt-cyg" gpg --sign-key E2E56300
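
Added example, not part of the thread or of apt-cyg: `E2E56300` is a short key ID, so this sketch checks that it resolves to exactly one key with the full fingerprint quoted above before certifying it. It uses `--lsign-key` (a local, non-exportable signature) in place of `--sign-key`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The fingerprint is the one quoted in this thread, spaces removed.
EXPECTED_FPR="56405CF6FCC81574682A5D561A698DE9E2E56300"

# Print the fingerprint of every primary key in a `gpg --with-colons` listing
# read from stdin: the first "fpr" record after each "pub" record, field 10.
# Subkey fingerprints (the "fpr" after a "sub" record) are skipped.
primary_fprs() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if the listing on stdin holds exactly one primary key and its
# fingerprint equals $1. Two keys sharing a short ID fail this check.
listing_is_pinned() {
  fprs=$(primary_fprs)
  [ "$(printf '%s\n' "$fprs" | grep -c .)" -eq 1 ] && [ "$fprs" = "$1" ]
}

# Certify the key in apt-cyg's keyring only after the fingerprint check passes.
sign_cygwin_key() {
  GNUPGHOME="$(apt-cyg pathof cache)/.apt-cyg"
  export GNUPGHOME
  if gpg --with-colons --fingerprint E2E56300 | listing_is_pinned "$EXPECTED_FPR"; then
    # Address the key by full fingerprint, not by the short ID.
    gpg --lsign-key "$EXPECTED_FPR"
  else
    echo "key E2E56300 does not resolve to the expected fingerprint" >&2
    return 1
  fi
}
```

Source the file and call `sign_cygwin_key` after the key pair from the first step exists.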

Author

FlyingFathead commented Jul 14, 2021

It's working and correct behavior.

Ah, okay, thanks a lot! I thought the other thread was speaking of something related to apt-cyg's / Cygwin's pairing on that frontier being an unsafe practice, maybe I read it wrong in haste or misunderstood it... Cheers!
