# B14 — scripts/installCygwin.ps1: Cygwin installer + mirror over plain HTTP

Bug ref      : always.md B.14 ; pharo.md §7
Severity     : CRITICAL (Windows build-time RCE if cygwin.com is MITM'd)
File         : scripts/installCygwin.ps1
Lines (HEAD) : 7-10 (`$installerURL`, `$cygwinMirror`)

## Problem

```powershell
$installerURL  = "http://cygwin.com/$installerName"
$cygwinMirror  = "http://cygwin.mirror.constant.com"
```

Both the cygwin installer and the package mirror are fetched over
plain HTTP. The downloaded installer is then executed with broad
admin permissions on the Windows CI runner.

## Fix

Switch to HTTPS. cygwin.com serves HTTPS; pick an HTTPS mirror from
the official mirror list.

```diff
diff --git a/scripts/installCygwin.ps1 b/scripts/installCygwin.ps1
index aaacd234f..596694f67 100644
--- a/scripts/installCygwin.ps1
+++ b/scripts/installCygwin.ps1
@@ -4,14 +4,14 @@ $ErrorActionPreference = 'stop'
 # Parse some arguments and set some variables.
 $installerName = $args[0]
 $cygwinArch = $args[1]
-$installerURL = "http://cygwin.com/$installerName"
+$installerURL = "https://cygwin.com/$installerName"
 $cygwinRoot = 'c:\cygwin'
-$cygwinMirror ="http://cygwin.mirror.constant.com"
+$cygwinMirror ="https://mirrors.kernel.org/sourceware/cygwin/"
 
 if($installerName -eq $null)
  {
 	 $thisScript = $MyInvocation.MyCommand.Name
-     Write-Host "Cygwin installer name is not specified. Please choose an appropriate name based on http://cygwin.com/<installer_name>
+     Write-Host "Cygwin installer name is not specified. Please choose an appropriate name based on https://cygwin.com/<installer_name>
 For example:
 	$thisScript setup-x86_64.exe <arch>"
 	 exit 1
```
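
Review bot: the new `$cygwinMirror` value on the `+` line ends in a trailing slash (`.../sourceware/cygwin/`) where the old value had none. The code that consumes `$cygwinMirror` is outside this hunk, so confirm it does not append a path and produce `//`, or drop the slash so that only the scheme and host change. The hunk also leaves the setup invocation untouched, so a `-q` removal would need its own hunk. Minor style point: `$cygwinMirror ="..."` keeps the missing space after `=`, unlike the `$installerURL = "..."` line above it.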

Additionally, drop `-q` from the cygwin setup invocation so signature
warnings are no longer suppressed (see B24).

## Test plan

- Run the Windows GitHub Actions job; verify cygwin install
  succeeds end-to-end.
- Replace the mirror with a non-existent HTTPS host: install fails
  with a clear network error rather than silently picking up a
  different server.
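
A regression guard that could sit beside this test plan, as an added example that is not part of the original script or the project: it tokenizes a script with the PowerShell parser and reports any plain-HTTP URL left in a string. `Find-PlainHttpUrl` is a hypothetical helper name, and the sample inputs are constructed from the lines quoted above.

```powershell
# Added example. Find-PlainHttpUrl is a hypothetical helper, not part of the repo.
function Find-PlainHttpUrl {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null
    $errors = $null
    # Tokenize with the PowerShell parser so that comments are skipped and only
    # string tokens (quoted strings, here-strings, bare arguments) are inspected.
    [void][System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    foreach ($token in $tokens) {
        if ($token -isnot [System.Management.Automation.Language.StringToken]) { continue }
        foreach ($match in [regex]::Matches($token.Value, '(?i)\bhttp://[^\s"''<>]+')) {
            [pscustomobject]@{
                Line = $token.Extent.StartLineNumber
                Url  = $match.Value
            }
        }
    }
}

# Constructed sample input: the two assignments quoted in the Problem section,
# plus a comment line that must not be reported.
$before = @'
# upstream docs: http://cygwin.com/
$installerURL = "http://cygwin.com/$installerName"
$cygwinMirror = "http://cygwin.mirror.constant.com"
'@

# Constructed sample input: the same assignments with the values from the fix.
$after = @'
$installerURL = "https://cygwin.com/$installerName"
$cygwinMirror = "https://mirrors.kernel.org/sourceware/cygwin/"
'@

$beforeHits = @(Find-PlainHttpUrl -ScriptText $before)
$afterHits  = @(Find-PlainHttpUrl -ScriptText $after)
$beforeHits | Format-Table -AutoSize

# In CI, pass (Get-Content -Raw scripts/installCygwin.ps1) and fail on any hit.
if ($beforeHits.Count -ne 2 -or $afterHits.Count -ne 0) {
    throw "plain-HTTP URL check did not behave as expected"
}
```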

## Risk notes

- mirrors.kernel.org is one of the long-running, official Cygwin
  mirrors and supports HTTPS. Any HTTPS-supporting mirror from the
  upstream mirror list is acceptable.
- The change is configuration only; Cygwin install behaviour is
  otherwise unchanged.
