tl;dr: Don't use these files. Instead, fetch setup from https://cygwin.com

Discussion
==========

Obtaining a trustworthy setup executable is essential to secure Cygwin
package distribution.

https://cygwin.com/faq.html#faq.setup.install-security

If you uncritically use the files here, you are at the mercy of the mirror
you fetched them from.

For example, the mirror could have been broken into and these files replaced
with a subverted version of setup, which in turn can silently fetch packages
which have been tampered with (or do arbitrary other bad things).

So, before using the files here, you should either:

A. Verify that the gpg signature is valid *and* made by an expected key:

    gpg --status-fd=1 --verify setup-x86_64.exe.sig setup-x86_64.exe | grep -q "^\\[GNUPG:\\] VALIDSIG XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

   where XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is the SHA-1 fingerprint of
   the signing key.

or,

B. Verify that the Authenticode signature is valid *and* made by an expected
   key.

    $signature = Get-AuthenticodeSignature -FilePath $setupExe
    if ($signature.Status -ne 'Valid' -or $signature.SignerCertificate.GetCertHashString("SHA256") -ne 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') {
        throw "Invalid CodeSign signature on the downloaded setup!"
    }

   where XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is
   the SHA256 fingerprint of the signing certificate.

The "an expected key" part is important here: It's trivial to generate a key
for gpg signing, and nearly so to obtain a CodeSign certificate.

Now that you've read and understood all the above, the passphrase for
unzipping the archive is 'I understand and accept the risks'.

--------

tl;dr: Don't run random executables from the internet!
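
--------

The check in option A, as an added example that is not part of the original README or of the Cygwin project: a shell function that reads gpg's --status-fd output and accepts only a VALIDSIG line naming the pinned fingerprint. It goes beyond the one-liner by normalizing the pin, refusing anything shorter than a full 40-digit fingerprint, and also accepting a match on the primary-key fingerprint field; the function names, sample status lines and fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Cygwin project). Fingerprints are constructed.

# Canonical form of a fingerprint: no blanks, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'abcdef' 'ABCDEF'
}

# check_validsig PIN   (gpg --status-fd output on stdin)
# 0: a VALIDSIG line names PIN as signing key (field 3) or primary key (field 12)
# 1: no such line   2: PIN is not a full 40-hex-digit fingerprint
check_validsig() {
    want=$(normalize_fpr "$1")
    # A short or long key ID is not a pin: demand the whole fingerprint.
    case $want in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $12 == want) { ok = 1 }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed status output for a good signature made by a signing subkey.
sample_status() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.invalid>' \
        '[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF'
}

# Real use (flags as in option A above):
#   gpg --status-fd=1 --verify setup-x86_64.exe.sig setup-x86_64.exe | check_validsig "$PIN"
if sample_status | check_validsig '89ABCDEF0123456789ABCDEF0123456789ABCDEF'; then
    echo 'signature is valid and made by the pinned key'
fi
```

A GOODSIG line alone never satisfies the check: it only says the signature verifies against some key in the keyring, not that the key is the one you pinned.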