tl;dr: Don't use these files. Instead, fetch setup from https://cygwin.com

Discussion
==========

Obtaining a trustworthy setup executable is essential to secure Cygwin package
distribution.

https://cygwin.com/faq.html#faq.setup.install-security

If you uncritically use the files here, you are at the mercy of the mirror
being broken into and these files being replaced with subverted versions of
setup, which then in turn can silently fetch packages which have been tampered
with (or do arbitrary other bad things).

So, before using the files here, you should either:

A. Verify that the gpg signature is valid *and* made by an expected key:

  gpg --status-fd=1 --verify setup-x86_64.exe.sig setup-x86_64.exe | grep -q "^\\[GNUPG:\\] VALIDSIG XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

  where X is the SHA-XXX fingerprint of the signing key.

or,

B. Verify that the Authenticode signature is valid *and* made by an expected
   key.

  # Path to the downloaded setup executable
  $setupExe = '.\setup-x86_64.exe'
  $signature = Get-AuthenticodeSignature -FilePath $setupExe
  # Reject unless the signature validates AND the signer is the pinned certificate
  if ($signature.Status -ne 'Valid' -or $signature.SignerCertificate.GetCertHashString("SHA256") -ne 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') {
      throw "Invalid CodeSign signature on the downloaded setup!"
  }

  where X is the SHA256 fingerprint of the signing certificate.

The "an expected key" part is important: It's trivial to generate a key for gpg
signing, and nearly so to obtain a CodeSign certificate.

--------

tl;dr: Don't run random executables from the internet!
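
The check in option A, as an added example that is not part of the original README or the Cygwin project's own tooling. It goes slightly beyond the grep above: it exact-matches the pinned fingerprint against either the signing key or its primary key, and rejects status output that also carries BADSIG, ERRSIG, EXPSIG, EXPKEYSIG or REVKEYSIG. The function name validsig_by, the fingerprints and the status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a detached signature only if gpg's machine-readable
# status names the pinned key and reports nothing else wrong.
# Real use:
#   gpg --status-fd=1 --verify setup-x86_64.exe.sig setup-x86_64.exe 2>/dev/null |
#       validsig_by "$EXPECTED_FPR"

validsig_by() {
    # Normalise the pinned fingerprint: strip spaces, upper-case.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$want" in
        ''|*[!0-9A-F]*) return 2 ;;       # empty or not hex: refuse to guess
    esac
    [ "${#want}" -ge 40 ] || return 2     # short key IDs are not fingerprints

    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # Any of these makes the verdict untrustworthy, whatever else appears.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 = fingerprint of the signing (sub)key; when all 12 fields are
            # present, the last one is the fingerprint of its primary key.
            if (toupper($3) == want ||
                (NF >= 12 && toupper($NF) == want)) good = 1
        }
        END { exit !(good && !bad) }
    '
}

# Constructed sample data: made-up fingerprints and status lines.
PRIMARY=0123456789ABCDEF0123456789ABCDEF01234567
SUBKEY=FEDCBA9876543210FEDCBA9876543210FEDCBA98
OTHER=AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDD
OK_STATUS="[GNUPG:] GOODSIG 76543210FEDCBA98 Example Signer
[GNUPG:] VALIDSIG $SUBKEY 2024-01-01 1704067200 0 4 0 1 10 00 $PRIMARY"
REVOKED_STATUS="[GNUPG:] REVKEYSIG 76543210FEDCBA98 Example Signer
[GNUPG:] VALIDSIG $SUBKEY 2024-01-01 1704067200 0 4 0 1 10 00 $PRIMARY"

for fpr in "$PRIMARY" "$SUBKEY" "$OTHER"; do
    if printf '%s\n' "$OK_STATUS" | validsig_by "$fpr"; then
        echo "accept $fpr"
    else
        echo "reject $fpr"
    fi
done
```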