tl;dr: Don't use these files. Instead, fetch setup from https://cygwin.com

Discussion
==========

Obtaining a trustworthy setup executable is essential to secure Cygwin package
distribution.

    https://cygwin.com/faq.html#faq.setup.install-security

If you uncritically use the files here, you are at the mercy of the mirror you
fetched them from: if it has been broken into and these files replaced with
something containing a subverted version of setup, that setup can in turn
silently fetch packages which have been tampered with (or do arbitrary other
bad things).

So, before using the files here, you should either:

A. Verify that the gpg signature is valid *and* made by an expected key:

    gpg --status-fd=1 --verify setup-x86_64.exe.sig setup-x86_64.exe | grep -q "^\\[GNUPG:\\] VALIDSIG XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

   where X is the SHA-XXX fingerprint of the signing key. Matching the VALIDSIG
   status line rather than gpg's exit status matters: gpg exits 0 with "Good
   signature" for any key in your keyring, so only the fingerprint check ties
   the signature to the key you actually expect.

or,

B. Verify that the Authenticode signature is valid *and* made by an expected key:

    $setupExe = 'setup-x86_64.exe'   # path to the downloaded setup
    $signature = Get-AuthenticodeSignature -FilePath $setupExe
    if ($signature.Status -ne 'Valid' -or $signature.SignerCertificate.GetCertHashString("SHA256") -ne 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') {
        throw "Invalid CodeSign signature on the downloaded setup!"
    }

   where X is the SHA256 fingerprint of the signing certificate. The
   GetCertHashString("SHA256") overload exists in PowerShell 7 (.NET Core /
   .NET 5+); Windows PowerShell 5.1 only has the parameterless form, which
   returns the SHA-1 thumbprint, so pin the corresponding value there.

The "an expected key" part is important: it's trivial to generate a key for gpg
signing, and nearly so to obtain a CodeSign certificate.

Now that you've read and understood all the above, the passphrase for unzipping
the archive is 'I understand and accept the risks'.

--------

tl;dr: Don't run random executables from the internet!
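As an added example (not part of this README or of Cygwin's own tooling), a small Python checker that applies the rule from option A to the `--status-fd` output of gpg: it parses the machine-readable status lines, rejects on any BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG/NO_PUBKEY, and accepts only when a VALIDSIG line names a pinned fingerprint (the signing key, or the primary key that VALIDSIG carries as its last field). The fingerprints and status output below are constructed placeholders; the real fingerprint must come from cygwin.com, not from the mirror.

```python
import re
# Constructed placeholder fingerprint; the real one must come from cygwin.com,
# never from the mirror that served the files being checked.
EXPECTED_FINGERPRINTS = {"1111111111111111111111111111111111111111"}
# Status keywords meaning a signature on the file did not verify cleanly.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

def _norm(fpr):
    """Normalise a fingerprint for comparison: drop spaces, upper-case hex."""
    return fpr.replace(" ", "").upper()

def parse_status(status_text):
    """Turn `gpg --status-fd` output into (keyword, args) pairs; skip other lines."""
    parsed = []
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            parsed.append((m.group(1), (m.group(2) or "").split()))
    return parsed

def signed_by_expected_key(status_text, expected=EXPECTED_FINGERPRINTS):
    """True only if no signature failed and some VALIDSIG names a pinned key.
    VALIDSIG field 1 is the signing key's fingerprint and optional field 10 the
    primary key's, so either may be pinned. gpg exit status 0 / "Good signature"
    alone is not enough: any key in the keyring gives that, which is exactly what
    a subverted mirror relies on.
    """
    expected = {_norm(f) for f in expected}
    matched = False
    for keyword, args in parse_status(status_text):
        if keyword in FAILURE_KEYWORDS:
            return False
        if keyword == "VALIDSIG" and args:
            fprs = {_norm(args[0])}
            if len(args) >= 10:
                fprs.add(_norm(args[9]))
            if fprs & expected:
                matched = True
    return matched

# Constructed status output: a good signature from the expected key.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2024-01-01 1704067200 0 4 0 1 10 00 1111111111111111111111111111111111111111
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Constructed: also a "good" signature, but made by some other key in the keyring.
OTHER_KEY_STATUS = GOOD_STATUS.replace("1" * 40, "2" * 40).replace("1" * 16, "2" * 16)
```

In practice the status text is what `gpg --status-fd=1 --verify setup-x86_64.exe.sig setup-x86_64.exe` writes to stdout, and the pinned set holds the fingerprint published on cygwin.com.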