[clamav-users] GPG signature problem with clamav-0.99.2.tar.gz

Jim Michaud jjmichaud at constantcontact.com
Fri Jun 30 17:46:22 UTC 2017


I just downloaded clamav-0.99.2.tar.gz from
https://www.clamav.net/downloads and tried to check the signature
using the "Talos PGP Public Key" on the same page.  It looks like it
was signed with a different public key.


$ gpg --import ../Talos-PGP-Public-Key
gpg: key 0B3BB3A7: public key "vulndev at cisco.com <vulndev at cisco.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

$ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz
gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA key ID 260429A0
gpg: Can't check signature: No public key



I was able to do some digging and did find the key using
https://pgp.key-server.io/
(https://pgp.key-server.io/search/Talos+GPG+Key).  However, that key
expired in April 2017. I'm guessing someone needs to update the
signature file using the new public key.



$ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz
gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA key ID 260429A0
gpg: Good signature from "Talos (Talos GPG Key) <research at sourcefire.com>"
gpg: Note: This key has expired!
Primary key fingerprint: F79F B2D0 8751 574C 5D3F  DFFB B3D5 342C 2604 29A0
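
Added example, not part of the original post or of ClamAV's tooling: a shell function that reads the machine-readable status lines from `gpg --status-fd 1 --verify` and tells apart the two outcomes shown above (signing key missing from the keyring, good signature from an expired key) while checking the primary key fingerprint against a pinned value. The function names and the sample status lines are constructed for illustration; the fingerprint and key ID are the ones printed in the post.

```shell
#!/bin/sh
# Added example. Reads `gpg --status-fd 1 --verify SIG FILE` status lines on
# stdin and compares the primary key fingerprint with a pinned one ($1).
# Prints a verdict; returns 0 only for a good signature from the pinned,
# unexpired key. classify_status and the sample_* helpers are hypothetical names.
classify_status() {
    pinned=$1 sig=none fpr= missing=
    while read -r tag kw a1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            GOODSIG)          sig=good ;;
            EXPKEYSIG)        sig=good-but-key-expired ;;
            EXPSIG|REVKEYSIG) sig=expired-or-revoked ;;
            BADSIG)           sig=bad-signature ;;
            NO_PUBKEY)        missing=$a1 ;;
            # Last VALIDSIG field is the primary key fingerprint; fall back
            # to the signing key fingerprint if it is absent.
            VALIDSIG)         fpr=${rest##* }; [ -n "$fpr" ] || fpr=$a1 ;;
        esac
    done
    if [ "$sig" = none ]; then
        # Nothing was verified: either the key is not in the keyring or
        # gpg produced no signature status at all.
        if [ -n "$missing" ]; then echo "no-public-key:$missing"; else echo unverified; fi
        return 2
    fi
    if [ "$sig" = bad-signature ]; then echo "$sig"; return 1; fi
    # A "good" signature only matters if it comes from the key you expected.
    if [ "$fpr" != "$pinned" ]; then echo "unexpected-key:${fpr:-unknown}"; return 1; fi
    echo "$sig"
    [ "$sig" = good ]
}

# Constructed status lines modelled on the two runs in the post
# (not captured gpg output; algorithm fields are placeholders).
sample_key_not_imported() {
    cat <<'EOF'
[GNUPG:] NO_PUBKEY B3D5342C260429A0
EOF
}
sample_expired_key() {
    cat <<'EOF'
[GNUPG:] EXPKEYSIG B3D5342C260429A0 Talos (Talos GPG Key) <research at sourcefire.com>
[GNUPG:] VALIDSIG F79FB2D08751574C5D3FDFFBB3D5342C260429A0 2016-04-22 1461342332 0 4 0 17 2 00 F79FB2D08751574C5D3FDFFBB3D5342C260429A0
EOF
}
```

In real use, pipe the output of `gpg --status-fd 1 --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz` into `classify_status`, passing a fingerprint obtained over a channel you trust rather than one copied from a keyserver search result.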


