[clamav-users] GPG key where? (was: Re: GPG signature problem with clamav-0.99.2.tar.gz)
Tomasz Papszun
tomek-clam-users at lodz.tpsa.pl
Mon Jan 29 22:26:04 UTC 2018
On Fri, 30 Jun 2017 at 20:12:11 +0000, Joel Esler (jesler) wrote:
> Jim,
>
> Thanks. This looks like the vulndev key. The correct key is on the contact page of Talosintelligence.com.
>
> We'll take a look here.
Hi, Joel.
I went to http://www.clamav.net/downloads, got
http://www.clamav.net/downloads/production/clamav-0.99.3.tar.gz and
http://www.clamav.net/downloads/production/clamav-0.99.3.tar.gz.sig
and wanted to verify the tarball and compile ASAP - there are bugs in
0.99.2 after all.
For half an hour or so I tried to find the public key at various places:
Talosintelligence.com, Cisco.com, http://labs.snort.org/contact.html
(linked at
https://github.com/Cisco-Talos/clamav-faq/blob/master/faq/faq-upgrade.md),
a keyserver - all to no avail.
Where is the key?
>
> > On Jun 30, 2017, at 13:46, Jim Michaud <jjmichaud at constantcontact.com> wrote:
> >
> > I just downloaded clamav-0.99.2.tar.gz from
> > https://www.clamav.net/downloads and tried to check the signature
> > using the "Talos PGP Public Key" on the same page. It looks like it
> > was signed with a different public key.
> >
> > $ gpg --import ../Talos-PGP-Public-Key
> > gpg: key 0B3BB3A7: public key "vulndev at cisco.com <vulndev at cisco.com>" imported
> > gpg: Total number processed: 1
> > gpg: imported: 1 (RSA: 1)
> >
> > $ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz
> > gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA key ID 260429A0
> > gpg: Can't check signature: No public key
> >
> > I was able to do some digging and did find the key using
> > https://pgp.key-server.io/
> > (https://pgp.key-server.io/search/Talos+GPG+Key). However that key
> > expired in April 2017. I'm guessing someone needs to update the
> > signature file using the new public key.
> >
> > $ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz
> > gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA key ID 260429A0
> > gpg: Good signature from "Talos (Talos GPG Key) <research at sourcefire.com>"
> > gpg: Note: This key has expired!
> > Primary key fingerprint: F79F B2D0 8751 574C 5D3F DFFB B3D5 342C 2604 29A0
>
--
Tomasz Papszun | And it's only
tomek at lodz.tpsa.pl linkedin.com/in/tomaszpapszun | ones and zeros.
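
An added example, not part of either message in this thread and not ClamAV project tooling: a shell sketch that separates the outcomes seen in the quoted gpg session ("No public key", good signature from an expired key) from a good signature made by a pinned key, by reading gpg's machine-readable `--status-fd` lines. The function names are hypothetical, the status lines are constructed from the key ID and fingerprint quoted above, and pinning that fingerprint is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: classify `gpg --status-fd` output.
# Fingerprint quoted in the thread; pinning it is an illustrative assumption.
PINNED_FPR="F79FB2D08751574C5D3FDFFBB3D5342C260429A0"

# classify_status PIN   (reads status lines on stdin)
# Prints BAD, NO_PUBKEY, WRONG_KEY, EXPIRED_KEY, OK or UNKNOWN.
classify_status() {
    awk -v pin="$1" '
        $1 != "[GNUPG:]"  { next }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { nokey = 1 }
        $2 == "EXPKEYSIG" { expired = 1 }
        $2 == "GOODSIG"   { good = 1 }
        $2 == "VALIDSIG"  { fpr = $NF }   # last field: primary key fingerprint
        END {
            # Appending "" forces string (not numeric) comparison of hex.
            if (bad)                                    print "BAD"
            else if (nokey)                             print "NO_PUBKEY"
            else if (fpr != "" && (fpr "") != (pin "")) print "WRONG_KEY"
            else if (expired)                           print "EXPIRED_KEY"
            else if (good && (fpr "") == (pin ""))      print "OK"
            else                                        print "UNKNOWN"
        }'
}

# verify_release SIGFILE TARBALL (hypothetical helper; needs gpg installed)
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status "$PINNED_FPR"
}

# Constructed status lines (timestamps and algorithm fields are sample values).
KEYID="B3D5342C260429A0"
OTHER_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
VS_TAIL="2016-04-22 1461342332 0 4 0 17 2 00"
SAMPLE_NOKEY="[GNUPG:] ERRSIG $KEYID 17 2 00 1461342332 9
[GNUPG:] NO_PUBKEY $KEYID"
SAMPLE_EXPIRED="[GNUPG:] EXPKEYSIG $KEYID Talos (Talos GPG Key)
[GNUPG:] VALIDSIG $PINNED_FPR $VS_TAIL $PINNED_FPR"
SAMPLE_GOOD="[GNUPG:] GOODSIG $KEYID Talos (Talos GPG Key)
[GNUPG:] VALIDSIG $PINNED_FPR $VS_TAIL $PINNED_FPR"
SAMPLE_OTHER="[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA some other signer
[GNUPG:] VALIDSIG $OTHER_FPR $VS_TAIL $OTHER_FPR"

for s in "$SAMPLE_NOKEY" "$SAMPLE_EXPIRED" "$SAMPLE_GOOD" "$SAMPLE_OTHER"; do
    printf '%s\n' "$s" | classify_status "$PINNED_FPR"
done
```

Comparing the full fingerprint rather than the short key ID or the user ID string is the point: a "Good signature" line alone says nothing about whether the signing key is the one the project publishes.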