[clamav-users] GPG key where? (was: Re: GPG signature problem with clamav-0.99.2.tar.gz)

Joel Esler (jesler) jesler at cisco.com
Mon Jan 29 23:28:42 UTC 2018


That's the correct one, thank you Scott.

--
Joel Esler | Talos: Manager | jesler at cisco.com<mailto:jesler at cisco.com>






On Jan 29, 2018, at 6:13 PM, SCOTT PACKARD <Scott.Packard at raytheon.com<mailto:Scott.Packard at raytheon.com>> wrote:

https://talosintelligence.com/about  click on box "Talos PGP Public Key".
Maybe that one works?  If it was its own URL I'd include it, but it looks like it's javascript, in the same page.

Regards, Scott

-----Original Message-----
From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On Behalf Of Tomasz Papszun
Sent: Monday, January 29, 2018 2:26 PM
To: clamav-users at lists.clamav.net<mailto:clamav-users at lists.clamav.net>
Subject: [External] [clamav-users] GPG key where? (was: Re: GPG signature problem with clamav-0.99.2.tar.gz)

On Fri, 30 Jun 2017 at 20:12:11 +0000, Joel Esler (jesler) wrote:
Jim,

Thanks.  This look like the vulndev key.  The correct key is on the contact page of Talosintelligence.com<http://Talosintelligence.com>.

We'll take a look here.

Hi, Joel.

I went to http://www.clamav.net/downloads, got
http://www.clamav.net/downloads/production/clamav-0.99.3.tar.gz  and
http://www.clamav.net/downloads/production/clamav-0.99.3.tar.gz.sig
and wanted to verify the tarball and compile ASAP - there are bugs in
0.99.2 after all.

For half an hour or so I tried to find the public key at various places:

Talosintelligence.com, Cisco.com, http://labs.snort.org/contact.html
(linked at
https://github.com/Cisco-Talos/clamav-faq/blob/master/faq/faq-upgrade.md),
a keyserver - all to no avail.

Where is the key?



On Jun 30, 2017, at 13:46, Jim Michaud <jjmichaud at constantcontact.com> wrote:

I just downloaded clamav-0.99.2.tar.gz from
https://www.clamav.net/downloads and tried to check the signature
using the "Talos PGP Public Key" on the same page.  It looks like it
was signed with a different public key.

$ gpg --import ../Talos-PGP-Public-Key
gpg: key 0B3BB3A7: public key "vulndev at cisco.com <vulndev at cisco.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

$ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz
gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA key ID 260429A0
gpg: Can't check signature: No public key

I was able to do some digging and did find the key using
https://pgp.key-server.io/
(https://pgp.key-server.io/search/Talos+GPG+Key).  However that key
expired in April 2017. I'm guessing someone needs to update the
signature file using the new public key.

$ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz
gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA key ID 260429A0
gpg: Good signature from "Talos (Talos GPG Key) <research at sourcefire.com>"
gpg: Note: This key has expired!
Primary key fingerprint: F79F B2D0 8751 574C 5D3F  DFFB B3D5 342C 2604 29A0


--
Tomasz Papszun                                      | And it's only
tomek at lodz.tpsa.pl linkedin.com/in/tomaszpapszun | ones and zeros.
_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net<mailto:clamav-users at lists.clamav.net>
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml




More information about the clamav-users mailing list