[clamav-users] ClamAV® blog: ClamAV 0.103.2 security patch release

Joel Esler (jesler) jesler at cisco.com
Wed Apr 14 13:54:26 UTC 2021


I understand the request.  The new key is signed with the old key already.

> On Apr 14, 2021, at 9:42 AM, Andrew C Aitchison <clamav at aitchison.me.uk> wrote:
> 
> 
> Joel,
> 
> You can add a direct link to the PGP key now as this is completely independent
> of the released packages.
> 
> Better yet would be to
> 1) Sign the new key with the old one (which doesn't actually expire until Monday)
> 2) Get other (public domain) software people to sign your key.
> This assumes that you can get the key to them and the signature back
> in a way that satisfies both of you that they really came from the person
> they claim to be ...
> 
> 3) Put the key (presumably with the signatures above)
> on some of the public keyservers, eg
>  https://pgp.mit.edu/
>  https://keyserver.ubuntu.com/
> 
> If a software package is signed with an unsigned key and the key and
> the package are put on the same webserver there is no advantage to users
> over just giving an MD5 or SHA checksum - we have no way of measuring
> the trust in the key.
> By getting other known parties (including the old key's owner)
> to sign the new key, we have some idea that the new key can be trusted
> and was not put up by a malicious webmaster - possibly of a spoof website.
> 
> Thanks,
> 
> On Wed, 7 Apr 2021, Joel Esler (jesler) via clamav-users wrote:
> 
>> We’ll look into that for a future update.
>> 
>> Sent from my iPhone
>> 
>>> On Apr 7, 2021, at 16:58, Arjen de Korte via clamav-users <clamav-users at lists.clamav.net> wrote:
>>> 
>>> Citeren "Joel Esler (jesler) via clamav-users" <clamav-users at lists.clamav.net>:
>>> 
>>>> It’s available on the webpage.
>>> 
>>> I already wrote that I know it is available from the website. I need to update the stored keyring in openSUSE Factory, which needs a backlink to the origin. Rather than downloading https://www.clamav.net/downloads and trimming the HTML code, a straight download link for the keyfile would make it easier to verify it.
>>> 
>>>>>> On Apr 7, 2021, at 4:29 PM, Arjen de Korte via clamav-users <clamav-users at lists.clamav.net> wrote:
>>>>> 
>>>>> Citeren "Joel Esler (jesler) via clamav-users" <clamav-users at lists.clamav.net>:
>>>>> 
>>>>> It seems the package is now signed with a different PGP key. Is there a location from where I can directly download the public key, rather than copying it from the webpage?
>>>>> 
>>>>> Best regards, Arjen
> 
> -- 
> Andrew C. Aitchison          Kendal, UK
>             andrew at aitchison.me.uk
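A small checker for the point Andrew makes about measuring trust in a new key, added here as an illustration and not part of the thread or of ClamAV's tooling: it parses `gpg --with-colons --check-sigs <KEYID>` output for the newly published key and reports which already-trusted keys (the old release key, other known parties) have certified it, ignoring self-signatures and signatures gpg could not verify. The key IDs, user IDs and the listing itself are constructed placeholders, not ClamAV's real keys.

```python
"""Assess how much trust a newly published PGP key has earned.

Reads the colon-delimited output of `gpg --with-colons --check-sigs KEYID`
and counts certifications (sig classes 0x10-0x13) made by keys the caller
already trusts. A key that only carries its own self-signature scores zero:
as the thread notes, that is no stronger than a checksum hosted next to
the package.
"""

# Constructed sample listing (placeholder key IDs, not real ones).
# Field layout per gpg DETAILS: 1=type 2=validity 5=key ID 10=user ID 11=sig class.
SAMPLE_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1617000000:1680000000::u:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111AAAAAAAAAAAAAAAA:
uid:u::::1617000000::0000000000000000000000000000000000000000::Example Project Signing Key <release@example.invalid>::::::::::0:
sig:!::1:AAAAAAAAAAAAAAAA:1617000000::::Example Project Signing Key <release@example.invalid>:13x:::::2:
sig:!::1:BBBBBBBBBBBBBBBB:1617100000::::Example Project Old Key <old@example.invalid>:13x:::::2:
sig:!::1:CCCCCCCCCCCCCCCC:1617200000::::Some Stranger <stranger@example.invalid>:10x:::::2:
sig:-::1:DDDDDDDDDDDDDDDD:1617300000::::Tampered Cert <bad@example.invalid>:13x:::::2:
"""

CERT_CLASSES = ("10", "11", "12", "13")  # generic, persona, casual, positive cert


def parse_listing(text):
    """Return (key_id, [(validity, signer_key_id, sig_class, signer_uid), ...])."""
    key_id, sigs = None, []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key_id = f[4]
        elif f[0] == "sig" and len(f) > 10:
            sigs.append((f[1], f[4], f[10], f[9]))
    return key_id, sigs


def external_certifiers(key_id, sigs, trusted):
    """Trusted key IDs that have verifiably certified key_id (self-sigs excluded)."""
    found = set()
    for validity, signer, sig_class, _uid in sigs:
        if signer == key_id:
            continue                      # self-signature says nothing about who holds the key
        if validity not in ("", "!"):
            continue                      # '-' bad, '%' error, '?' signer key unknown
        if sig_class[:2] in CERT_CLASSES and signer in trusted:
            found.add(signer)
    return found


def assess(listing, trusted, minimum=1):
    """True if at least `minimum` distinct trusted parties certified the key."""
    key_id, sigs = parse_listing(listing)
    certs = external_certifiers(key_id, sigs, trusted)
    return len(certs) >= minimum, certs


if __name__ == "__main__":
    ok, who = assess(SAMPLE_LISTING, trusted={"BBBBBBBBBBBBBBBB"})
    print("trusted certifiers:", sorted(who), "->", "OK" if ok else "INSUFFICIENT")
```

Feed it the real listing with `gpg --with-colons --check-sigs <NEWKEY>` after importing both keys; only the old key's ID (and any other parties you already trust) belong in `trusted`.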
