Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. ClamAV>
  3. users
GPG signature problem with clamav-0.99.2.tar.gz
jjmichaud at constantcontact
Jun 30, 2017, 10:46 AM
Post #1 of 2 (327 views)
Permalink
I just downloaded clamav-0.99.2.tar.gz from
https://www.clamav.net/downloads and tried to check the signature
using the "Talos PGP Public Key" on the same page. It looks like it
was signed with a different public key.


$ gpg --import ../Talos-PGP-Public-Key
gpg: key 0B3BB3A7: public key "vulndev@cisco.com <vulndev@cisco.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

$ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz
gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA key ID 260429A0
gpg: Can't check signature: No public key



I was able to do some digging and did find the key using
https://pgp.key-server.io/
(https://pgp.key-server.io/search/Talos+GPG+Key). However that key
expired in April 2017. I'm guessing someone needs to update the
signature file using the new public key.



$ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz
gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA key ID 260429A0
gpg: Good signature from "Talos (Talos GPG Key) <research@sourcefire.com>"
gpg: Note: This key has expired!
Primary key fingerprint: F79F B2D0 8751 574C 5D3F DFFB B3D5 342C 2604 29A0
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: GPG signature problem with clamav-0.99.2.tar.gz [ In reply to ]
jesler at cisco
Jun 30, 2017, 1:12 PM
Post #2 of 2 (326 views)
Permalink
Jim,

Thanks. This look like the vulndev key. The correct key is on the contact page of Talosintelligence.com.

We'll take a look here.

--
Sent from my iPhone

> On Jun 30, 2017, at 13:46, Jim Michaud <jjmichaud@constantcontact.com> wrote:
>
> I just downloaded clamav-0.99.2.tar.gz from
> https://www.clamav.net/downloads and tried to check the signature
> using the "Talos PGP Public Key" on the same page. It looks like it
> was signed with a different public key.
>
>
> $ gpg --import ../Talos-PGP-Public-Key
> gpg: key 0B3BB3A7: public key "vulndev@cisco.com <vulndev@cisco.com>" imported
> gpg: Total number processed: 1
> gpg: imported: 1 (RSA: 1)
>
> $ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz
> gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA key ID 260429A0
> gpg: Can't check signature: No public key
>
>
>
> I was able to do some digging and did find the key using
> https://pgp.key-server.io/
> (https://pgp.key-server.io/search/Talos+GPG+Key). However that key
> expired in April 2017. I'm guessing someone needs to update the
> signature file using the new public key.
>
>
>
> $ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz
> gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA key ID 260429A0
> gpg: Good signature from "Talos (Talos GPG Key) <research@sourcefire.com>"
> gpg: Note: This key has expired!
> Primary key fingerprint: F79F B2D0 8751 574C 5D3F DFFB B3D5 342C 2604 29A0
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

©2023 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal