Mailing List Archive: Cannot "decode" a SHA256 signature

Cannot "decode" a SHA256 signature

Sep 12, 2023, 1:27 AM

Post #1 of 3 (161 views)

I found a rejection based on vhxtdQ.sigs.InterServer.net.SHA256.21881
in my mail.log and wanted to check what the signature searches for.

So I took out ye olde sigtool - and failed:

# /usr/local/bin/sigtool --find-sigs vhxtdQ.sigs.InterServer.net.SHA256.21881 | /usr/local/bin/sigtool --decode-sigs
ERROR: decodesig: Invalid or not supported signature format
TOKENS COUNT: 3

# /usr/local/bin/sigtool --find-sigs vhxtdQ.sigs.InterServer.net.SHA256.21881
[interserver256.hdb] 90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21:17174:vhxtdQ.sigs.InterServer.net.SHA256.21881

The source of which is:
https://rbldata.interserver.net/interserver256.hdb

looking at that file I realised that these signatures ar merely SHA256
checksums, so there's not much to decode. But should sigtool --decode-sigs
really throw an error in that case?

I'm using the official deb packages from clamav.net:

# dpkg -l |fgrep clam
ii clamav 1.2.0-1 amd64 ClamAV open source email, web, and end-point anti-virus toolkit.

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
Invalidenstraße 120/121 | D-10115 Berlin

Tel. +49 30 450 570 155
ralf.hildebrandt@charite.de
https://www.charite.de
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat

Re: Cannot "decode" a SHA256 signature [ In reply to ]

clamav-users at lists

Sep 12, 2023, 2:42 AM

Post #2 of 3 (161 views)

Permalink

Sent from my iPad

On Sep 12, 2023, at 01:29, Ralf Hildebrandt via clamav-users <clamav-users@lists.clamav.net> wrote:
> should sigtool --decode-sigs really throw an error in that case?

Perhaps not, but it's been the case for as long as I've been using clamav...decades now.

Just my approach, but I always start with -f (or --find-signs) and only move to --decode-sigs if I feel the need to do so.

-Al-
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat

Re: [ext] Re: Cannot "decode" a SHA256 signature [ In reply to ]

clamav-users at lists

Sep 12, 2023, 2:56 AM

Post #3 of 3 (161 views)

Permalink

* Al Varnell via clamav-users <clamav-users@lists.clamav.net>:
> Sent from my iPad
>
> On Sep 12, 2023, at 01:29, Ralf Hildebrandt via clamav-users <clamav-users@lists.clamav.net> wrote:
> > should sigtool --decode-sigs really throw an error in that case?
>
> Perhaps not, but it's been the case for as long as I've been using clamav...decades now.

Yeah, I never tried that before on a SHA256 signature, so it's a first for me.

> Just my approach, but I always start with -f (or --find-signs) and only move to --decode-sigs if I feel the need to do so.

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
Invalidenstraße 120/121 | D-10115 Berlin

Tel. +49 30 450 570 155
ralf.hildebrandt@charite.de
https://www.charite.de
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat