On Wed, 22 Nov 2006 at 16:37:43 -0600, René Berber wrote:
> 
> sigtool does the checking.
> 
> Man sigtool says: "It's  also  to  verify digital signatures of databases...",
> and option -i or --info does "Print a CVD information and verify MD5 and a
> digital  signature."
> 
> How does it do it?  I don't know, I haven't checked, but no mention is made that it
> may need an Internet connection. To be sure you'll have to try it or perhaps
> look at the source code.  I did once compare the MD5 checksum shown with the
> output of the usual md5sum, and they are different.

This is because the MD5 checksum shown by sigtool is of the "naked" 
database, i.e. before prepending it with the CVD header.
Once you remove the header, md5sum(1) of the database is the same as 
printed by sigtool.

As (e.g.)  http://www.clamav.net/doc/0.88.5/html/node45.html  says:

"CVD format

   CVD (ClamAV Virus Database) is a digitally signed tarball file that
   contains one or more databases. The header is a 512 bytes long string
   with colon separated fields:
   ClamAV-VDB:build time:version:number of signatures:functionality
   level required:MD5 checksum:digital signature:builder name:build time 
   (sec)".


How we can compare both checksums:

First we'll print the MD5 checksum with sigtool (cutting off the string 
"MD5: " for easier comparing later).
Then we'll take all but the first 512 bytes of the CVD file (to remove the 
header).
Finally we'll generate the MD5 checksum of the "naked" database.
The result: both checksums are identical.

$ sigtool -i /var/lib/clamav/main.cvd | grep MD5 | cut -d " " -f 2
bbd0a1fe83da562a1d6b43e22f4c0626

$ tail -c +513 /var/lib/clamav/main.cvd > main.cvd.tmp

$ md5sum main.cvd.tmp
bbd0a1fe83da562a1d6b43e22f4c0626  main.cvd.tmp

-- 
 Tomasz Papszun    SysAdm @ TP S.A. Lodz, Poland    | And it's only
 tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 tomek at clamav.net   http://www.ClamAV.net/   A GPL virus scanner
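The comparison described in the message above, as an added Python example that is not part of the original post or of ClamAV's code: it parses the 512-byte header using the field list quoted from the documentation and checks the MD5 field against the bytes that follow. The function names, the sample contents and the space padding of the header are assumptions; the check covers only the MD5 field, not the digital signature that sigtool also verifies.

```python
import hashlib

HEADER_LEN = 512  # header size given in the quoted CVD format description
# Field order as listed in the quoted documentation.
FIELDS = ("magic", "build_time", "version", "num_sigs", "func_level",
          "md5", "dsig", "builder", "build_time_sec")


def parse_cvd_header(header: bytes) -> dict:
    """Split a 512-byte CVD header into its colon-separated fields."""
    if len(header) != HEADER_LEN:
        raise ValueError("CVD header must be exactly 512 bytes")
    # Assumption: unused header space is padding (spaces or NULs).
    text = header.decode("ascii").rstrip(" \x00\n")
    parts = text.split(":")
    if len(parts) != len(FIELDS) or parts[0] != "ClamAV-VDB":
        raise ValueError("not a CVD header")
    return dict(zip(FIELDS, parts))


def check_cvd_md5(blob: bytes) -> tuple:
    """Return (matches, header_md5, computed_md5) for a CVD file image.

    Equivalent to: tail -c +513 file | md5sum, compared with the header field.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("file shorter than a CVD header")
    claimed = parse_cvd_header(blob[:HEADER_LEN])["md5"].lower()
    computed = hashlib.md5(blob[HEADER_LEN:]).hexdigest()
    return claimed == computed, claimed, computed


def build_sample(body: bytes) -> bytes:
    """Constructed sample for the demo, not a real ClamAV database."""
    header = ":".join([
        "ClamAV-VDB", "22 Nov 2006 16-37 -0600", "1", "3", "10",
        hashlib.md5(body).hexdigest(),
        "CONSTRUCTED-SIGNATURE", "example", "1164235063",
    ])
    return header.encode("ascii").ljust(HEADER_LEN, b" ") + body


if __name__ == "__main__":
    good = build_sample(b"constructed tarball bytes")
    print("intact:  ", check_cvd_md5(good))
    # Flip the last body byte: the header MD5 no longer matches.
    print("tampered:", check_cvd_md5(good[:-1] + b"X"))
```

To run it against a real file, pass `open(path, "rb").read()` to `check_cvd_md5`.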