On 27/07/2011 3.50, Nathan Gibbs wrote:
>> No (at least atm). With the server signing code you could create
>> your own key, set up a server infrastructure with signing,
>> distribute your cvd files
>
> That would be cool, I'd like to try that.
>
>> , and finally ship a modified clamav to have your db verified.
>>
>
> There's the hangup. Let me guess, the public key or keys are
> hardcoded into freshclam somewhere. If so, this is conceptually easy
> to implement. Have the DB verification code work through a list of
> public keys, and add a publickey or similar option to freshclam.conf,
> that adds keys to the list. 3rd parties could do their own signing.
> Then they could distribute the public key and the cvd. Of course,
> then open source the cvd signing code.
>
You're brave! (and perhaps right)

Keys are hardcoded and, together with the code, are in libclamav/dsig.c.
Crypto looks like RSA to me. Just a hint, check this project:
http://www.erikyyy.de/yyyRSA/

In the past I've tried to add an additional key, but I'm not a good
crypto expert.

You may still be lucky by asking clamav team to release the code :)

The current clamav team proposal fits perfectly with clamwin, so right
now I have no real interest to know how clamav db signing works.

You may also try to brute-force the key :) amazon elastic cpus are cheap

Regards

--
Gianluigi Tiesi <[email protected]>
EDP Project Leader
Netfarm S.r.l. - http://www.netfarm.it/
Free Software: http://oss.netfarm.it/
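
The key-list idea from the quoted message, as an added example that is not part of this thread and not ClamAV code: a verifier that tries a built-in key plus keys named in a config file and reports which one matched. Assumptions: the `PublicKey <name> <n-hex> <e-hex>` line is a hypothetical option (not a real freshclam.conf directive), standard RSA PKCS#1 v1.5 with SHA-256 stands in for ClamAV's own signature format in libclamav/dsig.c, and the keys and data are constructed test values.

```python
import hashlib

# DER DigestInfo prefix for SHA-256 (PKCS#1 v1.5, RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(data: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data) into k bytes."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_one(data: bytes, sig: int, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if not 0 <= sig < n:
        return False
    # Re-encode and compare the whole block rather than parsing the padding.
    return pow(sig, e, n).to_bytes(k, "big") == encode(data, k)

def load_keyring(conf_text: str, builtin: dict) -> dict:
    """Built-in keys plus keys from hypothetical 'PublicKey' config lines."""
    ring = dict(builtin)
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 4 and parts[0] == "PublicKey":
            name = parts[1]
            if name in ring:  # config must not silently replace a trusted key
                raise ValueError(f"duplicate key name: {name}")
            ring[name] = (int(parts[2], 16), int(parts[3], 16))
    return ring

def verify_db(data: bytes, sig: int, ring: dict):
    """Return the name of the key that verifies the signature, or None."""
    for name, (n, e) in ring.items():
        if verify_one(data, sig, n, e):
            return name
    return None

# Constructed test keys built from Mersenne primes: trivially factorable, demo only.
def toy_key(p_exp, q_exp, e=65537):
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def sign_for_test(data, n, d):  # signer side, used only to produce test input
    return pow(int.from_bytes(encode(data, (n.bit_length() + 7) // 8), "big"), d, n)

VENDOR = toy_key(521, 607)
THIRD = toy_key(607, 1279)
CONF = f"# constructed sample config\nPublicKey thirdparty {THIRD[0]:x} {THIRD[1]:x}\n"
RING = load_keyring(CONF, {"builtin": VENDOR[:2]})
DB = b"constructed signature database contents"
```

Returning the matching key name lets the caller log or restrict which signer a given database was accepted from, since every key added to the list becomes a full trust anchor for database updates.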
