I just downloaded clamav-0.99.2.tar.gz from https://www.clamav.net/downloads and tried to check the signature using the "Talos PGP Public Key" on the same page. It looks like it was signed with a different public key.
$ gpg --import ../Talos-PGP-Public-Key gpg: key 0B3BB3A7: public key "vuln...@cisco.com <vuln...@cisco.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) $ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA key ID 260429A0 gpg: Can't check signature: No public key I was able to do some digging and did find the key using https://pgp.key-server.io/ (https://pgp.key-server.io/search/Talos+GPG+Key). However that key expired in April 2017. I'm guessing someone needs to update the signature file using the new public key. $ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA key ID 260429A0 gpg: Good signature from "Talos (Talos GPG Key) <resea...@sourcefire.com>" gpg: Note: This key has expired! Primary key fingerprint: F79F B2D0 8751 574C 5D3F DFFB B3D5 342C 2604 29A0 _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
