https://talosintelligence.com/about click on box "Talos PGP Public Key". Maybe that one works? If it was its own URL I'd include it, but it looks like it's javascript, in the same page.
Regards, Scott > -----Original Message----- > From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf > Of Tomasz Papszun > Sent: Monday, January 29, 2018 2:26 PM > To: clamav-users@lists.clamav.net > Subject: [External] [clamav-users] GPG key where? (was: Re: GPG signature > problem with clamav-0.99.2.tar.gz) > > On Fri, 30 Jun 2017 at 20:12:11 +0000, Joel Esler (jesler) wrote: > > Jim, > > > > Thanks. This look like the vulndev key. The correct key is on the contact > > page of Talosintelligence.com. > > > > We'll take a look here. > > Hi, Joel. > > I went to http://www.clamav.net/downloads, got > http://www.clamav.net/downloads/production/clamav-0.99.3.tar.gz and > http://www.clamav.net/downloads/production/clamav-0.99.3.tar.gz.sig > and wanted to verify the tarball and compile ASAP - there are bugs in > 0.99.2 after all. > > For half an hour or so I tried to find the public key at various places: > > Talosintelligence.com, Cisco.com, http://labs.snort.org/contact.html > (linked at > https://github.com/Cisco-Talos/clamav-faq/blob/master/faq/faq-upgrade.md), > a keyserver - all to no avail. > > Where is the key? > > > > > > > On Jun 30, 2017, at 13:46, Jim Michaud <jjmich...@constantcontact.com> > > > wrote: > > > > > > I just downloaded clamav-0.99.2.tar.gz from > > > https://www.clamav.net/downloads and tried to check the signature > > > using the "Talos PGP Public Key" on the same page. It looks like it > > > was signed with a different public key. > > > > > > $ gpg --import ../Talos-PGP-Public-Key > > > gpg: key 0B3BB3A7: public key "vuln...@cisco.com <vuln...@cisco.com>" > > > imported > > > gpg: Total number processed: 1 > > > gpg: imported: 1 (RSA: 1) > > > > > > $ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz > > > gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA key ID > > > 260429A0 > > > gpg: Can't check signature: No public key > > > > > > I was able to do some digging and did find the key using > > > https://pgp.key-server.io/ > > > (https://pgp.key-server.io/search/Talos+GPG+Key). However that key > > > expired in April 2017. I'm guessing someone needs to update the > > > signature file using the new public key. > > > > > > $ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz > > > gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA key ID > > > 260429A0 > > > gpg: Good signature from "Talos (Talos GPG Key) <resea...@sourcefire.com>" > > > gpg: Note: This key has expired! > > > Primary key fingerprint: F79F B2D0 8751 574C 5D3F DFFB B3D5 342C 2604 > > > 29A0 > > > > -- > Tomasz Papszun | And it's only > tomek at lodz.tpsa.pl linkedin.com/in/tomaszpapszun | ones and zeros. > _______________________________________________ > clamav-users mailing list > clamav-users@lists.clamav.net > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users > > > Help us build a comprehensive ClamAV guide: > https://github.com/vrtadmin/clamav-faq > > http://www.clamav.net/contact.html#ml _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
