I tend to get keys via GPG's "--recv-key" command, since it often is
not clear from the Web site where to get the key.

E.g., when "gpg --verify" reports the key is missing, the command below
will usually retrieve it (when it is provided, of course, with the right
fingerprint in place of "BCA5BFAD"):

  ~/Downloads/Linux/ClamAV> gpg --recv-key BCA5BFAD
  gpg: requesting key BCA5BFAD from hkp server keys.gnupg.net
  gpg: key BCA5BFAD: public key "Talos (Talos, Cisco Systems Inc.)
  <resea...@sourcefire.com>" imported gpg: Total number processed: 1
  gpg:               imported: 1  (RSA: 1)

This approach works in almost all situations. I don't know whether a
fake key being planted on the key server is more or less likely than
the software's Web page being compromised. I suppose one could get the
alleged key both ways (when possible) and compare the two results.




On Mon, 29 Jan 2018 23:13:16 +0000
SCOTT PACKARD <scott.pack...@raytheon.com> wrote:

> https://talosintelligence.com/about  click on box "Talos PGP Public
> Key". Maybe that one works?  If it was its own URL I'd include it,
> but it looks like it's javascript, in the same page.
> 
> Regards, Scott
> 
> > -----Original Message-----
> > From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net]
> > On Behalf Of Tomasz Papszun Sent: Monday, January 29, 2018 2:26 PM
> > To: clamav-users@lists.clamav.net
> > Subject: [External] [clamav-users] GPG key where? (was: Re: GPG
> > signature problem with clamav-0.99.2.tar.gz)
> > 
> > On Fri, 30 Jun 2017 at 20:12:11 +0000, Joel Esler (jesler) wrote:
> > > Jim,
> > >
> > > Thanks.  This look like the vulndev key.  The correct key is on
> > > the contact page of Talosintelligence.com.
> > >
> > > We'll take a look here.
> > 
> > Hi, Joel.
> > 
> > I went to http://www.clamav.net/downloads, got
> > http://www.clamav.net/downloads/production/clamav-0.99.3.tar.gz  and
> > http://www.clamav.net/downloads/production/clamav-0.99.3.tar.gz.sig
> > and wanted to verify the tarball and compile ASAP - there are bugs
> > in 0.99.2 after all.
> > 
> > For half an hour or so I tried to find the public key at various
> > places:
> > 
> > Talosintelligence.com, Cisco.com, http://labs.snort.org/contact.html
> > (linked at
> > https://github.com/Cisco-Talos/clamav-faq/blob/master/faq/faq-upgrade.md),
> > a keyserver - all to no avail.
> > 
> > Where is the key?
> > 
> > 
> > >
> > > > On Jun 30, 2017, at 13:46, Jim Michaud
> > > > <jjmich...@constantcontact.com> wrote:
> > > >
> > > > I just downloaded clamav-0.99.2.tar.gz from
> > > > https://www.clamav.net/downloads and tried to check the
> > > > signature using the "Talos PGP Public Key" on the same page.
> > > > It looks like it was signed with a different public key.
> > > >
> > > > $ gpg --import ../Talos-PGP-Public-Key
> > > > gpg: key 0B3BB3A7: public key "vuln...@cisco.com
> > > > <vuln...@cisco.com>" imported gpg: Total number processed: 1
> > > > gpg:               imported: 1  (RSA: 1)
> > > >
> > > > $ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz
> > > > gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA
> > > > key ID 260429A0 gpg: Can't check signature: No public key
> > > >
> > > > I was able to do some digging and did find the key using
> > > > https://pgp.key-server.io/
> > > > (https://pgp.key-server.io/search/Talos+GPG+Key).  However that
> > > > key expired in April 2017. I'm guessing someone needs to update
> > > > the signature file using the new public key.
> > > >
> > > > $ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz
> > > > gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA
> > > > key ID 260429A0 gpg: Good signature from "Talos (Talos GPG Key)
> > > > <resea...@sourcefire.com>" gpg: Note: This key has expired!
> > > > Primary key fingerprint: F79F B2D0 8751 574C 5D3F  DFFB B3D5
> > > > 342C 2604 29A0
> > >
> > 
> > --
> >  Tomasz Papszun                                      | And it's only
> >  tomek at lodz.tpsa.pl linkedin.com/in/tomaszpapszun | ones and
> > zeros. _______________________________________________

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Reply via email to