Re: [clamav-users] ClamAV® blog: ClamAV 0.103.2 security patch release

[Andrew C Aitchison via clamav-users]

Joel,

You can add a direct link to the PGP key now as this is completely independant
of the released packages.

Better yet would be to
1) Sign the new key with the old one (which doesn't actually expire until 
Monday)
2) Get other (public domain) software people to sign your key.
This assumes that you can get the key to them and the signature back
in a way that satisfies both of you that they really came from the person
they claim to be ...

3) Put the key (presumably with the signatures above)
on some of the public keyservers, eg
  https://pgp.mit.edu/
  https://keyserver.ubuntu.com/

If a software package is signed With an unsigned key and the key and
the package are put on the same webserver there is no advantage to users
over just giving an MD5 or SHA checksum - we have no way of measuring
the trust in the key.
By getting other know parties (including the old key's owner)
to sign the new key, we have some idea that the new key can be trusted
and was not put up by a malicous webmaster - possibly of a spoof website.

Thanks,

On Wed, 7 Apr 2021, Joel Esler (jesler) via clamav-users wrote:

We’ll look into that for a future update.

Sent from my iPhone

On Apr 7, 2021, at 16:58, Arjen de Korte via clamav-users 
<clamav-users@lists.clamav.net> wrote:

Citeren "Joel Esler (jesler) via clamav-users" 
<clamav-users@lists.clamav.net>:

It’s available on the webpage.

I already wrote that I know it is available from the website. I need to update 
the stored keyring in openSUSE Factory, which needs a backlink to the origin. 
Rather than downloading https://www.clamav.net/downloads and trimming the HTML 
code, a straight download link for the keyfile would make it easier to verify 
it.

On Apr 7, 2021, at 4:29 PM, Arjen de Korte via clamav-users 
<clamav-users@lists.clamav.net> wrote:

Citeren "Joel Esler (jesler) via clamav-users" <clamav-users@lists.clamav.net>:

It seems the package is now signed with a different PGP key. Is there a 
location from where I can directly download the public key, rather than copying 
it from the webpage?

Best regards, Arjen

--
Andrew C. Aitchison                                     Kendal, UK
                        and...@aitchison.me.uk

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml