Ah I see it now!
For those following along, in libclamav/dsig.c, there is an implementation of
RSA inspired by http://www.erikyyy.de/yyyRSA/, and the public parameters of an
RSA key are hard-coded in that file.
Thanks again!
- Luke
On Oct 24, 2018, at 2:01 PM, Noel Jones
Baked in.
On 10/24/2018 12:10 PM, Luke Massa wrote:
> But what are they signed *by*? If it’s using a public/private keypair, where
> is the public key? Is it baked into freshclam/clamd/clamscan somewhere?
>
> - Luke
>
>> On Oct 24, 2018, at 11:59 AM, Noel Jones wrote:
>>
>> On 10/23/2018
But what are they signed *by*? If it’s using a public/private keypair, where is
the public key? Is it baked into freshclam/clamd/clamscan somewhere?
- Luke
> On Oct 24, 2018, at 11:59 AM, Noel Jones wrote:
>
> On 10/23/2018 2:17 PM, Luke Massa wrote:
>>
>> In short, is there any way I can
On 10/23/2018 2:17 PM, Luke Massa wrote:
>
> In short, is there any way I can setup clamav/freshclam and be
> confident that a malicious user isn’t adding/removing signatures
> from the upstream mirrors?
The .cvd files have an internal cryptographic signature that's
checked by freshclam and
Hello all,
I have looked through the documentation and the source code, and there doesn’t
seem to be a way to download the clamav database in a secure way (i.e. with
https), is that the case?
Furthermore, I don’t see any mechanism by which the clamav database is verified
against a known