Arnaud Jacques wrote:
The .cvd files have an internal cryptographic signature that's
checked by freshclam and clamd/clamscan. If freshclam and/or clamd
accepts the files, you can be assured they are official and
unmodified. This is built into clam; no external tools are called.
Thanks, this is
Leonardo Rodrigues wrote:
the databases are digitally signed, and any modification, such in
a man-in-the-middle attack, would break the signature and freshclam
would refuse to run the files.
Sounds good. Can you please explain how this works in detail?
Apt places GPG keys in the system