Noticed that when I was poking around.

--
Joel Esler
Manager, Threat Intelligence and Open Source
Talos Group

Sent from my iPhone

On Jul 17, 2015, at 9:10 AM, Bowie Bailey <bowie_bai...@buc.com> wrote:

> On 7/16/2015 7:33 PM, Joel Esler (jesler) wrote:
>> On Jul 16, 2015, at 2:45 PM, Bowie Bailey <bowie_bai...@buc.com> wrote:
>>> On 7/16/2015 1:30 PM, Al Varnell wrote:
>>>> Start with the Documentation page for Upgrading ClamAV: <http://www.clamav.net/doc/upgrade.html>
>>>>
>>>> • How do I verify the integrity of ClamAV sources?
>>>>
>>>> Using GnuPG you can easily verify the authenticity of your stable release downloads by using the following method:
>>>>
>>>> Download the Sourcefire VRT key from the VRT labs site <http://labs.snort.org/contact.html>.
>>>> Import the key into your local public keyring:
>>>>     $ gpg --import vrt.gpg
>>>> Download the stable release AND the corresponding .sig file to the same directory.
>>>> Verify that the stable release download is signed with the Sourcefire VRT key <http://labs.snort.org/contact.html>:
>>>>     $ gpg --verify clamav-X.XX.tar.gz.sig
>>>>
>>>> Please note that the resulting output should look like the following:
>>>>     gpg: Signature made <some date> using DSA key ID 15497F03
>>>>     gpg: Good signature from Sourcefire VRT <email address>
>>>>
>>>> On Thu, Jul 16, 2015 at 08:21 AM, Bowie Bailey wrote:
>>>>> Where can I find the gpg key for the clamav tarball? I've poked through the website and sourceforge and can't find it anywhere.
>>>
>>> Wow. They certainly buried it well enough! You would think they would put a link on the download page or somewhere a bit more visible. I skimmed through a bunch of the documentation previously, but I guess I missed it. Interesting that they don't even mention checking the signature in the install instructions.
>>>
>>> I even had to dig the sig file out of the sourceforge project page. As far as I can tell, it's not linked from the main site at all.
>>
>> Hey guys sorry about this, I read the email and thought I responded because I started looking into fixing the problem, and got sidetracked with some other stuff.
>>
>> Anyway, we’re going to put it on the main site. Also going to move the downloads off of SourceForge. No time frame yet.
>
> Thanks for the update, Joel.
>
> I don't have a problem with SourceForge. My main complaint was that there was a link to the main tarball on the clamav.net website, but no obvious links to the sig file or the gpg key. I do think it is a good idea to store the key file and sig files in different locations for security.
>
> FYI, SourceForge seems to be having some problems since yesterday afternoon. The ClamAV project page and downloads are available, but it shows the current version as 0.98.6. You can still download 0.98.7 if you have a direct link.
>
> --
> Bowie

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
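The verification steps quoted in this thread judge success by reading gpg's "Good signature" line, which gpg prints for a valid signature from any key in the local keyring. As an added example (not from the ClamAV documentation or from anyone in this thread), the shell functions below parse gpg's `--status-fd` output and accept the tarball only when the signature comes from the expected key; the function names and the sample fingerprint are constructed, and only the key ID 15497F03 comes from the quoted text.

```shell
#!/bin/sh
# Added example: bind the verification result to the expected key by parsing
# gpg's machine-readable status lines instead of reading "Good signature".

# check_sig_status EXPECTED   (gpg status lines on stdin)
# EXPECTED is a key ID or, preferably, a full fingerprint obtained out of band.
# Succeeds only if gpg reported VALIDSIG for a key whose fingerprint ends in
# EXPECTED and reported no bad, expired, revoked or error status.
check_sig_status() {
    awk -v want="$1" '
        function ends(s, suffix) {
            return length(s) >= length(suffix) &&
                   substr(s, length(s) - length(suffix) + 1) == suffix
        }
        BEGIN { want = toupper(want); gsub(/[^0-9A-F]/, "", want) }
        $1 != "[GNUPG:]" { next }
        # VALIDSIG can accompany an expired or revoked key, so track these too.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 is the signing key fingerprint; the last field is the
            # primary key fingerprint when gpg supplies it.
            if (length(want) >= 8 &&
                (ends(toupper($3), want) || ends(toupper($NF), want))) {
                ok = 1
            } else {
                bad = 1    # cryptographically valid, but not the expected key
            }
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release EXPECTED SIGFILE TARBALL   (hypothetical wrapper around gpg)
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_sig_status "$1"
}

# Constructed status output: the fingerprint is made up around the key ID
# shown in the quoted documentation and is not the real key's fingerprint.
sample_status() {
    fpr=0123456789ABCDEF0123456789ABCDEF15497F03
    printf '%s\n' \
        "[GNUPG:] GOODSIG 89ABCDEF15497F03 Sourcefire VRT" \
        "[GNUPG:] VALIDSIG $fpr 2015-07-01 1435708800 0 4 0 17 2 00 $fpr"
}

sample_status | check_sig_status 15497F03 && echo "signature bound to expected key"
```

An 8-digit key ID can be collided, so pass the full fingerprint to `verify_release` once it has been obtained from a trusted source.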