On 7/16/2015 7:33 PM, Joel Esler (jesler) wrote:
On Jul 16, 2015, at 2:45 PM, Bowie Bailey <bowie_bai...@buc.com> wrote:
On 7/16/2015 1:30 PM, Al Varnell wrote:
Start with the Documentation page for Upgrading ClamAV:
<http://www.clamav.net/doc/upgrade.html>
• How do I verify the integrity of ClamAV sources?
Using GnuPG you can easily verify the authenticity of your stable release downloads
by using the following method:
Download the Sourcefire VRT key from the VRT labs site
<http://labs.snort.org/contact.html>.
Import the key into your local public keyring:
    $ gpg --import vrt.gpg
Download the stable release AND the corresponding .sig file to the same directory.
Verify that the stable release download is signed with the Sourcefire VRT key
<http://labs.snort.org/contact.html>:
    $ gpg --verify clamav-X.XX.tar.gz.sig
Please note that the resulting output should look like the following:
    gpg: Signature made <some date> using DSA key ID 15497F03
    gpg: Good signature from Sourcefire VRT <email address>
On Thu, Jul 16, 2015 at 08:21 AM, Bowie Bailey wrote:
Where can I find the gpg key for the clamav tarball? I've poked through the
website and sourceforge and can't find it anywhere.
Wow. They certainly buried it well enough! You would think they would put a
link on the download page or somewhere a bit more visible. I skimmed through a
bunch of the documentation previously, but I guess I missed it. Interesting
that they don't even mention checking the signature in the install
instructions. I even had to dig the sig file out of the sourceforge project
page. As far as I can tell, it's not linked from the main site at all.
Hey guys sorry about this, I read the email and thought I responded because I
started looking into fixing the problem, and got sidetracked with some other
stuff.
Anyway, we’re going to put it on the main site. Also going to move the
downloads off of SourceForge. No time frame yet.
Thanks for the update, Joel.
I don't have a problem with SourceForge. My main complaint was that
there was a link to the main tarball on the clamav.net website, but no
obvious links to the sig file or the gpg key. I do think it is a good
idea to store the key file and sig files in different locations for
security.
FYI, SourceForge seems to be having some problems since yesterday
afternoon. The ClamAV project page and downloads are available, but it
shows the current version as 0.98.6. You can still download 0.98.7 if
you have a direct link.
--
Bowie
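
Added example (not part of the original thread and not ClamAV's own tooling): the check quoted above relies on reading "Good signature" by eye, so this sketch makes the same decision from gpg's machine-readable --status-fd output and pins the signer to one full fingerprint. The function names and the sample fingerprint are constructed for illustration; the thread only shows the short key ID, so the real full fingerprint has to be taken from the imported key.

```shell
#!/bin/sh
# Constructed sample data: NOT the real Sourcefire VRT key or a real signature.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2015-07-16 1437004800 0 4 0 17 2 00 $SAMPLE_FPR"

# check_status EXPECTED_FPR
# Reads "[GNUPG:] ..." status lines on stdin. Returns 0 only if a VALIDSIG
# line names EXPECTED_FPR as the signing key and no line reports a bad,
# unverifiable, expired or revoked signature or key.
check_status() {
    # Accept the fingerprint as gpg prints it (spaces, either case).
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    valid=no
    while read -r tag keyword fpr _rest || [ -n "$tag" ]; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                return 1 ;;
            VALIDSIG)
                # First VALIDSIG argument is the signing key's fingerprint.
                [ "$fpr" = "$expected" ] && valid=yes || return 1 ;;
        esac
    done
    [ "$valid" = yes ]
}

# verify_release TARBALL SIGFILE EXPECTED_FPR
# Runs the detached-signature check and lets check_status decide, so a
# signature made by any other key in the keyring is rejected.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$3"
}
```

Usage would be along the lines of: verify_release clamav-X.XX.tar.gz clamav-X.XX.tar.gz.sig "<full fingerprint of the imported key>" and installing only if it returns 0.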