Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

Expired GPG Public key for verifying ClamAV signature for gzipped source #890

Open j-flat opened 1 year ago

j-flat commented 1 year ago

Describe the bug

The public key signature has expired for the ClamAV public key, making it impossible to verify the signature for the gzipped source. When attempting to verify the signature for e.g. v1.0.1 I get this error:

gpg: Good signature from "Talos (Talos, Cisco Systems Inc.) <research@sourcefire.com>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: E34D B95B 374B 3157 0496  CD3F 609B 024F 2B3E DD07
result: [GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1680210220
[GNUPG:] KEY_CONSIDERED E34DB95B374B31570496CD3F609B024F2B3EDD07 0
[GNUPG:] KEYEXPIRED 1680210220
[GNUPG:] SIG_ID a4I0vf/aZHfqHezi2S04d1QZ5Ss 2023-02-13 1676298482
[GNUPG:] KEYEXPIRED 1680210220
[GNUPG:] KEY_CONSIDERED E34DB95B374B31570496CD3F609B024F2B3EDD07 0
[GNUPG:] EXPKEYSIG 609B024F2B3EDD07 Talos (Talos, Cisco Systems Inc.) <research@sourcefire.com>
[GNUPG:] VALIDSIG E34DB95B374B31570496CD3F609B024F2B3EDD07 2023-02-13 1676298482 0 4 0 1 2 00 E34DB95B374B31570496CD3F609B024F2B3EDD07

How to reproduce the problem

In our docker-image build process we download the source and build ClamAV binaries with a shell script close to the following:

SOURCECODE_URL="https://www.clamav.net/downloads/production/clamav-1.01.tar.gz"
SIGNATURE_URL="https://www.clamav.net/downloads/production/clamav-1.01.tar.gz.sig"

wget  $SOURCECODE_URL
wget  $SIGNATURE_URL

gpg --status-fd 1 --verify clamav-1.01.tar.gz.sig clamav-1.01.tar.gz

The gpg command outputs the above-mentioned error. Since we rely on exit code 0 in the build process, our build fails on this.

Attachments

N/A

amsnek commented 1 year ago

Similar issue, one can't verify due to a missing public key?

gpg --import talos-pgp.key
gpg: key CCE0DFD21EC1A9BF: 1 signature not checked due to a missing key
gpg: key CCE0DFD21EC1A9BF: "Talos (Talos, Cisco Systems Inc.) <research@sourcefire.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

will result in

gpg --verify clamav-1.0.1.linux.x86_64.rpm.sig clamav-1.0.1.linux.x86_64.rpm
gpg: Signature made Mon Feb 13 14:28:00 2023 UTC
gpg:                using RSA key 609B024F2B3EDD07
gpg: Can't check signature: No public key

-> currently there seems to be no way to verify signatures?
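Both failures in this thread show up as distinct machine-readable lines on gpg's `--status-fd` stream: j-flat's transcript carries EXPKEYSIG together with VALIDSIG (the signature itself is valid, the key has merely expired), while amsnek's "Can't check signature: No public key" corresponds to a NO_PUBKEY line. A build step that inspects those status lines can report which of the two it hit instead of failing on a generic non-zero exit code. The script below is an added example, not ClamAV's build script and not code posted by anyone in this issue: the function names are my own, `verify_download` assumes gpg is installed and the Talos key has already been imported, and the embedded transcript is copied from the report above.

```shell
#!/bin/sh
# Added example (not ClamAV's build script): classify a `gpg --status-fd 1`
# transcript so a build step can tell a valid-but-expired-key signature
# (EXPKEYSIG) from a missing key (NO_PUBKEY) from a genuinely bad signature,
# instead of grepping gpg's human-readable stderr text.
#
# Verdict printed on stdout / exit status:
#   good         0  VALIDSIG present, no expiry note
#   expired-key  3  VALIDSIG present but the signing key has expired (EXPKEYSIG)
#   no-pubkey    2  the signing key is not in the keyring (NO_PUBKEY)
#   bad          1  BADSIG, or no VALIDSIG at all
classify_gpg_status() {
    valid=0 expired=0 nopubkey=0 bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)   valid=1 ;;
            "[GNUPG:] EXPKEYSIG "*)  expired=1 ;;
            "[GNUPG:] NO_PUBKEY "*)  nopubkey=1 ;;
            "[GNUPG:] BADSIG "*)     bad=1 ;;
        esac
    done
    if [ "$bad" -eq 1 ]; then
        echo bad; return 1
    elif [ "$nopubkey" -eq 1 ]; then
        echo no-pubkey; return 2
    elif [ "$valid" -eq 1 ] && [ "$expired" -eq 1 ]; then
        echo expired-key; return 3
    elif [ "$valid" -eq 1 ]; then
        echo good; return 0
    fi
    echo bad; return 1
}

# Verify a download against its detached .sig and classify the result.
# Assumes gpg is installed and the Talos public key was imported beforehand.
# Status lines go to stdout (fd 1); the chatty messages stay on stderr.
verify_download() {
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null | classify_gpg_status
}

# Status lines quoted from the issue report above (expired key, valid signature).
ISSUE_TRANSCRIPT='[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1680210220
[GNUPG:] KEY_CONSIDERED E34DB95B374B31570496CD3F609B024F2B3EDD07 0
[GNUPG:] EXPKEYSIG 609B024F2B3EDD07 Talos (Talos, Cisco Systems Inc.) <research@sourcefire.com>
[GNUPG:] VALIDSIG E34DB95B374B31570496CD3F609B024F2B3EDD07 2023-02-13 1676298482 0 4 0 1 2 00 E34DB95B374B31570496CD3F609B024F2B3EDD07'

# Running the file directly classifies the transcript from the issue: it prints
# "expired-key" and reports the non-zero status a build step would see.
printf '%s\n' "$ISSUE_TRANSCRIPT" | classify_gpg_status || echo "verification would fail with exit status $?"
```

Usage in a build step is `verify_download clamav-1.0.1.tar.gz`, which expects `clamav-1.0.1.tar.gz.sig` beside the tarball. Keying the decision on VALIDSIG and EXPKEYSIG rather than on the free-text "[expired]" note keeps the check stable across gpg locales and versions, and the distinct exit codes let the pipeline log whether it needs a refreshed key or a re-signed artifact.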

micahsnyder commented 1 year ago

@j-flat @amsnek I'm asking for guidance internally. The files were signed with the old GPG key before it expired, and we haven't re-signed stuff in the past after keys expired. But I'm not sure what is best practice. I have a feeling we need to upload new GPG sigs with the new key. I'll let you know what happens.

j-flat commented 1 year ago

Great to hear that you're on it @micahsnyder!

j-flat commented 1 year ago

Any updates on this one?

himanshukumar4642 commented 1 year ago

@micahsnyder we are also facing the same issues. Can you please provide any updates?

jdlinux commented 9 months ago

I know this is an old thread, but I was looking for answers myself, having the same errors when attempting to get a trusted signature showing. ClamAV does provide their public key, which I was able to use to verify the .deb download. I followed this site for some how-tos: https://www.linuxbabe.com/security/verify-pgp-signature-software-downloads-linux

https://www.clamav.net/downloads Scroll down to Trusted PGP Public Key.

Dayvy11 commented 1 month ago

At https://www.clamav.net/downloads, at the bottom of the site you have the Talos PGP Public Key. Copy it and, using Kleopatra, paste it into its notepad and import the notepad. After this is done you simply decrypt/check files by selecting the installation file (.deb, .rpm, etc). Just make sure the signature file is within the same folder/catalog.