I’ve been researching this on the net for days and reading the gpg manual. I can’t get it to work. https://www.clamav.net/
I downloaded the source code and the sig file:
clamav-0.101.1.tar.gz
clamav-0.101.1.tar.gz.sig
gpg --verify clamav-0.101.1.tar.gz.sig clamav-0.101.1.tar.gz
gpg: Signature made Thu 20 Dec 2018 08:21:21 AM PST
gpg: using RSA key F13F9E16BCA5BFAD
gpg: Can't check signature: No public key
I’ve tried various import key commands into the keyring. How do I verify the source without importing a key? What is the command needed?
If possible, please tell me the sha256 checksum. This I know how to do. I can’t find that information either.
gpg --verify clamav-0.101.1.tar.gz.sig clamav-0.101.1.tar.gz
gpg: Signature made Thu 20 Dec 2018 08:21:21 AM PST
gpg: using RSA key F13F9E16BCA5BFAD
gpg: Good signature from "Talos (Talos, Cisco Systems Inc.) <research@sourcefire.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 65ED 5139 93F0 8DA0 6F96 39A6 F13F 9E16 BCA5 BFAD
What is this? I have the file and the checksum (sig). The author’s key to the file’s key? I have no clue what you did. Please explain.
It seems to be what you did, rather than what I did.
You have checked the signature of the file. And, in turn, that depends on using a checksum. So you have also done a checksum check.
There’s one problem remaining. The signature is from Talos. But you have no idea who Talos is. For all you know, a hacker might be impersonating Talos and might have created that key to fool people like you. That’s the trust issue. There really isn’t any easy solution to that, other than to take what precautions you can. Use of a checksum file is no better, because a hacker could break into the site, set up a bogus clamav zip file and set up a bogus checksum file that would show the bogus clamav file to be correct.
I don’t use clamav. But here’s what I would do if I were using it.
(1) I would load the key into my keyring as you just did. And I would use that to check the file.
(2) I would monitor for news of any hacker breakin to the site.
(3) I would then just hope all is okay.
When you next do this, it will be easier. You will already have that key on your keyring. And you will already have some confidence that it’s a good key, because you did not run into problems on your first use. Basically you build your trust out of experience.
Using GnuPG you can easily verify the authenticity of your stable release downloads by using the following method: Download the Talos PGP public key from the VRT labs site. Import the key into your local public keyring:
$ gpg --import vrt.gpg
Download the stable release AND the corresponding .sig file to the same directory. Verify that the stable release download is signed with the Talos PGP public key:
$ gpg --verify clamav-X.XX.tar.gz.sig
Please note that the resulting output should look like the following:
gpg: Signature made Wed Jan 24 19:31:26 2018 EST
gpg: using RSA key F13F9E16BCA5BFAD
gpg: Good signature from “Talos (Talos, Cisco Systems Inc.) [email address]” [unknown]
For other PGP implementations, please refer to their manuals.
gpg --import vrt.gpg
gpg: can't open 'vrt.gpg': No such file or directory
gpg: Total number processed: 0
There’s more than one way to import a key. Using “gpg --recv-key” is often the easiest. But it does depend on the key being available on keyservers. And I did test that before I made the suggestion.
You click on the Talos key. It displays that key. How do I import that?
From the website, you download the key into a file. And then you can use:
gpg --import path-to-downloaded-file
If you try that, it will probably tell you that you already have that key.
The risk with getting it from the keyserver is that a hacker may have put a bogus key there. The risk of downloading from the web site is that a hacker may have broken in and put a bogus key there. Doing both, as a cross-check, is probably good but not guaranteed to be completely foolproof.
I deleted that key from the keyring, since it didn’t look to be valid. There is nothing on my keyring.
I can’t download that key. There is no direct download, only the sig file and source code. I tried copying the key into a text file. All these names won’t work: clamav clamav.txt clamav.asc clamav.key
gpg --import filename
gpg --recv-key filename
[Talos PGP Public Key](https://www.clamav.net/downloads#collapsePGP)
-----BEGIN PGP PUBLIC KEY BLOCK-----
It is not valid on a technicality – that you have not sworn to the software that you consider it to be valid.
There is nothing on my keyring.
That’s part of why the key was not valid. At some time, you should create your own key. And then you can use that to sign the clamav key – that will make it valid.
I tried copying the key into a text file.
That works.
So I copied (using copy/paste) into the file “xxx.pgp”.
And then I imported that, with:
% gpg --import xxx.pgp
gpg: key F13F9E16BCA5BFAD: "Talos (Talos, Cisco Systems Inc.) <research@sourcefire.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
I could have used any filename, as long as I used the same name in the “gpg --import” command.
As you can see, it tells me what key it found. But it says that it made no changes. That’s because I already had that key on my keyring from the “gpg --recv-key” that I used a few days ago.
That the downloaded key is the same key does provide some basis for trusting that it is the correct key and not a bogus key.
You need to have GnuPG installed before you can verify signatures. If you are using Mac OS X, you can install it from https://www.gpgtools.org/. If you are using Linux, then you probably already have GnuPG on your system, as most Linux distributions come with it preinstalled.
output:
#gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290
gpg: key 4E2C6E8793298290: 70 duplicate signatures removed
gpg: key 4E2C6E8793298290: 217 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 2 signatures reordered
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
#gpg --fingerprint 0x4E2C6E8793298290
pub rsa4096 2014-12-15 [C] [expires: 2020-08-24]
EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub rsa4096 2018-05-26 [S] [expires: 2020-09-12]
I followed the instructions and output is different. ??
gpg keys come in an encrypt and decrypt pair. When you sign a document, a checksum similar to a sha256 checksum is added to the document.
public key = encrypt code, private key = decrypt code
There is a steep learning curve for PGP/GPG. But it is worth the effort.
When I first started using it, I created several keys and then sent encrypted email to myself. After getting the hang of things, I deleted the keyring, and started over. It was a good way to learn.
If you are a “tor” user, then you really should learn how to use GPG.
As for your tests with the “tor” key, I am seeing similar output to what you get.
I think it is fine.
There were major changes to “gpg” over the last two years. They stopped using some older, less-secure hashes. The fingerprint is a hash. So the change in hash will change the fingerprint.
If I take the same key, and check its fingerprint on Leap 42.3 or on Ubuntu 16.04, I should get the old fingerprint, and I expect that will be the same as what the website shows. If I find time, I’ll try that later today. I still have one 42.3 system left that I can use for checking.
I have to create GPG keys to add a checksum to the file. How do I create a sig file using gpg? Similar to what I did to create a scanvirus checksum. Do I need to add an email address to create a sig file? And a pass phrase?
Signing a file produces a checksum – actually an encrypted checksum. That’s called a signature.
You will first need to create your own key, if you have not already done so. You don’t have to use an email address. You can just use a name (doesn’t have to be your real name). You should use a passphrase.
Once you have a key, then to sign a file you can use:
You can change “signature.asc” to any name you want. That’s where the signature will go. You can omit the “--armor” and you will then get a binary (unprintable) signature. I usually prefer a printable signature, which “--armor” does.
Anybody can check the file against the signature, as long as they have your public key. It requires the private key to be able to sign.
Here’s the sig I made. I then deleted the keys right after. Please check to see if you can verify this. I checked the file download to see if it matched my sha256 sig. It matches.
#gpg --verify scanvirus.asc
gpg: assuming signed data in 'scanvirus'
gpg: Signature made Fri 29 Mar 2019 01:42:20 PM PDT
gpg: using RSA key 0516EFA75BF3BA97DDD9D37776C5EE74901AF44A
gpg: Good signature from "Lord Valarian <ab340@mail.com>" [ultimate]
I had trouble deleting the keys. How do I delete both keys in one line?
So, I need a place to download both the keys (public and private key), the download, and the signature. You need two downloads to verify a file. Or, keys and file appended with the signature.
Do you mean both public and private key? I’m not sure if you can delete both in a single command.
This should delete both keys. It might delete just the public key only.
I’m pretty sure that only deletes the public key. However, checking the man page, I see that there is:
gpg --delete-secret-and-public-key key-id
There is a gpg and gpg2? GPG2 is mostly for servers.
OpenSUSE has been using “gpg2” for some time now. And “gpg” is just a symbolic link to “gpg2”. Ubuntu kept them separate, up through Ubuntu 16.04 (and maybe later). But Ubuntu 18.04 is now using “gpg2”. I think “gpg” (if not a link to “gpg2”) is no longer supported.
#gpg --gen-key
gpg: key 771EFCBA8330F2A7 marked as ultimately trusted
gpg: revocation certificate stored as '/home/username/.gnupg/openpgp-revocs.d/EE847A1AD5E6059EAC48CC80771EFCBA8330F2A7.rev'
public and secret key created and signed.
pub rsa2048 2019-04-02 [SC] [expires: 2021-04-01]
EE847A1AD5E6059EAC48CC80771EFCBA8330F2A7
uid Lord Valarian <scanvirusb6@mail.com>
sub rsa2048 2019-04-02 [E] [expires: 2021-04-01]
#gpg --armor --output scanvirus.asc --detach-sign scanvirus
#gpg --verify scanvirus.asc
gpg: assuming signed data in 'scanvirus'
gpg: Signature made Mon 01 Apr 2019 08:17:02 PM PDT
gpg: using RSA key EE847A1AD5E6059EAC48CC80771EFCBA8330F2A7
gpg: Good signature from "Lord Valarian <scanvirusb6@mail.com>" [ultimate]
These are the results a user should expect from a valid signature.
#gpg --armor --export scanvirusb6@mail.com > scanvirus.key
#gpg --delete-secret-key EE847A1AD5E6059EAC48CC80771EFCBA8330F2A7
#gpg --delete-key EE847A1AD5E6059EAC48CC80771EFCBA8330F2A7
#gpg --list-keys
#gpg --import scanvirus.key
gpg: key 771EFCBA8330F2A7: public key "Lord Valarian <scanvirusb6@mail.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
#gpg --verify scanvirus.asc
gpg: assuming signed data in 'scanvirus'
gpg: Signature made Mon 01 Apr 2019 08:17:02 PM PDT
gpg: using RSA key EE847A1AD5E6059EAC48CC80771EFCBA8330F2A7
gpg: Good signature from "Lord Valarian <scanvirusb6@mail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EE84 7A1A D5E6 059E AC48 CC80 771E FCBA 8330 F2A7
The output doesn’t match. Why? The problem looks similar to the original one.
The only important difference there is in the last 3 lines, with a warning that the signing key is not trusted.
Here’s the issue. I could create a new gpg key with your name and email address. But it would not be your key. It would be a bogus forged key.
When somebody is checking a signature, how can they tell that the signature was not made with a bogus forged key? The software cannot solve that problem. That’s something that the user has to resolve. When you decide that a key can be trusted (is not forged), then you will know that you can ignore that warning. Or you can yourself sign the key, and then the software will recognize that you trust it.
How you decide that you can trust a key is another difficult question. And that’s because it really isn’t a technical question; it’s a human relations question.
My own practice: I do not import a key into my main keyring unless I at least tentatively trust it. I have used alternative keyrings for keys that I have no reason to trust. If I strongly trust a key, I sign it. Usually I sign with only a local signature:
gpg --lsign-key keyname
A local signature is not normally included when you export a key to a file or upload it to a keyserver. For keys where I want people to see that I have signed the key, I use a normal signature instead of a local one.
If it will help, we could exchange keys via email.
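The whole cycle the thread walks through by hand (sign with your own key, export the public key, import it into a keyring that has never seen it, get "Good signature ... [unknown]" plus the WARNING, then make the warning go away by locally signing the key) as one runnable script. This is an added example, not code from any poster, from ClamAV or from GnuPG. It assumes GnuPG 2.x is installed, works in throwaway keyrings under a temp directory so the real ~/.gnupg is never touched, and reads gpg's machine-readable `--status-fd` lines rather than the human-readable text, because those lines are what the "[unknown]" / "[full]" and WARNING output is derived from. The `g` and `verify_trust` helper names, the keyring paths, the demo user ids and the sample file are all assumptions made for the demo; `--quick-lsign-key` is the batch form of the interactive `--lsign-key` used above. The script also verifies a tampered copy of the file, which is the checksum part of the story: one changed byte and the signature no longer matches.

```shell
#!/bin/sh
# Added example (not from the thread, ClamAV or GnuPG): sign -> export -> import
# -> verify -> lsign in throwaway keyrings. Requires GnuPG 2.x. Every name below
# (g, verify_trust, the demo user ids, the sample file) is an assumption for the demo.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate"; exit 0; }
gpg --version | head -n 1 | grep -q ' 2\.' || { echo "this demo needs GnuPG 2.x"; exit 0; }

WORK=$(mktemp -d)
SIGNER="$WORK/signer-home"       # keyring of whoever signs the release
VERIFIER="$WORK/verifier-home"   # keyring of the person checking the download
mkdir -m 700 "$SIGNER" "$VERIFIER"
cleanup() {
  # stop the agents gpg started for the temp keyrings, then remove everything
  for h in "$SIGNER" "$VERIFIER"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$WORK"
}
trap cleanup EXIT

# g <keyring> <gpg args...>: run gpg non-interactively against one keyring.
# The demo keys have no passphrase (a real signing key should have one).
g() {
  _home=$1; shift
  GNUPGHOME="$_home" gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null
}

# verify_trust <keyring> <sig> <file>: summarise gpg's --status-fd lines.
#   NO_PUBKEY               key not in this keyring ("Can't check signature: No public key")
#   BADSIG                  file does not match the signature (corrupt or tampered)
#   GOODSIG:TRUST_UNDEFINED good signature, key validity unknown ("[unknown]" + WARNING)
#   GOODSIG:TRUST_FULLY     good signature, key certified by one you trust (no WARNING)
verify_trust() {
  _st=$(g "$1" --status-fd 1 --verify "$2" "$3" || true)
  if printf '%s\n' "$_st" | grep -q '^\[GNUPG:\] NO_PUBKEY'; then echo NO_PUBKEY
  elif printf '%s\n' "$_st" | grep -q '^\[GNUPG:\] BADSIG'; then echo BADSIG
  elif printf '%s\n' "$_st" | grep -q '^\[GNUPG:\] GOODSIG'; then
    echo "GOODSIG:$(printf '%s\n' "$_st" | sed -n 's/^\[GNUPG:\] \(TRUST_[A-Z]*\).*/\1/p' | head -n 1)"
  else echo UNKNOWN
  fi
}

# 1. A constructed "release" file and a throwaway signing key.
RELEASE="$WORK/release.bin"
printf 'constructed sample release contents\n' > "$RELEASE"
g "$SIGNER" --quick-gen-key 'Demo Signer <signer@example.invalid>' rsa2048 sign never
SIGNER_FPR=$(g "$SIGNER" --with-colons --with-fingerprint --list-keys | awk -F: '$1=="fpr"{print $10; exit}')

# 2. Detached armored signature and exported public key (the thread's two commands).
g "$SIGNER" --armor --output "$RELEASE.asc" --detach-sign "$RELEASE"
g "$SIGNER" --armor --export signer@example.invalid > "$WORK/signer.key"

# 3. The verifier's keyring is empty: the "No public key" case from the first post.
BEFORE_IMPORT=$(verify_trust "$VERIFIER" "$RELEASE.asc" "$RELEASE")

# 4. Import the key: the signature checks out, but the key itself is [unknown].
g "$VERIFIER" --import "$WORK/signer.key"
AFTER_IMPORT=$(verify_trust "$VERIFIER" "$RELEASE.asc" "$RELEASE")

# 5. The verifier creates their own key, marks it ultimately trusted explicitly
#    (batch-generated keys are normally marked so already), and locally signs
#    the signer's key. Do this only after checking the fingerprint out of band.
g "$VERIFIER" --quick-gen-key 'Demo Verifier <verifier@example.invalid>' rsa2048 sign never
VERIFIER_FPR=$(g "$VERIFIER" --with-colons --with-fingerprint --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')
printf '%s:6:\n' "$VERIFIER_FPR" | g "$VERIFIER" --import-ownertrust
g "$VERIFIER" --quick-lsign-key "$SIGNER_FPR"
g "$VERIFIER" --check-trustdb
AFTER_LSIGN=$(verify_trust "$VERIFIER" "$RELEASE.asc" "$RELEASE")

# 6. The signature is also a checksum: one extra byte and it becomes BADSIG.
cp "$RELEASE" "$RELEASE.tampered"; printf 'x' >> "$RELEASE.tampered"
TAMPERED=$(verify_trust "$VERIFIER" "$RELEASE.asc" "$RELEASE.tampered")

printf 'before import: %s\nafter import:  %s\nafter lsign:   %s\ntampered file: %s\n' \
  "$BEFORE_IMPORT" "$AFTER_IMPORT" "$AFTER_LSIGN" "$TAMPERED"
```

Run it as `sh demo.sh`; it prints the four outcomes and cleans up after itself. The step that changes TRUST_UNDEFINED into TRUST_FULLY is a decision, not a computation: the local signature records that you checked the fingerprint (for a real download, against a source other than the site you fetched the file from), which is the trust question the replies above keep returning to.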