Update GnuPG verification instructions, and embed Talos GPG public key
micahsnyder committed Aug 12, 2024
1 parent fb5f938 commit 045fa6b
Showing 2 changed files with 39 additions and 18 deletions.
33 changes: 15 additions & 18 deletions src/faq/faq-upgrade.md
Expand Up @@ -61,28 +61,27 @@ Please refer to our [End-of-Life (EOL) policy](faq-eol.md).

### How do I verify the integrity of ClamAV sources?

Using [GnuPG] you can easily verify the authenticity of your stable release downloads by using the following method: Download the [Talos PGP public key] from the VRT labs site. Import the key into your local public keyring:

```bash
gpg --import vrt.gpg
```

Download the stable release AND the corresponding `.sig` file to the same directory. Verify that the stable release download is signed with the [Talos PGP public key]:

```bash
gpg --verify clamav-X.XX.tar.gz.sig
```

Please note that the resulting output should look like the following:

You can verify the authenticity of ClamAV release packages provided [on the ClamAV downloads page](https://www.clamav.net/downloads) using [GnuPG](http://www.gnupg.org/).

1. Install GnuPG.
2. Download the [Cisco Talos GPG public key](../manual/cisco-talos.gpg).
3. Import the key into your local public keyring:
```bash
gpg --import cisco-talos.gpg
```
4. Download the ClamAV package AND the corresponding `.sig` file to the same directory.
5. Verify that the stable release download is signed with the [Cisco Talos GPG public key]:
```bash
gpg --verify clamav-X.XX.tar.gz.sig
```

The resulting output should look something like this. The specific details will differ, as we rotate the GPG key every couple of years:
```bash
gpg: Signature made Wed Jan 24 19:31:26 2018 EST
gpg: using RSA key F13F9E16BCA5BFAD
gpg: Good signature from "Talos (Talos, Cisco Systems Inc.) [email address]" [unknown]
```

For other PGP implementation, please refer to their manual.

### Where can I get the latest release, beta, or release candidate of ClamAV?

Visit the [source download page].
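Review bot: step 5 uses the reference-style link `[Cisco Talos GPG public key]`, but no definition with that label exists in this file (the only definition present is for `[Talos PGP public key]`), so the rendered page will show the literal brackets; either write it as an inline link like step 2, `[Cisco Talos GPG public key](../manual/cisco-talos.gpg)`, or add a matching definition at the bottom of the file. Two smaller points on the new text: the sample output ends in `[unknown]` because `gpg --import` assigns the imported key no trust, so a "Good signature" line only shows that the tarball matches a key fetched over the same channel as the tarball; a step asking readers to compare the key's fingerprint (`gpg --fingerprint`) against a value published out of band would close that gap. And the commit message says the key is embedded, yet the `cisco-talos.gpg` file that step 2 links to is not among the two changed files listed for this commit, so the link will be broken unless the key is committed separately.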
Expand All @@ -92,8 +91,6 @@ Visit the [source download page].
ClamAV supports a wide variety of compilers, hardware and operating systems. Our core compiler is GCC with Linux on 32 and 64 bit Intel platforms, LLVM/Clang on macOS, and MSVC on Windows.


[GnuPG]: http://www.gnupg.org/
[sources]: https://github.com/Cisco-Talos/clamav
[pre-compiled packages]: http://www.clamav.net/download.html#otherversions
[Talos PGP public key]: http://www.clamav.net/downloads#collapsePGP
[source download page]: http://www.clamav.net/downloads
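Review bot: dropping the `[GnuPG]` and `[Talos PGP public key]` definitions is consistent with the body now linking GnuPG and the key inline, but step 5 in the hunk above still uses the reference form `[Cisco Talos GPG public key]`, which this file no longer defines anywhere; if step 5 keeps the reference style, add `[Cisco Talos GPG public key]: ../manual/cisco-talos.gpg` alongside the remaining definitions. Since the surrounding text was rewritten, it is also worth a quick check that `[sources]` and `[pre-compiled packages]` are still referenced somewhere in the file rather than left as orphaned definitions.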
24 changes: 24 additions & 0 deletions src/manual/Installing.md
Expand Up @@ -10,6 +10,7 @@
- [Windows](#windows)
- [Official ClamAV Docker Images](#official-clamav-docker-images)
- [Installing from Source](#installing-from-source)
- [Verifying ClamAV.net Downloads with GPG](#verifying-clamavnet-downloads-with-gpg)
- [What now?](#what-now)

## Installing with a Package Manager
Expand Down Expand Up @@ -120,6 +121,29 @@ If you need, you can also compile and install ClamAV from source:
- [Unix/Linux/Mac Instructions](Installing/Installing-from-source-Unix.md)
- [Windows Instructions](Installing/Installing-from-source-Windows.md)

## Verifying ClamAV.net Downloads with GPG

You can verify the authenticity of ClamAV release packages provided [on the ClamAV downloads page](https://www.clamav.net/downloads) using [GnuPG](http://www.gnupg.org/).

1. Install GnuPG.
2. Download the [Cisco Talos GPG public key](../manual/cisco-talos.gpg).
3. Import the key into your local public keyring:
```bash
gpg --import cisco-talos.gpg
```
4. Download the ClamAV package AND the corresponding `.sig` file to the same directory.
5. Verify that the stable release download is signed with the [Cisco Talos GPG public key]:
```bash
gpg --verify clamav-X.XX.tar.gz.sig
```

The resulting output should look something like this. The specific details will differ, as we rotate the GPG key every couple of years:
```bash
gpg: Signature made Wed Jan 24 19:31:26 2018 EST
gpg: using RSA key F13F9E16BCA5BFAD
gpg: Good signature from "Talos (Talos, Cisco Systems Inc.) [email address]" [unknown]
```

## What now?

Now that ClamAV is installed, you will want to customize your configuration and perhaps set up some scanning automation and alerting mechanisms.
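Review bot: the link in step 2, `../manual/cisco-talos.gpg`, is written relative to the FAQ directory and looks copied from `faq-upgrade.md`; from `src/manual/Installing.md` it only resolves by going up and back down into the same directory, so plain `cisco-talos.gpg` is the correct form here. Step 5 carries the same undefined reference link `[Cisco Talos GPG public key]` as the FAQ version and should be an inline link unless this file defines that label elsewhere. Finally, this section duplicates the FAQ text verbatim; keeping the procedure here and having the FAQ answer link to `#verifying-clamavnet-downloads-with-gpg` would stop the two copies drifting apart the next time the key is rotated and the sample output is refreshed.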