Validation of ClamAV by GnuPG


Abstract

In this chapter, we explain how to validate the ClamAV source archive with GnuPG and how to configure clamav-update to do so.

The weakness of clamav-update and how GnuPG helps

clamav-update automatically downloads a new version of the software and installs it, so an attacker could make it download a forged source archive, for example by feeding it false DNS information or by breaking into the download server. ClamAV is a virus scanner and phishing detector, so this uncertainty must be removed.

If you have installed GnuPG, you can validate the ClamAV archive. The ClamAV project distributes the source archive together with its signature file. You can check the archive against that signature and the public key file of the person who signed it.

Apart from downloading the public key file, validating ClamAV with GnuPG is routine work, so clamav-update can do it for you.

Preparation

You can get GnuPG from the GnuPG site. Binary packages released by vendors and third parties are also available. If you use Mac OS X, the "Mac GNU Privacy Guard" package is available. Of course, you can also install it from the source archive, either step by step or with clamav-update; we have released a configuration file for installing GnuPG. We assume that the GnuPG executable gpg is in /usr/local/bin/.

The original author (not the translator :-) ) installed a GnuPG 1.4.5 package on Mac OS X. This version is insecure: a vulnerability was found in it and the GnuPG project released 1.4.6. But the packager has never released 1.4.6, so the author installed it from source. As of 17 Feb 2007, they still have not released 1.4.6.

The ClamAV project puts the public key file for the clamav archive at http://www.clamav.net/gpg/tkojm.gpg . That page is linked from the question "How do I verify the integrity of ClamAV sources?" on the Support/FAQ page, and also from the same question on the FAQ of the ClamAV Wiki. Please download the public key. We assume that you save it as tkojm.gpg.

Next, import the public key tkojm.gpg into your keyring. The answer there says to execute the command below in a terminal:

gpg --import tkojm.gpg

But that does not work for clamav-update. If you do that, the public key is imported into .gnupg/ under YOUR home directory. Because only the root user can execute clamav-update, the key must be in .gnupg/ under root's home directory. So if you are a Mac OS X user, execute the command below instead of the previous one.

sudo -H /usr/local/bin/gpg --import tkojm.gpg

Tip: Instead of typing tkojm.gpg, drag and drop tkojm.gpg onto Terminal.app.

If you are not a Mac OS X user (in other words, in general), execute the commands below:

su -

and

gpg --import tkojm.gpg

Configuration

Addition

To validate the ClamAV source archive, put the source archive in the same directory as the signature file and execute the following command:

/usr/local/bin/gpg --verify signature_file

Then we need to add the following two actions to clamav-update.conf:

  1. download the signature file of the source archive into the same directory where the archive is placed.
  2. execute the command /usr/local/bin/gpg --verify signature_file.

These must be added to the phase definition function as commands. We recommend adding them to the download phase. So you have to add the following to the phase definition function.

# Check archive file
push @{$Phase{download}->{method}}, (
    # download signature file.
    [qw(curl --silent --location -o),
        "$Setting{option}->{dst}/$Setting{option}->{name}-$LatestVersion.$Setting{option}->{ext}.sig",
        "$Setting{option}->{src}/$Setting{option}->{name}-$LatestVersion.$Setting{option}->{ext}.sig",
    ],
    # Verify package file.
    [qw(/usr/local/bin/gpg --verify),
        "$Setting{option}->{dst}/$Setting{option}->{name}-$LatestVersion.$Setting{option}->{ext}.sig",
    ]
);
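The verify step above runs /usr/local/bin/gpg --verify directly and relies on its exit status. That exit status only says that some key in root's keyring made a good signature, not which key. The following wrapper is an added example, not code from clamav-update or from the ClamAV project: it runs gpg with machine-readable status output and accepts the archive only when gpg reports a VALIDSIG by a pinned fingerprint. The fingerprint value, the script name verify-clamav-archive.sh and the sample status lines are all constructed placeholders; the real fingerprint is the one shown by gpg --fingerprint for the imported tkojm.gpg key.

```shell
#!/bin/sh
# Added example, not part of clamav-update or ClamAV: a wrapper around
# "gpg --verify" that accepts a detached signature only when gpg reports a
# VALIDSIG made by a pinned key fingerprint.

# Placeholder (the page does not state the real fingerprint): replace with the
# fingerprint printed by "gpg --fingerprint" for the imported ClamAV key.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_gpg_status EXPECTED_FPR STATUS_TEXT
# STATUS_TEXT is the machine-readable output of "gpg --status-fd".
# Returns 0 if a VALIDSIG line names EXPECTED_FPR (as the signing key or, for
# a subkey signature, as the primary key in the last field), 2 on an explicit
# failure line, 1 otherwise (for example no signature was checked at all).
check_gpg_status() {
    expected="$1"
    status="$2"
    # "[[]" is a bracket expression matching a literal "[", portable across greps.
    if printf '%s\n' "$status" \
        | grep -qE '^[[]GNUPG:] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) '; then
        return 2
    fi
    printf '%s\n' "$status" \
        | grep -qE "^[[]GNUPG:] VALIDSIG ($expected |.* $expected\$)" || return 1
    return 0
}

# verify_archive SIGNATURE_FILE
# Runs gpg on the detached signature (the archive must sit beside it, as on
# the page) and feeds the status lines to check_gpg_status.
verify_archive() {
    sig="$1"
    # --status-fd 1 puts status lines on stdout; gpg's human output stays on stderr.
    status=$("${GPG:-/usr/local/bin/gpg}" --batch --status-fd 1 --verify "$sig" 2>/dev/null)
    check_gpg_status "$EXPECTED_FPR" "$status"
}

# Constructed sample status output for a good signature by the pinned key.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-02-17 1171670400 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Constructed sample for a tampered archive.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>'

# Constructed sample for a valid signature made by some other key.
SAMPLE_WRONG_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2007-02-17 1171670400 0 4 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# Stand-alone use: verify-clamav-archive.sh clamav-X.Y.tar.gz.sig
if [ -n "${1:-}" ]; then
    verify_archive "$1"
fi
```

To use it from clamav-update.conf, the second command in the push above would become [qw(/usr/local/bin/verify-clamav-archive.sh), "$Setting{option}->{dst}/...sig"] (an assumed install path); the wrapper exits non-zero for a bad signature and for a signature by any key other than the pinned one, which a signature from a stray key in root's keyring would otherwise pass.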

If you have customized the phase definition function, add this to your customized function. Below we explain in detail how to customize the phase definition function, for beginners who have never customized it.

Changing the phase definition function from the built-in one

If your clamav-update.conf contains the following line,

#$Setting{phase}->{specifier} = \&PhaseSpecifier4ClamAV4ClamXav;

or

$Setting{phase}->{specifier} = \&PhaseSpecifier4General;

the built-in function is used as the phase definition function.

These are customized as follows. Here we also add several commented-out parts that may be needed.

If you use PhaseSpecifier4ClamAV4ClamXav:

$Setting{phase}->{specifier} = sub {
    # use built-in specifier
    PhaseSpecifier4ClamAV4ClamXav();

    # If you use ClamAntiVirusDaemon, uncomment following lines.
    #push @{$Phase{install}->{method}}, (
    #   [qw(/Library/StartupItems/ClamAntiVirusDaemon/ClamAntiVirusDaemon restart)],
    #);

    # If you use FreshClamDaemon, uncomment following lines.
    #push @{$Phase{install}->{method}}, (
    #   [qw(/Library/StartupItems/FreshclamDaemon/FreshclamDaemon restart)]
    #);

    # other customization
    # Check archive file
    push @{$Phase{download}->{method}}, (
        # download signature file.
        [qw(curl --silent --location -o),
            "$Setting{option}->{dst}/$Setting{option}->{name}-$LatestVersion.$Setting{option}->{ext}.sig",
            "$Setting{option}->{src}/$Setting{option}->{name}-$LatestVersion.$Setting{option}->{ext}.sig",
        ],
        # Verify package file.
        [qw(/usr/local/bin/gpg --verify),
            "$Setting{option}->{dst}/$Setting{option}->{name}-$LatestVersion.$Setting{option}->{ext}.sig",
        ],
    );

    # return success
    1;
};
If you use PhaseSpecifier4General:

$Setting{phase}->{specifier} = sub {
    # use built-in specifier
    PhaseSpecifier4General();

    # If you use clamd, uncomment following lines.
    #push @{$Phase{install}->{method}}, (
    #   [qw(/etc/rc.d/init.d/clamd restart)],
    #);

    # If you use freshclam as a daemon, uncomment following lines.
    #push @{$Phase{install}->{method}}, (
    #   [qw(/etc/rc.d/init.d/freshclam restart)]
    #);

    # other customization
    # Check archive file
    push @{$Phase{download}->{method}}, (
        # download signature file.
        [qw(curl --silent --location -o),
            "$Setting{option}->{dst}/$Setting{option}->{name}-$LatestVersion.$Setting{option}->{ext}.sig",
            "$Setting{option}->{src}/$Setting{option}->{name}-$LatestVersion.$Setting{option}->{ext}.sig",
        ],
        # Verify package file.
        [qw(/usr/local/bin/gpg --verify),
            "$Setting{option}->{dst}/$Setting{option}->{name}-$LatestVersion.$Setting{option}->{ext}.sig",
        ],
    );

    # return success
    1;
};

Addition to a directly defined phase definition function

If your clamav-update.conf contains the following line:

$Setting{phase}->{specifier} = sub {

the phase definition function is defined directly. If you installed clamav-update with install.sh or install.command and have never customized any configuration file, the lines below it read:

    # other customization

    # return success
    1;
};

Insert the new commands right after the line "# other customization", so that those lines become:

    # other customization
    # Check archive file
    push @{$Phase{download}->{method}}, (
        # download signature file.
        [qw(curl --silent --location -o),
            "$Setting{option}->{dst}/$Setting{option}->{name}-$LatestVersion.$Setting{option}->{ext}.sig",
            "$Setting{option}->{src}/$Setting{option}->{name}-$LatestVersion.$Setting{option}->{ext}.sig",
        ],
        # Verify package file.
        [qw(/usr/local/bin/gpg --verify),
            "$Setting{option}->{dst}/$Setting{option}->{name}-$LatestVersion.$Setting{option}->{ext}.sig",
        ]
    );

    # return success
    1;
};

Now updating ClamAV with clamav-update has become considerably more secure. If you have also installed the GNU MP library described in chapter 3 of the FreshClamDaemon documents, it will be used to verify the authenticity of the virus database on your OS.