
Mailing List Archive: ClamAV: win32

Authentication of downloaded binary



henman at tech

Jun 16, 2007, 3:55 PM

Post #1 of 9 (1824 views)
Authentication of downloaded binary

I just downloaded "clamAV.msi" but could not find any way to verify its
authenticity from the website. Since this is a very sensitive program that goes
scanning important binaries, I need to authenticate it.

I expect there to be gpg signature files and SHA1 and MD5 sums available to aid in
verification but could find none.

Please advise me on how to authenticate the binary msi I downloaded.

regards,
d. henman
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32



henman at tech

Jun 16, 2007, 4:03 PM

Post #2 of 9 (1741 views)
Re: Authentication of downloaded binary [In reply to]

I didn't see this get into the archives and received mail from
"clamav-win32-bounces [at] lists"

Which makes me think it bounced. Why?

henman wrote:
> I just downloaded "clamAV.msi" but could not find any way to verify its
> authenticity from the website. Since this is a very sensitive program that goes
> scanning important binaries, I need to authenticate it.
>
> I expect there to be gpg signature files and SHA1 and MD5 sums available to aid in
> verification but could find none.
>
> Please advise me on how to authenticate the binary msi I downloaded.
>
> regards,
> d. henman

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32


henman at tech

Jun 17, 2007, 1:32 AM

Post #3 of 9 (1753 views)
Re: Authentication of downloaded binary [In reply to]

Sorry, I am new to the list and assumed that the archive was in new to
old order and not the reverse. I did search through once and didn't
catch my mail. And secondly the mail I received was from
"clamav-win32-bounces [at] list", and the "bounces" word has
significance in the e-mail world akin to mail that has "bounced" and not
been received.

Sorry for any duplicate transmissions. Still waiting for helpful
responses.

Regards

"clamav-win32-bounces [at] lists"

> I didn't see this get into the archives and received mail from
> "clamav-win32-bounces [at] lists"
>
> Which makes me think it bounced. Why?
>
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32


henman at tech

Jun 20, 2007, 12:13 AM

Post #4 of 9 (1730 views)
Re: Authentication of downloaded binary [In reply to]

There have been absolutely no responses to my question of how to
authenticate binaries downloaded from your site.

Do you not provide for positive identification for binaries with md5sum
or sha1sum or gpg signatures?

If not I ask why? Due to the critical nature of the software that you
open up as binaries, why don't you provide a way to authenticate it?

Regards
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32


michael.m.minor at gmail

Jun 20, 2007, 7:00 AM

Post #5 of 9 (1724 views)
Re: Authentication of downloaded binary [In reply to]

I agree this is important and could probably be automated as well, but
remember that this is free software developed on a volunteer basis so even
good ideas are not always implemented quickly.

On 6/20/07, henman <henman [at] tech> wrote:
>
> There have been absolutely no responses to my question of how to
> authenticate binaries downloaded from your site.
>
> Do you not provide for positive identification for binaries with md5sum
> or sha1sum or gpg signatures?
>
> If not I ask why? Due to the critical nature of the software that you
> open up as binaries, why don't you provide a way to authenticate it?
>
> Regards
> _______________________________________________
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32
>



--

Michael M. Minor
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32


jason at emeraldtechnologyinc

Jun 20, 2007, 4:43 PM

Post #6 of 9 (1722 views)
Re: Authentication of downloaded binary [In reply to]

>>Do you not provide for positive identification for binaries with md5sum
>>or sha1sum or gpg signatures?

It's pretty simple. If these are REQUIREMENTS for you, don't use the
system.

This is a user supported system (FREE). If you MUST have it then I am sure
you can get commercial providers to charge you and provide that service.




_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32


henman at tech

Jun 20, 2007, 11:09 PM

Post #7 of 9 (1721 views)
Re: Authentication of downloaded binary [In reply to]

From: "Jason S Short, Ph.D." <jason [at] emeraldtechnologyinc>

>>Do you not provide for positive identification for binaries with md5sum
>>or sha1sum or gpg signatures?

>It's pretty simple. If these are REQUIREMENTS for you, don't use the
>system.
>This is a user supported system (FREE). If you MUST have it then I am
>sure
>you can get commercial providers to charge you and provide that service.

Jason, all, uppercased FREE, software as you put it, that is worth its
salt provides for md5 or sha1 checksums at the least, and some provide gpg
signature files.

I would be glad to instruct you as to how to generate an md5 or sha1
checksum, but this is so trivial that "not" providing one detracts from
your honesty.

Most responsible "Free" software provides md5sums, sha1sums and a gpg
signature.

Such a lack of concern puts the validity of "clamav-win32" in serious
question.

Go ahead and visit any properly published code. They offer md5sums,
sha1sums and a signature.
Would it be so hard for you to honestly protect the code provided by the
developers, or have some devious person inflict users with bad code that
may ruin their system?

Seems to me that the little time required to provide a more secure
binary would be becoming to a program that "proclaims" to ferret out bad
programs.

Action and not excuses are called for.

Regards,
D.Henman
--- end of Jason's mail
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32


jason at emeraldtechnologyinc

Jun 21, 2007, 12:21 AM

Post #8 of 9 (1706 views)
Re: Authentication of downloaded binary [In reply to]

>> Jason, all ,uppercased FREE, software as you put it, that is worth
>> its salt, provides for md5 or sha1 checksums, at the least and some
>> provide gpg signature files.

I am a USER of the software, just like you. I have NOTHING to do with them
generating or not generating anything.

I am merely pointing out that your claim the software is not useable by you
because of this limitation is not true. It is your requirement, not the
rest of the world. I don't care if you use it or not. I am a user, have
been for a very long time. No problems. Support is great, product is
great, community is great.

If you have a requirement for something and this does not meet that
requirement. Move on.

>>I would be glad to instruct you as to how to generate an md5 or sha1
>>checksum, but this is so trivial that "not" providing one detracts from
>>your honesty.

Really? That makes me laugh. Detracts from honesty? Please, move on to
another project.

Jason Short, Ph.D. - Yes, my PhD is in computer science... I KNOW how to
generate md5 (useless) and sha1 checksums. They don't provide ANY security.
And don't bother to reply. If it does not meet your needs, MOVE ON.




_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32


bret.miller at wcg

Jun 21, 2007, 6:59 AM

Post #9 of 9 (1721 views)
Re: Authentication of downloaded binary [In reply to]

> Jason, all ,uppercased FREE, software as you put it, that is
> worth its salt, provides
> for md5 or sha1 checksums, at the least and some provide gpg
> signature files.

Just out of curiosity, if someone can hijack the download location so
that you get an infected version of this product, do you think they'll
be unable to provide MD5 or SHA1 checksums for it on a forged web page
as well? I'm really not sure how or why you think this increases
security. Especially since both the web page and the download are on the
same server.

GPG signing is a little better in that you obtain the key once and it
must remain consistent in order to pass the check. At least there, if
you get the correct public key to begin with, you can be somewhat sure
the code is legit as long as the signature verifies. Doing so using a
publicly verifiable cert would be even better...

Nevertheless, doing all this takes time. It's something Nigel could add
to his to-do list, but since he seems to struggle just keeping up with
releases, I rather doubt that it'll get done any time soon.

Note that the release cycle here does NOT match the main ClamAV project.
It is always built from the latest CVS code, not from a released
snapshot, so the versions don't match either. Honestly, I don't think
Nigel intends this as mission-critical software. Not that some of us
don't use it that way. So I can see why no effort has been made to
generate signatures.

That said, I can see your point too. Certainly, setting up GPG,
providing a public key and signatures for the downloads isn't all that
difficult and many other public projects do just that. I'm sure a simple
batch file could be created that would generate the GPG signature of a
file so that once set up, the effort would be minimal.

GPG is available for Windows. I use it here to verify SpamAssassin rule
updates. Even there, it's not required. But it was easy to set up, so I
did. A little extra security on stuff you depend on is always welcome.

Enough rambling for today...

Bret



_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32
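Bret's argument in the last post, worked through as an added example (this is not code from the thread or from the ClamAV project): a checksum published on the same server as the download is re-published by whoever hijacks that server, so the check passes on the trojaned file, whereas a signature checked against a key the user obtained once and pinned fails because the attacker never holds the maintainer's private key. Ed25519 from Go's standard library stands in for GPG so the example runs offline; the installer bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// ChecksumVerify models the same-server check: the client trusts whatever
// SHA1 appears next to the download link.
func ChecksumVerify(file []byte, published string) bool {
	sum := sha1.Sum(file)
	return hex.EncodeToString(sum[:]) == published
}

// SignatureVerify models the GPG-style check against a key obtained once and
// pinned locally; Ed25519 stands in for GPG so the example runs offline.
func SignatureVerify(pinned ed25519.PublicKey, file, sig []byte) bool {
	return ed25519.Verify(pinned, file, sig)
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// HijackScenario replays the thread's argument on constructed sample bytes (not
// a real installer): the attacker replaces file and page but never holds the
// maintainer's private key. Returns (genuineSigOK, forgedChecksumOK, forgedSigOK).
func HijackScenario() (bool, bool, bool) {
	genuine := []byte("clamAV.msi genuine bytes")
	trojaned := []byte("clamAV.msi trojaned bytes")
	maintPub, maintPriv := mustKey() // public half obtained once and pinned by the user
	_, attackerPriv := mustKey()     // attacker's own key, which nobody pinned
	genuineSig := ed25519.Sign(maintPriv, genuine)
	sum := sha1.Sum(trojaned) // attacker controls the page, so just republishes this
	forgedSig := ed25519.Sign(attackerPriv, trojaned)
	return SignatureVerify(maintPub, genuine, genuineSig),
		ChecksumVerify(trojaned, hex.EncodeToString(sum[:])),
		SignatureVerify(maintPub, trojaned, forgedSig)
}

func main() {
	fmt.Println(HijackScenario()) // true true false
}
```

The middle value is the point of Bret's post: the trojaned file passes the checksum because the attacker published the checksum too, while the last value shows the pinned-key check rejecting it.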
