If you run a setup other than the Greenbone Community Edition (GCE) or a commercial Greenbone product (GSM series), you have to take care of managing the digital signatures yourself.
This article provides the details on how to do this.
GCE and GSMs handle the digital signatures automatically, so you do not need to manage them on your own.
Digital signatures for software and content
Any content provided to users of the Greenbone Vulnerability Management solution, including the software modules themselves, is signed with a cryptographic key so that the integrity and validity of the content can be verified.
This ranges from website content served via HTTPS, through signed source code archives, up to the feed content executed by the OpenVAS Scanner. The latter matters most because the scanner runs with high privileges and, by permission, interacts heavily with the network. The test routines delivered by the daily update must therefore not be compromised on their way from our feed server to your running scanner.
Enabling Signature Checks in OpenVAS Scanner
The signature verification of the OpenVAS Scanner is activated by setting nasl_no_signature_check = no in
Whenever new Vulnerability Tests are loaded by the OpenVAS Scanner, all files are checked for integrity. If the checks succeed and a trustworthy signature is found, the individual files are considered trusted. Only fully trusted files are considered to be valid by the OpenVAS Scanner and thus loaded and executed.
The trustworthiness of a signature is determined by checking whether the signature was made with a cryptographic key that is trusted on the local system.
Preparation to set trust: create key
To express trust in the keys that signed NVTs (see “How to set trust” below) you need a signing key for your OpenVAS Scanner installation. You can use an existing key you already have, or you can generate a new one.
If you want to create a key for your OpenVAS Scanner installation, please follow the instructions below. They assume that your system configuration directory is located in /etc/openvas. If you are unsure which directory this refers to, use the openvassd -y command to display it.
Creating a Key
gpg --homedir=/etc/openvas/gnupg --gen-key
GnuPG will guide you through the key creation process by asking a number of questions about the key you wish to create. If you are unsure, it is safe to choose the default provided by GnuPG.
This needs to be done only once for an OpenVAS Scanner installation.
How to add a key
To add a key to the OpenVAS Scanner key-ring issue this command:
gpg --homedir=/etc/openvas/gnupg --import keyfile.asc
For example, to import the feed integrity key for the Greenbone Community Feed listed at the bottom of this page, download the key file and then import it with the following command:
gpg --homedir=/etc/openvas/gnupg --import GBCommunitySigningKey.asc
How to set trust
For the OpenVAS Scanner to trust a signature, the key used to create the signature has to be valid. A key that was just imported has unknown validity and is therefore not yet valid.
To mark a key as trusted for your purpose, you have to sign it. The recommended way is to use local signatures, which remain only in the key-ring of your OpenVAS Scanner installation.
To sign a key (certificate) you need to know its KEY_ID. You can get it from the table at the bottom of this page or by listing the key-ring with gpg's list-keys option.
For example, to express your trust in the Greenbone Community Feed integrity key you imported above, you could use the following command:
gpg --homedir=/etc/openvas/gnupg --lsign-key 0ED1E580
Before signing, make absolutely sure that you are signing the correct key, for example by comparing its fingerprint with one obtained through another channel.
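The following script is an added example, not Greenbone's own tooling: it replays the three steps above (create a scanner key, import the feed key, set trust with a local signature) in two throw-away GnuPG homedirs, and then shows what a verifier sees before trust is set, after it is set, and for a file that was altered in transit. It assumes GnuPG 2.1 or later (for --quick-lsign-key, the batch form of --lsign-key) and that NVT files carry a detached ASCII-armoured signature in a sibling .asc file, as the scanner's checks rely on; the key names, addresses and file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Greenbone's code). "$FEED" stands in for the feed provider
# that signs NVT files, "$SCANNER" for the scanner's own /etc/openvas/gnupg.
# Assumed: detached .asc signatures next to each .nasl file; constructed names.
set -eu

WORK=$(mktemp -d)
FEED="$WORK/feed"
SCANNER="$WORK/scanner"
mkdir -m 700 "$FEED" "$SCANNER"
trap 'gpgconf --homedir "$FEED" --kill gpg-agent >/dev/null 2>&1 || true; gpgconf --homedir "$SCANNER" --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# Generate an unprotected RSA key in batch mode ($1 homedir, $2 real name, $3 e-mail)
gen_key() {
  gpg --batch --quiet --homedir "$1" --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# Fingerprint of the first public key in a homedir (machine-readable colon output)
fingerprint_of() {
  gpg --batch --homedir "$1" --with-colons --list-keys 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Validity the scanner key-ring assigns to a key: "-" unknown, "f" full, "u" ultimate
validity_of() {
  gpg --batch --homedir "$SCANNER" --with-colons --list-keys "$1" 2>/dev/null \
    | awk -F: '$1 == "pub" { print $2; exit }'
}

# Verdict for detached signature $1 over file $2 from the scanner's point of view:
# "GOODSIG TRUST_..." for an intact file, "BADSIG" for a modified one.
verdict() {
  gpg --batch --homedir "$SCANNER" --status-fd 1 --verify "$1" "$2" 2>/dev/null \
    | awk '$2 == "GOODSIG" || $2 == "BADSIG" || $2 ~ /^TRUST_/ { w = w sep $2; sep = " " }
           END { print w }'
}

# 1. Feed side: key pair, a constructed NVT, and its detached signature
gen_key "$FEED" "Example Feed Signer" "feed@example.invalid"
FEED_FPR=$(fingerprint_of "$FEED")
printf 'display("example check");\n' > "$WORK/example.nasl"
gpg --batch --homedir "$FEED" --armor --detach-sign \
    --output "$WORK/example.nasl.asc" "$WORK/example.nasl" 2>/dev/null
gpg --batch --homedir "$FEED" --armor --export "$FEED_FPR" > "$WORK/FeedKey.asc"

# 2. Scanner side, as in "Creating a Key" and "How to add a key"
gen_key "$SCANNER" "Example Scanner Installation" "scanner@example.invalid"
gpg --batch --quiet --homedir "$SCANNER" --import "$WORK/FeedKey.asc" 2>/dev/null
VALIDITY_BEFORE=$(validity_of "$FEED_FPR")  # imported, but validity still unknown
VERDICT_BEFORE=$(verdict "$WORK/example.nasl.asc" "$WORK/example.nasl")

# 3. "How to set trust": a local signature made with the scanner's own key
gpg --batch --yes --homedir "$SCANNER" --quick-lsign-key "$FEED_FPR" 2>/dev/null
gpg --batch --homedir "$SCANNER" --check-trustdb 2>/dev/null
VALIDITY_AFTER=$(validity_of "$FEED_FPR")   # full validity via the ultimately trusted scanner key
VERDICT_AFTER=$(verdict "$WORK/example.nasl.asc" "$WORK/example.nasl")

# 4. A file altered after signing fails regardless of how much the key is trusted
printf 'display("tampered");\n' > "$WORK/tampered.nasl"
VERDICT_TAMPERED=$(verdict "$WORK/example.nasl.asc" "$WORK/tampered.nasl")

printf 'before trust: validity=%s %s\nafter trust:  validity=%s %s\ntampered:     %s\n' \
  "$VALIDITY_BEFORE" "$VERDICT_BEFORE" "$VALIDITY_AFTER" "$VERDICT_AFTER" "$VERDICT_TAMPERED"
```

The point to take from the output is the difference between the first two lines: an intact signature is reported as good in both cases, but only after the local signature does GnuPG report the signing key as fully trusted, which is the condition the scanner requires before it loads a file. The tampered file yields a bad signature whatever the trust state.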
Overview on existing keys
| Validity period | Key name | KEY_ID | File | Owner | Purpose |
|---|---|---|---|---|---|
| Used until November 30th, 2018 | OpenVAS: Transfer Integrity | 48DB4530 | OpenVAS_TI.asc | Greenbone Networks | This key is used to sign files provided by Greenbone Networks to the community. A valid signature means that the file has not been modified on the way between the distribution point and your installation. The presence of a signature does NOT MEAN ANY JUDGEMENT of the file itself. It only helps to verify integrity after transfer. Files are provided WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the license provided with the files for more details. |
| Use starting December 1st, 2018 | Greenbone Community Feed integrity key | 0ED1E580 | GBCommunitySigningKey.asc | Greenbone Networks | This key is used to sign files provided by Greenbone Networks to the community. A valid signature means that the file has not been modified on the way between the distribution point and your installation. The presence of a signature does NOT MEAN ANY JUDGEMENT of the file itself. It only helps to verify integrity after transfer. Files are provided WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the license provided with the files for more details. |