GCF: Managing the digital signatures


#1

In case you have a setup other than a Greenbone Community Edition (GCE) or commercial Greenbone product (GSM series), you have to take care about managing the digital signatures.
This article provides the details on how to do this.

GCE and GSMs handle the digital signatures automatically and you do not need to manage it on your own.

Digital signatures for software and content

Any content provided to users of the Greenbone Vulnerability Management solution, including the software modules themselves, are signed with a cryptographic key to allow verification of integrity and validity of the content.

This ranges from website content available via HTTPS, over signed source code archives up-to the feed content being executed by the OpenVAS Scanner. The latter is relevant because the scanner runs with high privileges and heavily accesses the network with permission. Obviously the executed test routines from the daily update should better not be compromised on their way from our feed server to your running scanner.

Enabling Signature Checks in OpenVAS Scanner

The signature verification of the OpenVAS Scanner is activated by setting nasl_no_signature_check = no in /etc/openvas/openvassd.conf.

Whenever new Vulnerability Tests are loaded by the OpenVAS Scanner, all files are checked for integrity. If the checks succeed and a trustworthy signature is found, the individual files are considered trusted. Only fully trusted files are considered to be valid by the OpenVAS Scanner and thus loaded and executed.

Trustworthiness of a signature is determined by checking whether the signature was made with cryptographic key which is trusted on the local system.

Preparation to set trust: create key

To express trust to keys that signed NVTs (see “How to set trust” below) you need a signing key for your OpenVAS Scanner installation. You can use an existing key you already have, or you can generate a new one.

If you want to create a key for your OpenVAS Scanner installation, please follow the instructions below. The instructions below assume that your system configuration directory is located in /etc/openvas. If you are unsure which directory this refers to, use the openvassd -y command to display it.

Creating a Key

gpg --homedir=/etc/openvas/gnupg --gen-key

GnuPG will guide you through the key creation process by asking a number of questions about the key you wish to create. If you are unsure, it is safe to choose the default provided by GnuPG.

This needs to be done only once for a OpenVAS Scanner installation.

How to add a key

To add a key to the OpenVAS Scanner key-ring issue this command:

gpg --homedir=/etc/openvas/gnupg --import keyfile.asc

For example, if you wanted to import the Feed integrity key for the Greenbone Community Feed provided at the bottom of this page, you could download and import it using the following two commands:

wget https://www.greenbone.net/GBCommunitySigningKey.asc
gpg --homedir=/etc/openvas/gnupg --import GBCommunitySigningKey.asc

How to set trust

For OpenVAS Scanner to trust a signature, the key used to create the signature has to be valid. A key that was just imported has unknown validity and thus is not valid.

To mark a key as trusted for your purpose, you have to sign it. The recommended way is to use local signatures that remain only in the key-ring of your OpenVAS Scanner installation.

To finally sign a certificate you need to know its KEY_ID. You either get it from the table at the bottom or via a “list-keys” parameter.

For example, to express your trust in the Greenbone Community Feed integrity key you imported above, you could use the following command:

gpg --homedir=/etc/openvas/gnupg --lsign-key 0ED1E580

Before signing you should be absolutely sure that you are signing the correct key. You may use its fingerprint and other methods to convince yourself.

Overview on existing keys

Key Name ID Download Owner(s) Description
Used until November 30th, 2018
OpenVAS: Transfer Integrity 48DB4530 OpenVAS_TI.asc Greenbone Networks This key is used to sign files provided by Greenbone Networks to the community. A valid signature means that the file has not been modified on the way between the distribution point and your installation. The presence of a signature does NOT MEAN ANY JUDGEMENT of the file itself. It only helps to verify integrity after transfer. Files are provided WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the license provided with the files for more details.
Use starting December 1st, 2018
Greenbone Community Feed integrity key 0ED1E580 GBCommunitySigningKey.asc Greenbone Networks This key is used to sign files provided by Greenbone Networks to the community. A valid signature means that the file has not been modified on the way between the distribution point and your installation. The presence of a signature does NOT MEAN ANY JUDGEMENT of the file itself. It only helps to verify integrity after transfer. Files are provided WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the license provided with the files for more details.