Signing sha256sums

While using Openvas-9, I have found that we can add hashes of any new or modified scripts into sha256sums and sign it. I wanted to know if there is any way of separating custom scripts and existing scripts while hashing or signing sha256sums.

For example, can we sign the hashes of custom scripts with one key and the rest of them with another?

Signing of .nasl files is not related to the .nasl scripts themselves (which the Vulnerability Tests category is about) but is a functionality within the scanner, so I have moved this thread to the correct category for now.

To get an answer to your question you could have a look at the following tag https://community.greenbone.net/tags/signature or do a search like e.g. https://community.greenbone.net/search?q=signature to see if some of the existing threads about this topic are giving you an answer.


Hello, I didn’t get any response until now after changing the category. Should I post the same problem again?

Actually, I’m not quite sure what you intend to do.

The sha256sums file contains the sha256sum of each VT. This sha256sums file is signed with the GBCommunitySigningKey.asc.

If you modify the sha256sums file, the signature file does not match, so no validation is possible leading the scanner to refuse to load the VTs.

Easiest way to get own or modified scripts to work is to enable “nasl_no_signature_check” in the scanner configuration.
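The two checks described in the reply above (a detached GnuPG signature over the sha256sums file, and the per-file hashes inside it) can be exercised end to end with the small script below. It is an added example, not Greenbone's or the poster's code: the plugin directory, the two .nasl stubs and the throwaway signing key are all constructed here, and the key UID is an arbitrary choice. It shows that editing a listed script without updating the manifest fails the hash check, while appending a custom script's hash to sha256sums keeps the hash check green but breaks the signature, which is exactly why a hand-edited manifest makes the scanner refuse the feed unless the check is disabled.

```shell
#!/bin/sh
# Added example (not Greenbone code): build, sign and verify a sha256sums
# manifest for a directory of .nasl files, then show which change breaks which
# check. Paths, key UID and the demo scripts are all constructed for this demo.
set -eu

# build_manifest DIR: (re)generate DIR/sha256sums, one "<hash>  <path>" line
# per .nasl file, paths relative to DIR and sorted so the file is reproducible.
build_manifest() {
    ( cd "$1" && find . -name '*.nasl' | sed 's|^\./||' | LC_ALL=C sort \
        | xargs sha256sum ) > "$1/sha256sums"
}

# check_manifest DIR: 0 when every listed file still hashes to its manifest
# entry, non-zero when any listed file was modified or removed.
check_manifest() {
    ( cd "$1" && sha256sum --check --quiet --strict sha256sums ) >/dev/null 2>&1
}

# GnuPG wrappers. GNUPGHOME points at a keyring holding the signing key; the
# demo creates a throwaway one. DEMO_KEY_UID is an arbitrary constructed name.
DEMO_KEY_UID="sha256sums demo <demo@example.invalid>"

setup_demo_key() {               # setup_demo_key DIR: throwaway keyring in DIR/gnupg
    export GNUPGHOME="$1/gnupg"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$DEMO_KEY_UID" default default never >/dev/null 2>&1
}
sign_manifest() {                # detached ASCII-armoured signature, sha256sums.asc
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$DEMO_KEY_UID" --detach-sign --armor \
        --output "$1/sha256sums.asc" "$1/sha256sums" 2>/dev/null
}
verify_manifest() {              # 0 only if sha256sums is byte-for-byte what was signed
    gpg --batch --verify "$1/sha256sums.asc" "$1/sha256sums" >/dev/null 2>&1
}

# Constructed plugin tree: one "feed" script now, one custom script added later.
make_demo_plugins() {
    mkdir -p "$1/plugins/custom"
    printf 'script_name("feed check");\n' > "$1/plugins/feed_check.nasl"
}
add_custom_script() {            # what the thread describes: append the hash by hand
    printf 'script_name("custom check");\n' > "$1/plugins/custom/my_check.nasl"
    ( cd "$1/plugins" && sha256sum custom/my_check.nasl ) >> "$1/plugins/sha256sums"
}

main() {
    work=$(mktemp -d)
    make_demo_plugins "$work"
    build_manifest "$work/plugins"
    check_manifest "$work/plugins" && echo "hash check: ok"
    if setup_demo_key "$work"; then
        sign_manifest "$work/plugins"
        verify_manifest "$work/plugins" && echo "signature: ok"
        add_custom_script "$work"
        check_manifest "$work/plugins" && echo "hash check after custom add: ok"
        verify_manifest "$work/plugins" || echo "signature after custom add: FAIL (manifest changed)"
    else
        echo "gpg unavailable; skipping signature part"
    fi
    rm -rf "$work"
}
main
```

Run it as `sh demo.sh`; it needs coreutils `sha256sum` and, for the signature half, a GnuPG 2.1 or newer that accepts `--quick-gen-key`, otherwise that half is skipped. The order of checks mirrors the problem in the thread: after every feed update the manifest is regenerated and re-signed upstream, so any locally appended line must be re-signed locally too, or the signature check can no longer pass.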

I have the same kind of use case which I’m struggling to understand how to accomplish.

I want to have signature checking enabled, all the time.

At the same time we are making a few of our own tests against our software to scan for in OV9.

In OV8 we could have multiple signing keys, as we could use the Community signing key to validate the community feed tests, and then sign our own tests with our own key.
Each test had its own .asc, hence this use case worked for us.

But in OV9 we can't figure out how to accomplish this.
As we have our custom tests, we would need to re-sign the sha256sums file after every community update, just to have our own tests in the feed AND have signature checking enabled.

Isn’t there a way to support custom tests AND the community feed tests, while having signature checking enabled AND using the community key + our own key?

Any ideas on how to solve this?