Fixed verification issues and added test sign files

clamd/clamd.c

@@ -160,6 +160,8 @@ int main(int argc, char **argv)
     pid_t mainpid         = 0;
     mode_t old_umask      = 0;
     const char *user_name = NULL;
+    char *cvdcertsdir        = NULL;
+    STATBUF statbuf;
 
     if (check_flevel())
         exit(1);
@@ -577,20 +579,32 @@ int main(int argc, char **argv)
             }
         }
 
-        if ((opt = optget(opts, "certsdir"))->enabled) {
-            if ((ret = cl_engine_set_str(engine, CL_ENGINE_CERTSDIR, opt->strarg))) {
-                logg(LOGG_ERROR, "cli_engine_set_str(CL_ENGINE_CERTSDIR) failed: %s\n", cl_strerror(ret));
-                ret = 1;
-                break;
-            }
-        } else {
-            if ((ret = cl_engine_set_str(engine, CL_ENGINE_CERTSDIR, CERTSDIR))) {
-                logg(LOGG_ERROR, "cli_engine_set_str(CL_ENGINE_CERTSDIR) failed: %s\n", cl_strerror(ret));
-                ret = 1;
-                break;
+        cvdcertsdir = optget(opts, "cvdcertsdir")->strarg;
+        if (NULL == cvdcertsdir) {
+            // Check if the CVD_CERTS_DIR environment variable is set
+            cvdcertsdir = getenv("CVD_CERTS_DIR");
+
+            // If not, use the default value
+            if (NULL == cvdcertsdir) {
+                cvdcertsdir = CERTSDIR;
             }
         }
 
+        if (LSTAT(cvdcertsdir, &statbuf) == -1) {
+            logg(LOGG_ERROR,
+                "ClamAV CA certificates directory is missing: %s\n"
+                "It should have been provided as a part of installation.",
+                cvdcertsdir);
+            ret = 1;
+            break;
+        }
+
+        if ((ret = cl_engine_set_str(engine, CL_ENGINE_CERTSDIR, cvdcertsdir))) {
+            logg(LOGG_ERROR, "cli_engine_set_str(CL_ENGINE_CERTSDIR) failed: %s\n", cl_strerror(ret));
+            ret = 1;
+            break;
+        }
+
         cl_engine_set_clcb_hash(engine, hash_callback);
 
         cl_engine_set_clcb_virus_found(engine, clamd_virus_found_cb);

clamscan/clamscan.c

@@ -342,6 +342,10 @@ void help(void)
     mprintf(LOGG_INFO, "    --pcre-recmatch-limit=#n             Maximum recursive calls to the PCRE match function.\n");
     mprintf(LOGG_INFO, "    --pcre-max-filesize=#n               Maximum size file to perform PCRE subsig matching.\n");
     mprintf(LOGG_INFO, "    --disable-cache                      Disable caching and cache checks for hash sums of scanned files.\n");
+    mprintf(LOGG_INFO, "    --cvdcertsdir=DIRECTORY              Specify a directory containing the root\n");
+    mprintf(LOGG_INFO, "                                         CA cert needed to verify detached CVD digital signatures.\n");
+    mprintf(LOGG_INFO, "                                         If not provided, then clamscan will look in:\n");
+    mprintf(LOGG_INFO, "                                         " CERTSDIR "\n");
     mprintf(LOGG_INFO, "\n");
     mprintf(LOGG_INFO, "Pass in - as the filename for stdin.\n");
     mprintf(LOGG_INFO, "\n");

clamscan/manager.c

@@ -1051,6 +1051,9 @@ int scanmanager(const struct optstruct *opts)
     struct engine_free_progress engine_free_progress_ctx = {0};
 #endif
 
+    char *cvdcertsdir = NULL;
+    STATBUF statbuf;
+
     /* Initialize scan options struct */
     memset(&options, 0, sizeof(struct cl_scan_options));
 
@@ -1249,20 +1252,32 @@ int scanmanager(const struct optstruct *opts)
         }
     }
 
-    if ((opt = optget(opts, "certsdir"))->enabled) {
-        if ((ret = cl_engine_set_str(engine, CL_ENGINE_CERTSDIR, opt->strarg))) {
-            logg(LOGG_ERROR, "cli_engine_set_str(CL_ENGINE_CERTSDIR) failed: %s\n", cl_strerror(ret));
+    cvdcertsdir = optget(opts, "cvdcertsdir")->strarg;
+    if (NULL == cvdcertsdir) {
+        // Check if the CVD_CERTS_DIR environment variable is set
+        cvdcertsdir = getenv("CVD_CERTS_DIR");
 
-            ret = 2;
-            goto done;
+        // If not, use the default value
+        if (NULL == cvdcertsdir) {
+            cvdcertsdir = CERTSDIR;
         }
-    } else {
-        if ((ret = cl_engine_set_str(engine, CL_ENGINE_CERTSDIR, CERTSDIR))) {
-            logg(LOGG_ERROR, "cli_engine_set_str(CL_ENGINE_CERTSDIR) failed: %s\n", cl_strerror(ret));
+    }
 
-            ret = 2;
-            goto done;
-        }
+    if (LSTAT(cvdcertsdir, &statbuf) == -1) {
+        logg(LOGG_ERROR,
+             "ClamAV CA certificates directory is missing: %s\n"
+             "It should have been provided as a part of installation.",
+             cvdcertsdir);
+
+        ret = 2;
+        goto done;
+    }
+
+    if ((ret = cl_engine_set_str(engine, CL_ENGINE_CERTSDIR, cvdcertsdir))) {
+        logg(LOGG_ERROR, "cli_engine_set_str(CL_ENGINE_CERTSDIR) failed: %s\n", cl_strerror(ret));
+
+        ret = 2;
+        goto done;
     }
 
     if ((opt = optget(opts, "database"))->active) {

common/optparser.c

@@ -286,7 +286,7 @@ const struct clam_option __clam_options[] = {
 
     {"DatabaseDirectory", "datadir", 0, CLOPT_TYPE_STRING, NULL, -1, CONST_DATADIR, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_SIGTOOL, "This option allows you to change the default database directory.\nIf you enable it, please make sure it points to the same directory in\nboth clamd and freshclam.", "/var/lib/clamav"},
 
-    {"CVDCertsDirectory", "certsdir", 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_SIGTOOL, "This option allows you to change the default ClamAV CA certificates directory used to verify database external digital signatures.\nIf you enable it, please make sure it points to the same directory in\nboth clamd and freshclam.", "/etc/clamav/certs"},
+    {"CVDCertsDirectory", "cvdcertsdir", 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_FRESHCLAM | OPT_SIGTOOL, "This option allows you to change the default ClamAV CA certificates directory used to verify database external digital signatures.\nIf you enable it, please make sure it points to the same directory in\nboth clamd and freshclam.", "/etc/clamav/certs"},
 
     {"OfficialDatabaseOnly", "official-db-only", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Only load the official signatures published by the ClamAV project.", "no"},
 

etc/CMakeLists.txt

@@ -24,3 +24,17 @@ if(ENABLE_MILTER)
             ${APP_CONFIG_DIRECTORY}
         COMPONENT programs)
 endif()
+
+#
+# clamav certs directory and root CA cert
+#
+
+# Create the certs directory. This is where the root CA cert will be installed.
+# Then copy the root CA cert to the certs directory.
+install(DIRECTORY DESTINATION ${CERTS_DIRECTORY} COMPONENT programs)
+install(
+    FILES
+        ${CMAKE_CURRENT_SOURCE_DIR}/certs/ca.crt
+    DESTINATION
+        ${CERTS_DIRECTORY}
+    COMPONENT programs)

etc/certs/ca.crt

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFTzCCAzcCFG9bzRiWhD7GrtKN5++v9AZJaJ0sMA0GCSqGSIb3DQEBCwUAMGQx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNRDEPMA0GA1UEBwwGTGF1cmVsMQ4wDAYD
+VQQKDAVDaXNjbzEOMAwGA1UECwwFVGFsb3MxFzAVBgNVBAMMDkNsYW1BViBSb290
+IENBMB4XDTI0MTAyNDE3MjcyNVoXDTI2MTAyNDE3MjcyNVowZDELMAkGA1UEBhMC
+VVMxCzAJBgNVBAgMAk1EMQ8wDQYDVQQHDAZMYXVyZWwxDjAMBgNVBAoMBUNpc2Nv
+MQ4wDAYDVQQLDAVUYWxvczEXMBUGA1UEAwwOQ2xhbUFWIFJvb3QgQ0EwggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDNp2WpxPv42Of3yiFUA8Bq6OiPDtjO
+bBfPcffqcx1rtsjlgsyXPLr709+ktjdPOrlOAmkuZXUnWeQ6VMltxfUiz0uzMOpV
+WR8tEQSaGLR4CBdEe8srnojB7Uwx0x8BEWzROUBBlXdDJjTteEomLduXYaRxoXc3
+S0qxIFx4jL4lfgj1uA8GCdT7oLdWK1gmmc6yijmZyLygh02b660vz8t8pTFp6dWC
+zktl4IpnYenktF5mtldfORtdJsBK6dqFhDNTRDzM8VO0nqvVItPs/keCPVCx6+xe
+9OI9pDx62NX3LZJX99CJR2Rt1IxIyo46SEBtUJudhMhDJm7xSis9Myu7almGBzpd
+YbISdU+riMlgifKAEwWhOJ3eCCqycWA2uw3m0rOAMP775A2tc9FQ56ZhhJNQf5Pc
+iZYE+Q2fjGiRDHqYzGF8Gr4YQIdDEkYLLVeq6Xkrb1QIgbzKn6PvrK1QrEgH1Ha+
+Qfpp6tkbu3CxfSnPJjTuL/cRw9jipnrcwesrMpeFS22htNgXm4wUAs8UHhnUNfry
+QYan0ver6UDrhlmRn8QN4Wikhp1aZjKE7cAKztIVyZ2H1oWh7cuFCWMOBQ7BkI1a
+UL6LYeI0VUrmDmAF7/tlIR62dDqPCJWfzHVfODAJR+I9NPxOSZmaJ5XVMbUh20vM
+SsEOasY2nqLbKQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQBkLEmFkTt+WX4nUIrY
+9uu8vDt5fLC9G/LdNRkgOoeYhSBrktokjuH+Cj1RJ4LqkzXbfpcWkXFh+VidnDi7
+RpuH9I5bQscdxYgZbqHTIDD61uAqWWre/O5r3tqw8v5Lf/qPZ+8YfQSWHI0s11EF
+qtNxMxYOshAna1nLHbqAyS8PpBw4Ia2EKjbf9uPch08jR5GS8CQ4FnTJvOysolZO
+/YtRpD2ueu5hIarBT9mvlxX59fhSvxARJ7vaG0UrS6w1Ou7lUej5Ww/CKWWfGCAl
+Yf2+BmQyM1ir6zXMuRbFwFzKSPxSMDtcTtmS+EugPtm6B0imz3OoDCm6GGNJ5LoE
+xY07cbdDxcE8RSZeQhCQSzBUjgkO8nWiZ9okfP9lOiSCjzp25ymvvdqHHRjdjQZc
+QafLdQjEWPGFV+XzHEjy5Tx5IWo8vu4G9Xp+x2jK5iR5dXwvuKV7r8jkc9WTDfgT
+A0xd9GGK3/c2XQLTNGFaJhhbYfGs8Hptdt+69cABcMib0wHBQGKPjPJ7cCFssVmZ
+FhuZRgsoqkCoDGTkcxkALlHEnjlJV58yHW71JA0XUX3sQOOHAefzTM+Zig0ip6yL
+qEHRtMbqcYAb8QKzRh7OoVgENrZgtKPbM/RmmXyxCDaj4p8yGsT2wVgekTYgZgs/
+571h1ecLkL4h0vaq5BtDjW/Drg==
+-----END CERTIFICATE-----

freshclam/freshclam.c

@@ -815,7 +815,16 @@ static fc_error_t initialize(struct optstruct *opts)
      * Verify that the clamav ca certificates directory exists.
      * Create certs directory if missing.
      */
-    fcConfig.certsDirectory = optget(opts, "certsdir")->strarg;
+    fcConfig.certsDirectory = optget(opts, "cvdcertsdir")->strarg;
+    if (NULL == fcConfig.certsDirectory) {
+        // Check if the CVD_CERTS_DIR environment variable is set
+        fcConfig.certsDirectory = getenv("CVD_CERTS_DIR");
+
+        // If not, use the default value
+        if (NULL == fcConfig.certsDirectory) {
+            fcConfig.certsDirectory = CERTSDIR;
+        }
+    }
 
     if (LSTAT(fcConfig.certsDirectory, &statbuf) == -1) {
         logg(LOGG_ERROR,