
The Signature Verification Process

Signature verification in OpenVAS is enabled with the "nasl_no_signature_check = no" directive in the OpenVAS-Server configuration file (see section *).

At start-up the OpenVAS daemon (openvasd) verifies all signatures. In this mode, only fully verified files are trusted by the server, and only those are loaded and made available to the OpenVAS client.

The trust check uses a dedicated list of certificates maintained for the OpenVAS server: a standard GnuPG keyring, located by default in /etc/openvas/gnupg.

When OpenVAS verifies a file, it checks every signature in that file's signature file. All signatures must be valid, i.e. all of the following criteria must be fulfilled for every signature of a particular file:

If any of the signatures does not meet all of these criteria, the file is considered untrustworthy and will not be executed. If all signatures meet the criteria, the script is trusted and may execute all functions. If no signature file exists at all, the file is likewise considered untrustworthy and the script is not executed.

Again, please note the difference from Nessus: Nessus distinguished three levels of signature status: no signature, a bad signature and a good signature. Plugins with no signature were still executed, but in a "restricted" mode in which functions regarded as critical could not be called. OpenVAS explicitly distinguishes only between fully trusted and untrusted files.
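The all-or-nothing trust decision described above, and its contrast with the three-level Nessus model, as an added example that is not part of the OpenVAS code or this manual. It assumes the verification is done with GnuPG against the keyring in /etc/openvas/gnupg and takes GnuPG's per-signature status keywords as the validity criteria, since the manual's own criteria list is not reproduced here; the status output in the sample is constructed.

```python
import subprocess
from typing import List

# One of these status keywords is emitted for every signature GnuPG examines.
# Assumption: only GOODSIG counts as valid, because the manual's own list of
# criteria is not reproduced on this page.
SIGNATURE_OUTCOMES = {
    "GOODSIG": True,
    "BADSIG": False,     # signature does not match the file contents
    "ERRSIG": False,     # could not be checked, e.g. signing key not in the keyring
    "EXPKEYSIG": False,  # signing key has expired
    "REVKEYSIG": False,  # signing key was revoked
}

def signature_results(status_text: str) -> List[bool]:
    """Map gpg --status-fd output to one True/False per signature in the file."""
    results = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "[GNUPG:]" and fields[1] in SIGNATURE_OUTCOMES:
            results.append(SIGNATURE_OUTCOMES[fields[1]])
    return results

def openvas_trusted(signature_file_exists: bool, results: List[bool]) -> bool:
    """OpenVAS policy: trusted only if a signature file exists and every signature is valid."""
    return signature_file_exists and len(results) > 0 and all(results)

def nessus_level(signature_file_exists: bool, results: List[bool]) -> str:
    """Nessus policy, for comparison: a missing signature still runs, but restricted."""
    if not signature_file_exists or not results:
        return "restricted"
    return "trusted" if all(results) else "untrusted"

def gpg_status(nvt_path: str, sig_path: str, homedir: str = "/etc/openvas/gnupg") -> str:
    """Run GnuPG against the OpenVAS keyring and return its machine-readable status lines."""
    proc = subprocess.run(
        ["gpg", "--homedir", homedir, "--batch", "--status-fd", "1",
         "--verify", sig_path, nvt_path],
        capture_output=True, text=True, check=False)
    return proc.stdout

# Constructed sample: one good signature, one from a key missing from the keyring.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed NVT signing key <nvt@example.invalid>
[GNUPG:] ERRSIG FEDCBA9876543210 1 8 00 1700000000 9 FEDCBA9876543210
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""
```

Feeding `gpg_status(...)` output into `signature_results` and then `openvas_trusted` reproduces the decision for a real NVT; the sample yields one valid and one invalid signature, so OpenVAS rejects the file while the Nessus model would merely classify it as having a bad signature.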
