
Running the following command as root on OpenVAS 7 (where gb_iojs_detect_win.nasl is one of the OpenVAS plugins; other plugins cause the same error):

openvas-nasl gb_iojs_detect_win.nasl

causes this error:

base gpgme-Message: Setting GnuPG homedir to '/usr/local/var/lib/openvas/gnupg'
base gpgme-Message: Using OpenPGP engine version '1.4.16'
base gpgme-Message: Setting GnuPG sysconf homedir to '/usr/local/etc/openvas/gnupg'
gb_iojs_detect_win.nasl: bad or missing signature. Will not execute this script

Note that I did follow this page and set nasl_no_signature_check = yes, but this error still persists.

Thanks! Any help would be appreciated!

totoro

5 Answers


Execute the following and follow the prompts:

gpg --homedir=/usr/local/etc/openvas/gnupg --gen-key

Then execute:

wget http://www.openvas.org/OpenVAS_TI.asc -P /tmp
gpg --homedir=/usr/local/etc/openvas/gnupg --import /tmp/OpenVAS_TI.asc
gpg --homedir=/usr/local/etc/openvas/gnupg --list-keys
gpg --homedir=/usr/local/etc/openvas/gnupg --lsign-key 48DB4530

Source: http://www.openvas.org/trusted-nvts.html

D.W

Do what is indicated above and update your feed plugins.

firebitsbr

I also struggled with this, due to the documentation falling short.

You need to provide the -X flag, which means authenticated mode, which apparently means "Don't do the signature checks".

danielpops

I was having this issue with OpenVAS 9, but based on the instructions from @D.W., I read the docs about trusted NVTs, they mention that they're going to start using a new key starting 12/1/18.

However, when I ran openvassd -f to see what it was doing, I noticed that there were only some plugin checksums that were failing, and I'm thinking they're already signing these with the new key.

checksum for /var/lib/openvas/plugins/gb_electrasoft_32bit_ftp_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_atlassian_confluence_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_synology_dsm_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_quixplorer_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_yealink_ip_phone_detect.nasl not matching
checksum for /var/lib/openvas/plugins/secpod_neon_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_torrent_trader_classic_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_simatic_s7_snmp_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_sophos_xg_detect_userportal.nasl not matching
checksum for /var/lib/openvas/plugins/gb_keycloak_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_wd_wdtv_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_get_http_banner.nasl not matching
checksum for /var/lib/openvas/plugins/gb_orion_nta_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_gather_windows_uptime.nasl not matching
checksum for /var/lib/openvas/plugins/gb_teleopti_wfm_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_asp_dotnet_core_detect_win.nasl not matching
checksum for /var/lib/openvas/plugins/eggdrop_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_f5_linerate_lros_version.nasl not matching
checksum for /var/lib/openvas/plugins/gb_mikrotik_router_routeros_consolidation.nasl not matching

However, the fix was to just use the same instructions (I had to modify the config directory paths for Ubuntu/Debian), but with the newer key. After that the checksums were validated OK:

wget https://www.greenbone.net/GBCommunitySigningKey.asc -P /tmp
gpg --homedir=/etc/openvas/gnupg --import /tmp/GBCommunitySigningKey.asc
gpg --homedir=/etc/openvas/gnupg --list-keys
gpg --homedir=/etc/openvas/gnupg --lsign-key 0ED1E580
systemctl restart openvas-scanner.service
4oo4
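The recipe from D.W.'s and 4oo4's answers, reproduced offline with plain gpg as an added example (this is not code from the page, from OpenVAS or from Greenbone). A throwaway "feed" key stands in for OpenVAS_TI.asc / GBCommunitySigningKey.asc, a constructed .nasl file gets a detached .asc signature, and a second gnupg homedir plays the role of /usr/local/etc/openvas/gnupg. It then walks the three states a scanner homedir can be in: no key at all (the "bad or missing signature" case), a bare --import (good signature, but the key has no validity, so the check still fails), and a locally signed key after --gen-key (the check passes), plus a tampered copy that is rejected. The decision is made on gpg's status lines (GOODSIG together with TRUST_FULLY or TRUST_ULTIMATE) rather than on its exit code, which is 0 for any good signature even from an untrusted key. Assumptions: gpg 2.1 or newer on PATH (needed for %no-protection and for --quick-lsign-key, the non-interactive form of the --lsign-key step used in the answers); every key name, e-mail address, path and the plugin body are made up.

```shell
#!/bin/sh
# Added example, not code from the page, OpenVAS or Greenbone: reproduce the
# NVT signature check with plain gpg, entirely offline.
# Assumptions: gpg 2.1+ on PATH; every key name, address, path and the
# plugin body below are constructed for this demo.
set -eu

WORK=$(mktemp -d)
FEED_HOME="$WORK/feed"        # stands in for the feed vendor's signing key
SCANNER_HOME="$WORK/scanner"  # stands in for /usr/local/etc/openvas/gnupg
PLUGIN="$WORK/demo_detect.nasl"
TAMPERED="$WORK/demo_detect_tampered.nasl"
mkdir -p "$FEED_HOME" "$SCANNER_HOME"
chmod 700 "$FEED_HOME" "$SCANNER_HOME"

# gpg wrapper: explicit homedir, never prompt.
gpg_in() { _home=$1; shift; gpg --homedir "$_home" --batch --no-tty --quiet "$@"; }

# gen_key HOMEDIR NAME EMAIL: unattended key generation (fast ed25519 key).
gen_key() {
  gpg_in "$1" --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# verify_nvt FILE: the check a scanner performs on FILE against FILE.asc.
# Succeeds only for a good signature from a key with full or ultimate
# validity. gpg's exit status is 0 for any good signature, even from an
# untrusted key, so the decision is made on the machine-readable status lines.
verify_nvt() {
  _st=$(gpg_in "$SCANNER_HOME" --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || return 1
  printf '%s\n' "$_st" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
  printf '%s\n' "$_st" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' || return 1
}

# Constructed plugin body (not a real NVT).
printf 'if (description) { script_name("demo detect"); exit(0); }\n' > "$PLUGIN"

# 1. Feed side: sign the plugin with a detached ASCII-armored signature
#    (the .asc that ships beside a .nasl) and publish the public key.
gen_key "$FEED_HOME" "Demo Feed Signing Key" "feed@example.invalid"
gpg_in "$FEED_HOME" --yes --armor --detach-sign --output "$PLUGIN.asc" "$PLUGIN"
gpg_in "$FEED_HOME" --armor --export "feed@example.invalid" > "$WORK/FeedKey.asc"
FEED_FPR=$(gpg_in "$FEED_HOME" --with-colons --list-keys | awk -F: '/^fpr/ { print $10; exit }')

# 2. Scanner homedir has no keys: the "bad or missing signature" situation.
if verify_nvt "$PLUGIN"; then echo "unexpected: verified with no keys"; exit 1; fi

# 3. Bare --import: the signature is GOODSIG, but validity is TRUST_UNDEFINED,
#    so the check still fails. Importing the key alone is not enough.
gpg_in "$SCANNER_HOME" --import "$WORK/FeedKey.asc"
if verify_nvt "$PLUGIN"; then echo "unexpected: verified after bare import"; exit 1; fi

# 4. The answers' recipe: --gen-key first (a local signature needs a local
#    secret key), then locally sign the feed key. --quick-lsign-key is the
#    non-interactive form of --lsign-key and takes the full fingerprint.
gen_key "$SCANNER_HOME" "Local Scanner Key" "scanner@example.invalid"
gpg_in "$SCANNER_HOME" --quick-lsign-key "$FEED_FPR"
verify_nvt "$PLUGIN"
echo "trusted: $PLUGIN"

# 5. A modified plugin with the original .asc: BADSIG, check fails.
cp "$PLUGIN" "$TAMPERED"
cp "$PLUGIN.asc" "$TAMPERED.asc"
printf 'exit(0);\n' >> "$TAMPERED"
if verify_nvt "$TAMPERED"; then echo "unexpected: tampered plugin verified"; exit 1; fi
echo "rejected: $TAMPERED"

# Stop the agents gpg started for the two throwaway homedirs.
for h in "$FEED_HOME" "$SCANNER_HOME"; do gpgconf --homedir "$h" --kill all 2>/dev/null || true; done
```

Step 3 is the reason a plain --import of OpenVAS_TI.asc or GBCommunitySigningKey.asc is not sufficient, and step 4 is why the answers generate a key before running --lsign-key: a local signature is made with the scanner homedir's own secret key, and that key's ultimate trust is what lifts the feed key to full validity. Setting ownertrust on the feed key directly (gpg --import-ownertrust) reaches the same validity without a local key, but the answers use the lsign route, so that is what is shown here.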

Your command should be like this:

openvas-nasl -Xp gb_iojs_detect_win.nasl #for parsing

openvas-nasl -Xt IP gb_iojs_detect_win.nasl #for exec

note the additional switches. For more details, visit this link

SyCode
  • Thanks for the reply. According to the link you provided, -t should be followed by a host, not the nasl script. -X runs the script in authenticated mode, which is not what I want. – totoro Jun 27 '16 at 21:05
  • @dog_cart You might as well run with -X alone, leaving out the IP address. – SyCode Jun 27 '16 at 21:45