Credo FAQ

What are Credo files?

Credo files contain the information the scanner needs to detect viruses etc. They are digitally signed with a key that has itself been signed by the OpenAntivirus Project.

What does "digitally signed" mean?

The digital signature assures that no one modified the file on its way from the signer to you. It also makes sure that no one else created the file. It has no influence on the quality of the file or the accuracy of the information in it. The data cannot be tampered with, but it can still be nonsense.

How can I trust the signatures?

Digital signatures rely on trust relationships between you and whoever signed the Credo file. Under real-world conditions, you do not know the person who created the file, so two steps are necessary. All software from the OpenAntivirus project knows the master keys of the project maintainers. The maintainers sign the keys of everyone who wants to create a Credo file. A Credo file you receive contains the signed key, which the software uses to check the integrity of the Credo file. The software also checks the validity of the signature on the key. If both checks succeed, the software trusts the Credo file.

How do I know who signed the Credo file?

Each signed key contains a description of the owner. It contains
This information is signed, too, and therefore cannot be altered by third parties.

What are the different signature levels?

The OpenAntivirus project has to make sure that the description of the key contains correct information. As we cannot meet everyone in person, we have different levels to match the different relationships.

  Level 1: the signer received the key via plain email
  Level 2: the signer received the key via an untrusted signed GPG message verified with a key from a keyserver
  Level 3: the signer received the key via a trusted signed GPG message
  Level 4: the signer received the key in person and has verified the identity

Which signature levels are accepted? How can I change this?

All software from the OpenAntivirus project trusts all signatures of level 3 and 4. You can use command line options to reduce the necessary minimum level or even to disable signature checking completely.
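
The two-step check and the minimum-level rule described above, as an added example (not OpenAntivirus code). Toy textbook RSA stands in for the real signature scheme, which this FAQ does not specify; all function names, keys and the record layout are assumptions.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy textbook-RSA key from two primes (constructed; not secure)."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

def key_blob(pub, owner, level):
    # Everything the maintainers vouch for: key, owner description, level.
    return repr((pub["n"], pub["e"], owner, level)).encode()

def issue_key(master, pub, owner, level):
    """Maintainer side: sign a contributor's key at the given level."""
    return {"pub": pub, "owner": owner, "level": level,
            "sig": sign(master, key_blob(pub, owner, level))}

def make_credo(signer, signed_key, data):
    """Contributor side: sign the data and embed the signed key."""
    return {"data": data, "sig": sign(signer, data), "key": signed_key}

def check_credo(credo, master_pub, min_level=3):
    """Scanner side: return 'trusted' or the reason for rejection."""
    k = credo["key"]
    if not verify(master_pub, key_blob(k["pub"], k["owner"], k["level"]), k["sig"]):
        return "key not signed by a master key"
    if k["level"] < min_level:
        return "signature level too low"
    if not verify(k["pub"], credo["data"], credo["sig"]):
        return "file signature invalid"
    return "trusted"

# Constructed demo keys built from small Mersenne primes.
MASTER = make_key(2**61 - 1, 2**89 - 1)
SIGNER = make_key(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    cert = issue_key(MASTER, public(SIGNER), "constructed owner", 3)
    credo = make_credo(SIGNER, cert, b"constructed signature data")
    print(check_credo(credo, public(MASTER)))
```

Because the level is covered by the master signature, editing it inside a received file invalidates the key; lowering min_level on the scanner side is the only way a level 1 or 2 key becomes acceptable, and it widens trust to owners whose description was checked less strictly.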

How can I generate a signing key? How can I get it signed by the project?

There is separate documentation about how to generate the keys and even replace the master keys (which you do not really want to do, as you cannot use any standard Credo file afterwards). Send your keys to us and we will sign them. Depending on our relationship to you, you will be assigned a certain level (see above).

How can I generate an unsigned Credo file? How do I use it?

You can create your own Credo files. Either read the Credo-Howto on how to create a "real" Credo file or do it the easy way:
  1. Create a signature text-file and name it e.g. "mysignatures.strings" (the suffix is important!)
  2. ZIP them into a file with suffix ".credo":
    zip mysignatures.credo *.strings
  3. Copy this file into the subdirectory "credo" where you start ScannerDaemon, or give it on the command line (just one filename is allowed in the current version).
  4. Use the option '-nosignature' when you start ScannerDaemon
$Id: Credo-FAQ.html,v 1.2 2002/04/15 10:43:40 kurti Exp $