On Wed, Jul 10, 2002 at 02:45:41PM +1000, Anthony Towns wrote:
> On Mon, Jul 08, 2002 at 09:04:07PM +0200, Jakub Turski wrote:
> > 3/ Mr X changes the proper line in Packages. It is not signed, so the change
> > remains unknown. Now Packages points to the malicious version of the package.
>
> [aj@cyan ~]$ lynx -source http://ftp.debian.org/debian/dists/woody/Release | grep main/binary-i386/Packages.gz
> 056de733d23e09c0b57c65aae294266f 1775249 main/binary-i386/Packages.gz
> 75dfe094198e0e6d48508cba2a926db151317c9e 1775249 main/binary-i386/Packages.gz
>
> The former is an md5sum, the latter is an SHA1 checksum. The Release file
> has a detached signature in the Release.gpg file in the same location.
>
> > 4/ I do 'apt-get update'. Apt downloads the changed Packages file.
>
> You can verify what apt-get update downloaded using:
>
> http://people.debian.org/~ajt/apt-check-sigs
> and
> http://ftp-master.debian.org/ziyi_key_2002.asc
>
> It's not incredibly straightforward or particularly documented.
>
> Cheers,
> aj

I finally got your script working with the attached patch. My version of
md5sum (sid) adds a '-' after the sum when the input is the standard input.

That's a good thing to have this kind of check. Would it be possible to
integrate this kind of check around 'apt-get update'?

Thanks,
Christophe

--
Christophe Barbé <christophe.barbe@ufies.org>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8 F67A 8F45 2F1E D72C B41E

Cats are intended to teach us that not everything in nature has a function.
--Garrison Keillor
--- apt-check-sigs Sun Jan 27 10:32:46 2002 +++ apt-check-sigs Wed Jul 10 11:53:18 2002 @@ -37,7 +37,7 @@ local LOOKUP="$2" Y="`get_md5sumsize Release "$LOOKUP"`" - Y="`echo "$Y" | sed 's/^ *//;s/ */ /g'`" + Y="`echo "$Y" | sed 's/-//;s/^ *//;s/ */ /g'`" if [ ! -e "/var/lib/apt/lists/$FILE" ]; then if [ "$Y" = "" ]; then @@ -55,7 +55,7 @@ return fi X="`md5sum < /var/lib/apt/lists/$FILE` `wc -c < /var/lib/apt/lists/$FILE`" - X="`echo "$X" | sed 's/^ *//;s/ */ /g'`" + X="`echo "$X" | sed 's/-//;s/^ *//;s/ */ /g'`" if [ "$X" != "$Y" ]; then echo "$FILE" >>BAD echo "BAD"
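Review bot: in both hunks `s/-//` deletes the first hyphen found anywhere in the string, not only the trailing `-` that md5sum prints when it reads standard input. In the first hunk the value being edited is Y, which comes from the Release file via get_md5sumsize and never carries that marker, so the substitution is unnecessary there and would silently alter any field that happens to contain a hyphen. In the second hunk X is built as `md5sum < file` followed by `wc -c`, so the marker sits in the middle (`<sum> - <size>`); a narrower `s/ - / /`, or taking only the first field with `md5sum < /var/lib/apt/lists/$FILE | cut -d' ' -f1`, removes exactly that marker and leaves the rest of the comparison untouched.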
Attachment:
pgpHVDyHPGj6Y.pgp
Description: PGP signature
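The check the thread is about, written out as an added example (this is not the apt-check-sigs script, nor Debian's own code): look up the md5sum, SHA1 and size that the Release file lists for a path, compute the same three values for the local copy of that file, and compare. It takes only the first field of md5sum/sha1sum output, so the trailing `-` that newer coreutils print for standard input never enters the comparison. It assumes Release.gpg has already been verified against the archive key (`gpg --verify Release.gpg Release`); the Packages and Release files it builds are constructed fixtures for the demonstration.

```shell
#!/bin/sh
# Added example: verify a local Packages file against a Release file whose
# signature has already been checked. Not the apt-check-sigs script.

# Print "md5 sha1 size" for the path listed in a Release file, or nothing
# if either checksum line is absent. Release lines are "<sum> <size> <path>",
# with 32 hex chars for MD5 and 40 for SHA1.
release_entry() {
  awk -v p="$2" '
    $3 == p && length($1) == 32 { md5 = $1; size = $2 }
    $3 == p && length($1) == 40 { sha1 = $1 }
    END { if (md5 != "" && sha1 != "") print md5, sha1, size }' "$1"
}

# Print "md5 sha1 size" for a local file. Only the first field of the
# checksum tools is used, so the "-" stdin marker is never part of it.
local_entry() {
  md5=$(md5sum < "$1" | cut -d' ' -f1)
  sha1=$(sha1sum < "$1" | cut -d' ' -f1)
  size=$(wc -c < "$1" | tr -d ' ')
  echo "$md5 $sha1 $size"
}

# Exit status 0 when the local file matches the Release entry exactly
# (both digests and the byte count), 1 when it differs or is unlisted.
check_file() {
  want=$(release_entry "$1" "$2")
  have=$(local_entry "$3")
  [ -n "$want" ] && [ "$want" = "$have" ]
}

# Constructed fixture: a tiny Packages file, a same-length tampered copy,
# and a Release file listing the genuine one. Prints the directory name.
make_fixture() {
  dir=$(mktemp -d)
  printf 'Package: foo\nVersion: 1.0\n' > "$dir/Packages"
  printf 'Package: foo\nVersion: 1.1\n' > "$dir/Packages.bad"
  md5=$(md5sum < "$dir/Packages" | cut -d' ' -f1)
  sha1=$(sha1sum < "$dir/Packages" | cut -d' ' -f1)
  size=$(wc -c < "$dir/Packages" | tr -d ' ')
  {
    echo "MD5Sum:"
    echo " $md5 $size main/binary-i386/Packages"
    echo "SHA1:"
    echo " $sha1 $size main/binary-i386/Packages"
  } > "$dir/Release"
  echo "$dir"
}

# Stand-alone run: report the genuine copy as OK and the tampered one as BAD.
main() {
  d=$(make_fixture)
  for f in Packages Packages.bad; do
    if check_file "$d/Release" main/binary-i386/Packages "$d/$f"; then
      echo "$f: OK"
    else
      echo "$f: BAD"
    fi
  done
  rm -rf "$d"
}
main
```

The tampered copy has the same byte count as the genuine one, which is why a size check alone is not enough and both digests are compared; an entry that is missing from Release is treated as a failure rather than a pass, since an unlisted file is exactly what a substituted index would look like.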