checking if .deb's match Packages
>>>>> Henrique de Moraes Holschuh <hmh@debian.org> writes:
[…]
> The Debian mirror in mirrors.kernel.org, on the other hand... While
> the apt signature will protect users downloading packages through the
> package manager, users that get binary packages directly are not
> protected.
FWIW, personally, I download both the binary packages /and/ the
signed lists.
[…]
> Do we have a automated way to signature-check every binary and source
> package in a repository against the hashes in the signed release
> files?
sha1sum(1) and sha256sum(1) will do. As for the input format
conversion, the following GNU Awk bit may help:
--cut: packages2sha256.awk --
# Emit one "HASH *FILENAME" line per stanza, the input format that
# sha256sum -c expects.  A blank line ends a stanza; the END rule
# flushes a final stanza that is not followed by a blank line.
! /./ {
    if (fn != "" && sha256 != "") {
        print sha256, "*" fn;
    }
    fn = ""; sha256 = "";
}
/^Filename: / { fn = $2; next; }
/^SHA256: / { sha256 = $2; next; }
END {
    if (fn != "" && sha256 != "") {
        print sha256, "*" fn;
    }
}
--cut: packages2sha256.awk --
It may also be combined with grep-dctrl(1) to check a subset of
packages, like:
$ find dists/wheezy/ \
    -type f -name Packages.bz2 -exec bzcat -- {} + \
    | grep-dctrl -s Filename,SHA256 \
        -F Priority --regex --pattern=required\\\|important \
    | gawk -f packages2sha256.awk \
    | sha256sum -c
--
FSF associate member #7257 Coming soon: Software Freedom Day
http://mail.sf-day.org/lists/listinfo/ planning-ru (ru), sfd-discuss (en)
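An added example, not part of the original mail: the same Packages-to-sha256sum check written in Python, parsing the stanzas directly (including a final stanza with no trailing blank line) and hashing each listed file relative to the mirror root. The mirror layout, package bytes and Packages text built in demo() are constructed stand-ins.

```python
import hashlib
import os
import tempfile

def parse_packages(text):
    """Yield (filename, sha256) per stanza. The sentinel "" flushes a final
    stanza that lacks a terminating blank line (a blank-line-only rule would drop it)."""
    fn = sha = None
    for line in text.splitlines() + [""]:
        if line == "":
            if fn and sha:
                yield fn, sha
            fn = sha = None
        elif line.startswith("Filename:"):
            fn = line.split(":", 1)[1].strip()
        elif line.startswith("SHA256:"):
            sha = line.split(":", 1)[1].strip().lower()

def check_packages(packages_text, root):
    """Map each Filename (relative to the mirror root) to OK/FAILED/MISSING."""
    results = {}
    for fn, expected in parse_packages(packages_text):
        path = os.path.join(root, fn)
        if not os.path.isfile(path):
            results[fn] = "MISSING"
            continue
        with open(path, "rb") as f:
            actual = hashlib.sha256(f.read()).hexdigest()
        results[fn] = "OK" if actual == expected else "FAILED"
    return results

def demo():
    """Constructed mirror: one intact .deb stand-in, one tampered, one absent;
    the Packages text deliberately omits the final blank line."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "pool/main/a"))
    good = b"constructed stand-in for the bytes of a_1.0_amd64.deb"
    with open(os.path.join(root, "pool/main/a/a_1.0_amd64.deb"), "wb") as f:
        f.write(good)
    with open(os.path.join(root, "pool/main/a/b_1.0_amd64.deb"), "wb") as f:
        f.write(good + b" (modified after the index was signed)")
    digest = hashlib.sha256(good).hexdigest()
    packages = (
        f"Package: a\nFilename: pool/main/a/a_1.0_amd64.deb\nSHA256: {digest}\n\n"
        f"Package: b\nFilename: pool/main/a/b_1.0_amd64.deb\nSHA256: {digest}\n\n"
        f"Package: c\nFilename: pool/main/c/c_1.0_amd64.deb\nSHA256: {'0' * 64}"
    )
    return check_packages(packages, root)
```

As with the shell pipeline, this only proves the files match the Packages index; the index itself still has to be checked against the signed Release file.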