securely validating installed files
(courtesy CC requested, I'm not on the list, thanks)
I know you can use apt-secure to determine the validity of a not yet installed
A) Is there a way to determine the validity of an installed deb?
B) Is there a way to determine if a file you have on your system came from a
(I suspect the ability to do A requires the ability to do B, right?)
Most debs have md5sum files these days, and the debsums tool can compare the
installed files against /var/lib/dpkg/info/foo.md5sum. But it isn't intended
to be used as an integrity checker, since those files are subject to
Is there a way to link the apt-secure checked deb to the md5sum file it
contains in order to prove that files are OK? Like maybe a signed document
listing the md5sums of all the md5sum files? Any other ideas?
I would like to have this ability for an auditing tool I'm writing.