
securely validating installed files



(courtesy CC requested, I'm not on the list, thanks)

Hi debian-dpkg,

I know you can use apt-secure to determine the validity of a not yet installed 
deb.

A) Is there a way to determine the validity of an installed deb?
B) Is there a way to determine if a file you have on your system came from a 
valid deb?

(I suspect the ability to do A requires the ability to do B, right?)

Most debs have md5sum files these days, and the debsums tool can compare the 
installed files against /var/lib/dpkg/info/foo.md5sum. But it isn't intended 
to be used as an integrity checker, since those files are subject to 
manipulation.

Is there a way to link the apt-secure checked deb to the md5sum file it 
contains in order to prove that files are OK? Like maybe a signed document 
listing the md5sums of all the md5sum files? Any other ideas?

I would like to have this ability for an auditing tool I'm writing.

Thanks,

-- 
Matt Taggart
taggart@debian.org
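
The check the message asks about, as an added example that is not part of the original post or of any Debian tool: installed files and the local md5sums manifest are both compared against a reference manifest. It assumes the reference text was taken from a .deb already validated by apt-secure; the function names, paths and sample data are constructed for illustration.

```python
import hashlib, os, tempfile

# Assumption: `reference` is md5sums text taken from a .deb already validated by apt-secure.
def parse_md5sums(text):
    """Parse dpkg md5sums lines: '<md5 hex>  <path relative to />'."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries[path] = digest.lower()
    return entries

def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(reference, local, root):
    """Check the local manifest and the files under root against a reference manifest."""
    ref, loc = parse_md5sums(reference), parse_md5sums(local)
    findings = []
    for path, digest in sorted(ref.items()):
        if loc.get(path) != digest:
            findings.append(("manifest-altered", path))
        full = os.path.join(root, path)
        if not os.path.isfile(full):
            findings.append(("missing", path))
        elif md5_file(full) != digest:
            findings.append(("file-altered", path))
    findings += [("manifest-extra", p) for p in sorted(set(loc) - set(ref))]
    return findings

def demo():
    # Constructed sample data: a temporary root holding two "installed" files.
    root = tempfile.mkdtemp()
    files = {"usr/bin/foo": b"original binary\n", "etc/foo.conf": b"opt=1\n"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    md5 = lambda b: hashlib.md5(b).hexdigest()
    trusted = "".join(f"{md5(d)}  {p}\n" for p, d in files.items())
    # Simulate the manipulation: a file changes and the local manifest is rewritten to match.
    changed = b"modified binary\n"
    with open(os.path.join(root, "usr/bin/foo"), "wb") as f:
        f.write(changed)
    local = trusted.replace(md5(files["usr/bin/foo"]), md5(changed))
    # First result: local manifest checked against itself (a debsums-style view).
    return audit(local, local, root), audit(trusted, local, root)
```

The first result is empty because the rewritten local manifest agrees with the changed file; only the comparison against the reference manifest reports the change.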



