[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

securely validating installed files

(courtesy CC requested, I'm not on the list, thanks)

Hi debian-dpkg,

I know you can use apt-secure to determine the validity of a not yet installed 

A) Is there a way to determine the validity of an installed deb?
B) Is there a way to determine if a file you have on your system came from a 
valid deb?

(I suspect the ability to do A requires the ability to do B, right?)

Most debs have md5sum files these days, and the debsums tool can compare the 
installed files against /var/lib/dpkg/info/foo.md5sum. But it isn't intended 
to be used as an integrity checker, since those files are subject to 

Is there a way to link the apt-secure checked deb to the md5sum file it 
contains in order to prove that files are OK? Like maybe a signed document 
listing the md5sums of all the md5sum files? Any other ideas?

I would like to have this ability for an auditing tool I'm writing.


Matt Taggart

Reply to: