[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: securely validating installed files

On Wed, Feb 01, 2006 at 02:43:43PM -0800, Matt Taggart wrote:
>A) Is there a way to determine the validity of an installed deb?
>B) Is there a way to determine if a file you have on your system came from a 
>valid deb?
>(I suspect the ability to do A requires the ability to do B, right?)
>Most debs have md5sum files these days, and the debsums tool can compare the 
>installed files against /var/lib/dpkg/info/foo.md5sum. But it isn't intended 
>to be used as an integrity checker, since those files are subject to 
>Is there a way to link the apt-secure checked deb to the md5sum file it 
>contains in order to prove that files are OK? Like maybe a signed document 
>listing the md5sums of all the md5sum files? Any other ideas?

debsums has the ability to validate on-disk files from the md5sum stored
in (or calculated from the contents) of a .deb .

There is also an option (--md5sums) to pass a list of deb checksums and
another (--root) the specify the root directory.

The idea being that you could boot the system from known safe media (say
a rescue disk/cd/usb key) which contained the archive key, gpg, debsums
etc.  You could then:

  * Verify the integrity of /mnt/var/lib/apt/lists/*_Releases with the
    archive key,

  * verify /mnt/var/lib/apt/lists/*_Packages from the checksums in Releases,
  * extract a list of checksums for /var/cache/apt/archives/*.deb from

  * use debsums to verify the on-disk files from the debs (using
    --deb-path=/mnt/var/cache/apt/archives --md5sums=LIST --root=/mnt

I never really got past adding the -m/-r options.

Using debsums in this way as a security tool (as opposed to a basic
integrity checker) has limitations.

The principal one being that verification is limited only to packages
which appear to be installed according to /var/lib/dpkg/status, i.e. it
covers your case "A" only:  you miss the case where a package has been
removed from the system and replacement files installed outside of dpkg.

Case "B" would require an index of paths with validated checksums,
rather a tricky task if you're attempting to check an unstable system
some time after the last upgrade:  where do you find the relevant


Reply to: