Re: securely validating installed files
On Wed, Feb 01, 2006 at 02:43:43PM -0800, Matt Taggart wrote:
>A) Is there a way to determine the validity of an installed deb?
>B) Is there a way to determine if a file you have on your system came from a
>valid deb?
>
>(I suspect the ability to do A requires the ability to do B, right?)
>
>Most debs have md5sum files these days, and the debsums tool can compare the
>installed files against /var/lib/dpkg/info/foo.md5sum. But it isn't intended
>to be used as an integrity checker, since those files are subject to
>manipulation.
>
>Is there a way to link the apt-secure checked deb to the md5sum file it
>contains in order to prove that files are OK? Like maybe a signed document
>listing the md5sums of all the md5sum files? Any other ideas?
debsums has the ability to validate on-disk files from the md5sum stored
in (or calculated from the contents of) a .deb.
There is also an option (--md5sums) to pass a list of deb checksums and
another (--root) to specify the root directory.
The idea being that you could boot the system from known safe media (say
a rescue disk/cd/usb key) which contained the archive key, gpg, debsums
etc. You could then:
* Verify the integrity of /mnt/var/lib/apt/lists/*_Releases with the
archive key,
* verify /mnt/var/lib/apt/lists/*_Packages from the checksums in Releases,
* extract a list of checksums for /var/cache/apt/archives/*.deb from
Packages,
* use debsums to verify the on-disk files from the debs (using
--deb-path=/mnt/var/cache/apt/archives --md5sums=LIST --root=/mnt
--generate=all).
I never really got past adding the -m/-r options.
Using debsums in this way as a security tool (as opposed to a basic
integrity checker) has limitations.
The principal one being that verification is limited only to packages
which appear to be installed according to /var/lib/dpkg/status, i.e. it
covers your case "A" only: you miss the case where a package has been
removed from the system and replacement files installed outside of dpkg.
Case "B" would require an index of paths with validated checksums,
rather a tricky task if you're attempting to check an unstable system
some time after the last upgrade: where do you find the relevant
Releases/Packages/debs?
--bod
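
The second and third steps of the list in the message above, as an added example that is not part of the original message and is not debsums code: it checks a Packages index against the checksums in a Release file, then pulls the per-.deb checksums out of Packages. It assumes the Release text has already been verified with gpg against the archive key; the function names and sample data are constructed for illustration, and the digest field is a parameter so the same code also covers the SHA256 entries.

```python
import hashlib

def release_checksums(release_text, field="MD5Sum"):
    """Return {path: (hexdigest, size)} from one checksum field of a Release file."""
    sums, in_field = {}, False
    for line in release_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, path = line.split()
            sums[path] = (digest, int(size))
        else:
            in_field = False          # any other field header ends the block
    return sums

def verify_index(release_text, path, data, field="MD5Sum", algo="md5"):
    """True if the Packages bytes match the size and digest listed in Release."""
    entry = release_checksums(release_text, field).get(path)
    if entry is None:                 # not listed in Release: treat as unverified
        return False
    digest, size = entry
    return len(data) == size and hashlib.new(algo, data).hexdigest() == digest

def deb_checksums(packages_text, key="MD5sum"):
    """Return [(digest, Filename)] for every stanza of a verified Packages index."""
    result = []
    for stanza in packages_text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] not in (" ", "\t") and ":" in line:  # skip continuation lines
                name, _, value = line.partition(":")
                fields[name] = value.strip()
        if "Filename" in fields and key in fields:
            result.append((fields[key], fields["Filename"]))
    return result

# Constructed sample data (not from a real archive).
SAMPLE_PACKAGES = (
    "Package: hello\nVersion: 2.1.1-4\n"
    "Filename: pool/main/h/hello/hello_2.1.1-4_i386.deb\n"
    "MD5sum: 0123456789abcdef0123456789abcdef\n"
    "Description: constructed entry\n continuation line: ignored\n"
)
SAMPLE_RELEASE = (
    "Suite: unstable\nMD5Sum:\n"
    f" {hashlib.md5(SAMPLE_PACKAGES.encode()).hexdigest()} "
    f"{len(SAMPLE_PACKAGES)} main/binary-i386/Packages\n"
    "SHA1:\n 0000000000000000000000000000000000000000 1 main/binary-i386/Packages\n"
)
```

Each link only carries trust if the previous one passed: an index that fails `verify_index` should not be fed to `deb_checksums`.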