
Re: securely validating installed files

On Wed, Feb 01, 2006 at 02:43:43PM -0800, Matt Taggart wrote:
> (courtesy CC requested, I'm not on the list, thanks)

Mail-Followup-To: recommended :)

> A) Is there a way to determine the validity of an installed deb?
> B) Is there a way to determine if a file you have on your system came from a 
> valid deb?

Depends what you want "validity" to mean -- you need to define a trust
path for this to mean anything.

Even if every deb came with an md5sums file (and you trusted md5, which
you shouldn't) you can't validate your files unless you're willing to
trust the md5sums on your disk haven't also been altered.


    * include hash in the deb
        + already doable and done
        + always matches the stuff you've got installed
        - copes badly with hashes being obsoleted
        - extra failure mode if the .deb's hashes don't match its files

    * generate hashes for files on the archive, include in Contents like file
        + not very difficult to do
        + highly adaptable
        + easy to recheck independently of the install
        + easy to associate with Debian
        - lots of irrelevant stuff to download
        - hard to validate out of date information

    * generate and save hashes at install time
        + works for everything as soon as it's implemented
        + no irrelevant information needed
        + no concerns about locally generated or out of date packages
        - somewhat difficult to do (assumes you're not already compromised,
          dpkg changes needed, etc)
        - hard to keep the generated hashes safe

Generating the hashes from the files in a .deb directly at verify time
is also possible, but may be overly awkward.

> I would like to have this ability for an auditing tool I'm writing.

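The trust-path point made above (a hash list on disk proves nothing unless the list itself is anchored to something the local disk cannot alter) can be shown with a small verifier. The following is an added example, not code from the thread or from dpkg/debsums: it writes a dpkg-style "hash  path" manifest for a constructed file tree (using sha256 rather than md5, which the message advises against), checks the installed files against it, and separately checks the manifest against a digest that stands in for an out-of-band reference such as signed archive metadata. The file names, contents and the `trusted_digest` value are all constructed for the demonstration.

```python
"""Verify installed files against a hash manifest, then verify the manifest itself
against a digest obtained out of band. Added example; the manifest layout mirrors
dpkg's md5sums files ("<hash>  <relative path>") but is hypothetical, and sha256
replaces md5."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through sha256 in chunks so large files need no extra memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, rel_paths) -> str:
    """One line per file: '<sha256>  <relative path>', sorted for reproducibility."""
    lines = [f"{sha256_file(root / p)}  {p}" for p in sorted(rel_paths)]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict:
    """Parse manifest lines into {relative path: expected hex digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel = line.partition("  ")
        if len(digest) != 64 or not rel:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[rel] = digest
    return entries


def verify_files(root: Path, manifest_text: str) -> dict:
    """Return {path: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for rel, expected in parse_manifest(manifest_text).items():
        path = root / rel
        if not path.is_file():
            results[rel] = "missing"
        elif sha256_file(path) != expected:
            results[rel] = "mismatch"
        else:
            results[rel] = "ok"
    return results


def manifest_is_trusted(manifest_text: str, trusted_digest: str) -> bool:
    """A manifest is only as good as its provenance: compare its own sha256 with a
    digest obtained from somewhere the local disk cannot alter (in practice, signed
    archive metadata). compare_digest keeps the comparison constant-time."""
    actual = hashlib.sha256(manifest_text.encode()).hexdigest()
    return hmac.compare_digest(actual, trusted_digest)


def demo() -> dict:
    """Constructed scenario: a three-file install, a manifest, and the failure modes
    that local-only verification does and does not catch."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed sample package contents
            "bin/tool": b"#!/bin/sh\necho hello\n",
            "etc/tool.conf": b"verbose=0\n",
            "share/doc/README": b"docs\n",
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        manifest = build_manifest(root, files)
        # Stand-in for a digest fetched out of band (e.g. from a signed Contents-like file).
        trusted_digest = hashlib.sha256(manifest.encode()).hexdigest()

        clean = verify_files(root, manifest)

        # Case 1: a file changes but the manifest does not -> local check catches it.
        (root / "bin/tool").write_bytes(b"#!/bin/sh\necho hello world\n")
        after_file_change = verify_files(root, manifest)

        # Case 2: the on-disk manifest is rewritten to match the changed file ->
        # local check passes; only the out-of-band digest exposes the substitution.
        forged = build_manifest(root, files)
        after_manifest_change = verify_files(root, forged)

        # Case 3: a file is removed entirely.
        (root / "share/doc/README").unlink()
        after_delete = verify_files(root, manifest)

        return {
            "clean_all_ok": all(v == "ok" for v in clean.values()),
            "changed_file": after_file_change["bin/tool"],
            "forged_manifest_local": after_manifest_change["bin/tool"],
            "forged_manifest_trusted": manifest_is_trusted(forged, trusted_digest),
            "genuine_manifest_trusted": manifest_is_trusted(manifest, trusted_digest),
            "deleted_file": after_delete["share/doc/README"],
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The second case is the one the message warns about: once the verifier's reference data lives on the same disk as the files it checks, an adversary who can alter one can alter the other, so the local check passes and only the comparison against an externally anchored digest fails. The same structure applies whichever of the three storage options is chosen; what changes is where `trusted_digest` comes from.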