
Re: Compromised system - still ok?

On Mon, Feb 07, 2005 at 06:32:12PM +0200, Ognyan Kulev wrote:
> He said that after a signed Fedora package is installed (by default, only signed packages are installed), you can boot from some CD and then check the signatures of each file of each package. Thus, having only Red Hat's key fingerprint, you can check all your installed packages.

> What I'm asking is whether this is possible with dpkg-sig. If not, I think it's a desirable feature.

No, it's not. The Red Hat approach misses the boat on what is probably the
largest part of your installation--your data & configuration files. Use
something like aide or tripwire to validate your installation.

> Another thing he doesn't like is that the check is based on a signed MD5 hash of the content instead of on the signed content itself. Is it true that a signed MD5 is weaker than signed content?


Mike Stone

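The point Mike makes above, as an added example that is not part of the thread and not code from dpkg, aide or tripwire: a package-manifest check (modelled on dpkg's per-package md5sums files, which by convention list the package's non-conffile files) only ever looks at files the manifest names, so an edited config file or a dropped-in extra binary passes it cleanly. An aide/tripwire-style baseline walks the whole tree, so it reports both. The baseline database is protected with an HMAC under a key that the example assumes is kept on read-only media such as the boot CD; the file tree, the manifest and the "attacker" edits are all constructed inside a temporary directory.

```python
"""Contrast a package-manifest check with an aide/tripwire-style baseline.

Added example for the thread; it is not dpkg, aide or tripwire code.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Stream a file through the named hash and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_manifest(root, manifest):
    """Manifest-style check: manifest maps relative path -> MD5 hex digest,
    like a dpkg .md5sums file. Only files named in the manifest are examined;
    anything else under root is invisible to this check."""
    problems = []
    for rel, expected in manifest.items():
        p = Path(root) / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif file_digest(p, "md5") != expected:
            problems.append((rel, "modified"))
    return problems


def build_baseline(root):
    """aide-style baseline: every regular file under root with its SHA-256,
    permission bits and size (real tools also record owner, inode, mtime...)."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = str(p.relative_to(root))
            base[rel] = {"sha256": file_digest(p),
                         "mode": oct(st.st_mode & 0o7777),
                         "size": st.st_size}
    return base


def seal_baseline(base, key):
    """Serialise the baseline and tag it with HMAC-SHA256 so a tampered
    database is rejected. Assumption: key lives on offline/read-only media."""
    blob = json.dumps(base, sort_keys=True).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()


def load_baseline(blob, tag, key):
    """Verify the HMAC before trusting the stored baseline."""
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline database tampered with")
    return json.loads(blob)


def compare_baseline(root, base):
    """Report removed, added and changed files relative to the baseline."""
    current = build_baseline(root)
    findings = []
    for rel in sorted(set(base) | set(current)):
        if rel not in current:
            findings.append((rel, "removed"))
        elif rel not in base:
            findings.append((rel, "added"))
        elif base[rel] != current[rel]:
            findings.append((rel, "changed"))
    return findings


def demo():
    """Constructed scenario: a tiny 'installed system' with one packaged
    binary and one conffile; the attacker edits the conffile and drops an
    extra binary but leaves the packaged binary untouched."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "usr/sbin").mkdir(parents=True)
        (r / "etc/ssh").mkdir(parents=True)
        (r / "usr/sbin/sshd").write_bytes(b"#!/bin/sh\necho sshd\n")
        (r / "etc/ssh/sshd_config").write_text("PermitRootLogin no\n")

        # dpkg-style manifest: lists the binary only, not the conffile.
        manifest = {"usr/sbin/sshd": file_digest(r / "usr/sbin/sshd", "md5")}
        key = b"offline-key-kept-on-the-boot-cd"  # assumed, not a real key
        blob, tag = seal_baseline(build_baseline(root), key)

        # Compromise: config weakened, new file added, binary untouched.
        (r / "etc/ssh/sshd_config").write_text("PermitRootLogin yes\n")
        (r / "usr/sbin/backdoor").write_bytes(b"#!/bin/sh\n")

        manifest_result = check_manifest(root, manifest)
        baseline_result = compare_baseline(root, load_baseline(blob, tag, key))
        return manifest_result, baseline_result


if __name__ == "__main__":
    m, b = demo()
    print("manifest check:", m)   # nothing reported
    print("baseline check:", b)   # config changed, backdoor added
```

Run it as a script: the manifest check returns an empty list, while the baseline check reports `etc/ssh/sshd_config` as changed and `usr/sbin/backdoor` as added. The same gap exists in reverse for the signed-package idea: signatures over package contents tell you the packaged files are pristine, but say nothing about files the package did not ship.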