Re: Compromised system - still ok?
On Mon, Feb 07, 2005 at 06:32:12PM +0200, Ognyan Kulev wrote:
He said that after signed Fedora package is installed (by default, only
signed packages are installed), you can boot from some CD and then check
signatures of each file of each package. Thus, only having key Red Hat's
fingerprint, you can check your all installed packages.
What I'm asking is if this is possible with dpkg-sig? If not, I think it's
No it's not. The redhat approach misses the boat on what is probably the
largest part of your installation--your data & configuration files. Use
something like aide or tripwire to validate your installation.
Another thing he doesn't like is that check is based on signed MD5 hash of
content instead of based on signed content. Is it true that signed MD5 is
weaker than signed content?