How to verify package integrity after they have been downloaded?
I would like to verify that some .deb files I downloaded a while ago
(using apt) haven't been tampered with. (Actually, I'll be doing this
kind of thing more than once.) I have the appropriate Release,
Release.gpg and Packages files.
As the apt-secure(8) manual page states, apt verifies the integrity of
the .deb packages when it downloads them. But it doesn't do so when
installing from cache. To make sure, I manually modified a .deb file
in /var/cache/apt/archives/ and installed that package with apt-get.
The modified package was installed without any warnings.
(I'm working on Ubuntu 7.10 but I think there's no difference here
between Debian and Ubuntu. Please correct me if I'm wrong.)
I can verify the signature of the Release file and check the hash-sum
of the Packages file by hand. But there are a lot of .deb files to
verify. I could write a script that would parse the Packages file and
extract the checksums so that its output could be fed to the
{md5,sha1,sha256}sum -c commands. But it would take considerable
effort to make the script robust enough so that it doesn't break on
new or malicious Packages files.
Is there a simpler way to verify the integrity of .deb packages that
were downloaded with apt?
Reply to: