RE: How to verify package integrity after they have been downloaded?
Hi,
If some packages are localy modified, This suggests that your local system is already compromised.
:¬
De : Alexander Konovalenko [mailto:alexkon@gmail.com]
Envoyé : samedi, 5. avril 2008 06:11
À : debian-security@lists.debian.org
Objet : How to verify package integrity after they have been downloaded?
I would like to verify that some .deb files I downloaded a while ago
(using apt) haven't been tampered with. (Actually, I'll be doing this
kind of thing more than once.) I have the appropriate Release,
Release.gpg and Packages files.
As the apt-secure(8) manual page states, apt verifies the integrity of
the .deb packages when it downloads them. But it doesn't do so when
installing from cache. To make sure, I manually modified a .deb file
in /var/cache/apt/archives/ and installed that package with apt-get.
The modified package was installed without any warnings.
(I'm working on Ubuntu 7.10 but I think there's no difference here
between Debian and Ubuntu. Please correct me if I'm wrong.)
I can verify the signature of the Release file and check the hash-sum
of the Packages file by hand. But there are a lot of .deb files to
verify. I could write a script that would parse the Packages file and
extract the checksums so that its output could be fed to the
{md5,sha1,sha256}sum -c commands. But it would take considerable
effort to make the script robust enough so that it doesn't break on
new or malicious Packages files.
Is there a simpler way to verify the integrity of .deb packages that
were downloaded with apt?
--
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: