
RE: TR: How to verify package integrity after they have been downloaded?




Hotmail live connector bug again ...

> Hi,
>
> If some packages are locally modified, this suggests that your local system is already compromised.
> :¬
>
> From: Alexander Konovalenko [mailto:alexkon@gmail.com]
> Sent: Saturday, 5 April 2008 06:11
> To: debian-security@lists.debian.org
> Subject: How to verify package integrity after they have been downloaded?
>
> I would like to verify that some .deb files I downloaded a while ago
> (using apt) haven't been tampered with. (Actually, I'll be doing this
> kind of thing more than once.) I have the appropriate Release,
> Release.gpg and Packages files.
>
> As the apt-secure(8) manual page states, apt verifies the integrity of
> the .deb packages when it downloads them. But it doesn't do so when
> installing from cache. To make sure, I manually modified a .deb file
> in /var/cache/apt/archives/ and installed that package with apt-get.
> The modified package was installed without any warnings.
>
> (I'm working on Ubuntu 7.10 but I think there's no difference here
> between Debian and Ubuntu. Please correct me if I'm wrong.)
>
> I can verify the signature of the Release file and check the hash-sum
> of the Packages file by hand. But there are a lot of .deb files to
> verify. I could write a script that would parse the Packages file and
> extract the checksums so that its output could be fed to the
> {md5,sha1,sha256}sum -c commands. But it would take considerable
> effort to make the script robust enough so that it doesn't break on
> new or malicious Packages files.
>
> Is there a simpler way to verify the integrity of .deb packages that
> were downloaded with apt?
>

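The procedure the question sketches (verify Release.gpg, check the Packages index against Release, then check every cached .deb against the index) can be scripted without a fragile Packages parser. The following is an added example written for this thread, not code from the original posters or from apt: it parses the control-style stanza format defensively, refuses index entries whose Filename is absolute or contains ".." or whose SHA256 is not a 64-character hex string, and reports cached .deb files as matching, mismatching, or not listed at all. The Release signature step is assumed to have been done beforehand with gpgv (the keyring path is left as an assumption); the sample .deb bytes, Packages text and Release text are constructed stand-ins, not real archive data, and the index path "main/binary-all/Packages" is chosen for the sample.

```python
"""Check cached .deb files against a Packages index that Release vouches for.
Added example for this thread, not apt's own code. It assumes Release.gpg was
already verified, e.g. gpgv --keyring <archive keyring> Release.gpg Release."""
import hashlib
import os
import re
import tempfile

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")
FIELD_NAME = re.compile(r"^[A-Za-z0-9-]+$")

def parse_stanzas(text):
    """Parse a control-style file (Packages, Release) into a list of field dicts.
    Malformed lines are skipped, not raised on, so a hostile index cannot crash us."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        cur, last = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and last is not None:
                cur[last] += "\n" + line.strip()  # continuation of previous field
                continue
            key, sep, val = line.partition(":")
            last = key if sep and FIELD_NAME.match(key) else None  # None: malformed
            if last:
                cur[last] = val.strip()
        if cur:
            stanzas.append(cur)
    return stanzas

def expected_hashes(packages_text):
    """Map .deb basename -> SHA256 claimed by the index; refuse absolute or
    traversing Filenames and non-hex digests even though the index is signed."""
    result = {}
    for st in parse_stanzas(packages_text):
        fn, digest = st.get("Filename", ""), st.get("SHA256", "").lower()
        parts = fn.split("/")
        unsafe = fn.startswith("/") or ".." in parts or not parts[-1].endswith(".deb")
        if not unsafe and HEX_SHA256.match(digest):
            result[parts[-1]] = digest
    return result

def packages_matches_release(release_text, packages_text, index_path):
    """Link from the gpg-verified Release to the index: True if Release lists
    index_path with the SHA256 and byte size of packages_text."""
    data = packages_text.encode()
    digest = hashlib.sha256(data).hexdigest()
    for st in parse_stanzas(release_text):
        for entry in st.get("SHA256", "").split("\n"):
            f = entry.split()  # "<sha256> <size> <path>"
            if len(f) == 3 and f[2] == index_path:
                return f[0].lower() == digest and f[1] == str(len(data))
    return False

def verify_cache(packages_text, archive_dir):
    """Classify the .deb files in archive_dir as (ok, mismatched, not_in_index)."""
    expected = expected_hashes(packages_text)
    ok, bad, unknown = [], [], []
    for name in sorted(n for n in os.listdir(archive_dir) if n.endswith(".deb")):
        with open(os.path.join(archive_dir, name), "rb") as fh:
            actual = hashlib.sha256(fh.read()).hexdigest()
        if name not in expected:
            unknown.append(name)
        elif actual == expected[name]:
            ok.append(name)
        else:
            bad.append(name)
    return ok, bad, unknown

# Constructed sample data: stand-ins for a .deb, a Packages index and a Release.
GOOD_BYTES = b"!<arch>\nconstructed stand-in for a .deb, not a real package\n"
GOOD_SHA = hashlib.sha256(GOOD_BYTES).hexdigest()
SAMPLE_PACKAGES = f"""Package: good
Filename: pool/main/g/good/good_1.0_all.deb
SHA256: {GOOD_SHA}

Package: tampered
Filename: pool/main/t/tampered/tampered_1.0_all.deb
SHA256: {GOOD_SHA}

Package: traversal
Filename: ../../etc/cron.d/traversal_1.0_all.deb
SHA256: {GOOD_SHA}
"""
SAMPLE_RELEASE = f"""SHA256:
 {hashlib.sha256(SAMPLE_PACKAGES.encode()).hexdigest()} {len(SAMPLE_PACKAGES.encode())} main/binary-all/Packages
"""

def demo():
    """Build a throwaway cache holding a good, a tampered and an unlisted .deb."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("good_1.0_all.deb", GOOD_BYTES),
                           ("tampered_1.0_all.deb", GOOD_BYTES + b"\0"),
                           ("stray_1.0_all.deb", b"never in the index")]:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return verify_cache(SAMPLE_PACKAGES, d)

if __name__ == "__main__":
    print(packages_matches_release(SAMPLE_RELEASE, SAMPLE_PACKAGES, "main/binary-all/Packages"), demo())
```

On a real system the index is the Packages file apt stored under /var/lib/apt/lists/ for the mirror in question, index_path is the path exactly as it appears in Release (for example main/binary-i386/Packages), and the cache directory is /var/cache/apt/archives/; only run verify_cache after packages_matches_release and the gpgv check on Release have both passed, since a hash from an unverified index proves nothing. The check keys on the basename of Filename because that is what apt keeps in the cache, and it deliberately trusts only the SHA256 field even though indexes of that period also carry MD5Sum and SHA1. As the reply above notes, a mismatch means a file on the local disk has changed after apt verified it, so the host itself is suspect and the checker's own output on that host is not conclusive; copy the cache and index to a clean machine (or boot from trusted media) before drawing conclusions.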