
Re: How to verify package integrity after they have been downloaded?



"Alexander Konovalenko" <alexkon@gmail.com> writes:

> I would like to verify that some .deb files I downloaded a while ago
> (using apt) haven't been tampered with. (Actually, I'll be doing this
> kind of thing more than once.) I have the appropriate Release,
> Release.gpg and Packages files.

From the top of my head:

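# Emit Filename, Size and MD5sum per package (-n drops the field names),
# then join each four-line record (three values + blank line) into one line
grep-dctrl "" -n -s Filename,Size,MD5sum dists/lenny/*/binary-*/Packages \
| paste -s -d"   \n" \
| while read -r FILE SIZE MD5SUM; do
    # Split name_version_arch.deb into its parts
    NAME=$(basename "$FILE" | cut -d_ -f1)
    VER=$(basename "$FILE" | cut -d_ -f2)
    ARCH=$(basename "$FILE" | cut -d_ -f3)
    # Look for the matching file among the downloaded .debs
    find dir/with/debs -name "${NAME}_*${VER}_${ARCH}" \
    | while read -r F; do
        MD5=$(md5sum "$F" | cut -b-32)
        S=$(wc -c < "$F")
        if ! [ "$MD5SUM" = "$MD5" ]; then
          echo "MD5sum mismatch in $F"
        fi
        if ! [ "$SIZE" = "$S" ]; then
          echo "Size mismatch in $F"
        fi
      done
  done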

Regards
        Goswin
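
An added example, not part of the original post: the question mentions Release, Release.gpg and Packages, so this sketch checks the whole chain (signature on Release, Packages against Release, .deb against Packages) using SHA256. It assumes the Release and Packages files carry SHA256 entries and that gpgv and a trusted keyring are available; the function names and sample paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: SHA256 chain Release -> Packages -> .deb.
# Function names and sample paths are hypothetical.

# Check the detached signature on Release (needs gpgv and a trusted keyring).
verify_release_sig() {  # args: keyring Release.gpg Release
    gpgv --keyring "$1" "$2" "$3"
}

# Print the SHA256 that Release lists for an index path, or nothing.
release_sha256() {  # args: Release path-as-listed
    awk -v p="$2" '
        /^[^ ]/ { insec = ($1 == "SHA256:") }   # header line opens a section
        insec && /^ / && $3 == p { print $1; exit }' "$1"
}

# Print the SHA256 that Packages lists for a pool Filename, or nothing.
packages_sha256() {  # args: Packages Filename
    awk -v f="$2" '
        /^Filename: / { hit = ($2 == f) }
        /^SHA256: /   { sum = $2 }
        /^$/          { if (hit) exit; sum = "" }   # end of paragraph
        END           { if (hit) print sum }' "$1"
}

# Succeed only if the file hashes to a non-empty expected value.
sha256_matches() {  # args: file expected
    [ -n "$2" ] && [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Return 0 if both links hold, 1 if Packages fails, 2 if the .deb fails.
verify_deb() {  # args: Release Packages path-as-listed deb Filename
    sha256_matches "$2" "$(release_sha256 "$1" "$3")" ||
        { echo "Packages does not match Release" >&2; return 1; }
    sha256_matches "$4" "$(packages_sha256 "$2" "$5")" ||
        { echo "SHA256 mismatch in $4" >&2; return 2; }
}

# Write constructed sample files under directory $1 (not real archive data).
make_sample() {
    mkdir -p "$1/pool"
    printf 'constructed package body\n' > "$1/pool/foo_1.0_all.deb"
    printf 'Package: foo\nFilename: pool/foo_1.0_all.deb\nSHA256: %s\n\n' \
        "$(sha256sum "$1/pool/foo_1.0_all.deb" | cut -d' ' -f1)" > "$1/Packages"
    printf 'Suite: sample\nSHA256:\n %s %s main/binary-all/Packages\n' \
        "$(sha256sum "$1/Packages" | cut -d' ' -f1)" \
        "$(wc -c < "$1/Packages")" > "$1/Release"
}
```

Call verify_release_sig first and stop if it fails: the hash comparisons only carry weight once Release itself has been authenticated.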

