
Re: Integrity check against package repository?



Hello

Thank you for starting this thread!!!

The command that you are referring to is (would be) a functional
equivalent to Red Hat's "rpm -v all" command. Reference -

I have looked into doing this in Debian and am very sad to see that
there is no equivalent command in Debian, further *disappointed* when I
discovered how Debian is doing integrity checks!!! (And with myself for
not knowing this sooner)

It has been a few weeks since I looked into this, and I do not have the
time to do it again, but from what I recall, apt et al. check the
downloaded *.deb files' hash against what was in the index file
downloaded from the same server; the Packages or Release files I
believe.

So, it really depends on how you define integrity...

	If you consider integrity to be paired with authenticity, as I do,
then bad news.
	If you consider integrity to be uncorrupted yet possibly unauthentic
data, then I bet we would not be having this conversation.

So, until *Debian starts signing all packages* we have to do this a hard
and suboptimal way that is still defeatable, but not as easily as if we
did not intervene.

My suggestion is to develop some scripts around some N-of-N type logic...

Make a central "update server" - perhaps implemented by mirroring the
appropriate directories for your stuff on a Debian mirror. 

Using completely separate infrastructure, retrieve the packages and
release files from the same Debian mirror, and others.

Repeat the above line on a third separate infrastructure.

Run a diff on the index files independently retrieved and see if there
is a quorum on what the expected hash for each package is. If that hash
matches the hash you just mirrored locally, then I think you can feel
comfortable that you are not installing any malicious package...

Now that you have (great?) reason to believe the .debs you are about to
install are legitimate, I suggest you continue the concept and extract,
not install, those files to a specific location, then create a hash from
the resulting files.

Patch some test servers, and compare the newly installed files against
what you created in the line above.

A Debian package integrity checker is essentially what you would have
made if you did the above, at least it seems to me.

The tools you mentioned for file integrity checking are all doing the
same thing really, with the huge exception that doing what I have put
forth would provide you with data you can consider authentic for which
your file integrity checkers can validate against. Such a shame they
lack the necessary logic... ;)

It's not about the hash, it's about the authenticity.


...


Oh Debian admins/developers,

What say you?

Is this something you are currently creating a better solution to?

Is some of the logic I have suggested something that can be added to apt
or, better, dpkg? Excluding the "completely separate infrastructure" bit,
perhaps requiring some type of quorum? Perhaps resolving each Debian
mirror's IP address using different and random DNS servers from a list
of publicly accessible recursive DNS servers?


...

So I was just looking around on a mirror, and it seems that Debian is
already fixing this large problem. I say that because if you look at the
InRelease file, it is signed.

However, I do not see aptitude update retrieving the InRelease file,
only the Release file.

Even then, it is an HTTP connection, and we still rely on what one
server says, and the GPG signature is provided by the same server...
Something needs to be signed.

Putting the GPG key in a TXT record in Debian.org's namespace seems like a
cool idea, for instance, when apt/dpkg knows to check it. Signed zones
would be expected and necessary of course, but I think that would be
awesome.

This way, Debian controls authenticity by providing signed data we can
use to validate packages, and packages can still be distributed freely
over http by all the great mirror providers, without diminishing
security. It makes a three-party system.


Thanks for the topic adrelanos!!!


On Tue, 2013-04-30 at 01:29 +0000, adrelanos wrote:
> Hi!
> 
> When there are security updates, I review and install them as soon as
> possible and think about using automatic updates.
> 
> From time to time I want to boot from a clean boot CD and check if the
> system has been compromised.
> 
> For that reason, I want to check if any packages / binaries have been
> modified, check the bootloader, check for rootkits.
> 
> Let's suppose I booted from a clean boot CD and mounted the hdd filesystem.
> 
> How can I get a list of all sha256 hash sums of all installed binaries and
> configuration files and check them against the versions from Debian
> repository?
> 
> I have looked into intrusion detection systems (debsums), Afick, AIDE,
> FCheck, Integrit, Osiris, OSSEC, Samhain, Tripwire, but they all have in
> common that they want to create a known-good database before auditing.
> This doesn't scale very well, because updates are pretty frequent, which
> render that known-good database less useful. Re-creating the known-good
> database after updating isn't very safe either - let's say apt-get had a
> bug and installed a malicious package, then the checksum of that
> malicious package would end up in the known-good database.
> 
> I think the real solution is checking against the distribution's package
> repository. How can I do that?
> 
> Cheers,
> adrelanos
> 
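The quorum idea from the reply above (compare Packages indexes retrieved over independent paths, then check locally mirrored .debs against the agreed hash), written out as an added example that is not part of this thread. It assumes the real Packages-index layout (stanzas with `Filename:` and `SHA256:` fields); the .deb bytes and index copies are constructed inline. It does not replace verifying the signed Release/InRelease file: a quorum only catches one bad path, not a compromised origin.

```python
import hashlib
from collections import Counter

def parse_packages(text: str) -> dict:
    # Map Filename -> SHA256 for each stanza of a Packages index.
    result = {}
    for stanza_text in text.strip().split("\n\n"):
        fields = {}
        for line in stanza_text.splitlines():
            if ":" in line and not line.startswith(" "):  # skip folded lines
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Filename" in fields and "SHA256" in fields:
            result[fields["Filename"]] = fields["SHA256"].lower()
    return result

def quorum_hashes(copies: list, needed: int) -> dict:
    # Per filename, the hash at least `needed` copies agree on, else None.
    parsed = [parse_packages(c) for c in copies]
    out = {}
    for name in set().union(*parsed):
        digest, count = Counter(p[name] for p in parsed if name in p).most_common(1)[0]
        out[name] = digest if count >= needed else None
    return out

def verify_mirror(local_debs: dict, copies: list, needed: int) -> dict:
    # Verdict per locally mirrored .deb: 'ok', 'mismatch' or 'no-quorum'.
    expected = quorum_hashes(copies, needed)
    verdicts = {}
    for name, data in local_debs.items():
        want = expected.get(name)
        if want is None:
            verdicts[name] = "no-quorum"
        else:
            actual = hashlib.sha256(data).hexdigest()
            verdicts[name] = "ok" if actual == want else "mismatch"
    return verdicts
# Constructed sample data: these bytes stand in for real archive .deb files.
LOCAL_DEBS = {
    "pool/main/f/foo/foo_1.0_amd64.deb": b"constructed foo package bytes",
    "pool/main/b/bar/bar_2.1_amd64.deb": b"constructed bar package bytes",
}
FOO, BAR = LOCAL_DEBS
GOOD = {n: hashlib.sha256(d).hexdigest() for n, d in LOCAL_DEBS.items()}
def stanza(name: str, digest: str) -> str:
    return f"Package: {name.split('/')[3]}\nFilename: {name}\nSHA256: {digest}\n"
# Three index copies as if fetched over independent paths; copy 3 disagrees on bar.
INDEX_COPIES = [stanza(FOO, GOOD[FOO]) + "\n" + stanza(BAR, GOOD[BAR]),
                stanza(FOO, GOOD[FOO]) + "\n" + stanza(BAR, GOOD[BAR]),
                stanza(FOO, GOOD[FOO]) + "\n" + stanza(BAR, "f" * 64)]
```

With `needed=2` both packages pass (two of three copies agree on bar); with `needed=3` bar is reported as `no-quorum` rather than trusted.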


