
Re: How to securely verify that package-installed files match originals?

I haven't tried it with your use case, but you may be able to use
debsums[1] for this.  I know it has a bunch of options, including
options to specify a list of checksums and directory to check.

[1] https://tracker.debian.org/pkg/debsums

On Thu, Jan 14, 2021 at 05:56:29PM +0700, Erik Poupaert wrote:
> I understand that I can run the following command to verify the
> installation footprint of a package:
> dpkg -V <package>
> The reason why I am carrying out this audit is, however, because I somehow
> suspect that the system could be compromised.
> If the attacker has managed to subvert <package>, he could also have
> managed to subvert the dpkg audit command itself. Therefore, I cannot trust
> the self-referential audit:
> dpkg -V dpkg
> Therefore, I want to run the self-audit of the dpkg command from another
> system.
> So, I mount the disk of this computer as folder /mnt/audit in my second
> computer, which I still trust. Now, I want to audit the installation
> footprint of dpkg in /mnt/audit from this second computer.
> What command do I execute next on my second computer? Is there an option
> that allows me to do something similar to the following:
> dpkg -V dpkg --remote-target /mnt/audit
> Is there a way to audit the installation footprint of a package on one
> computer from a second computer?

GPG: 5CDD 0C9C F446 BC1B 2509  8791 1762 E022 7034 CF84
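As an added example (not from either poster), here is the kind of check the original question asks for, done with the trusted machine's own md5sum against the mounted root: the checksum list is assumed to be in dpkg's md5sums format, taken not from the suspect disk but from a copy of the .deb fetched on the trusted side (for instance with `dpkg-deb -e pkg.deb ctl`, which leaves it in ctl/md5sums); the function name verify_root and the sample tree are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify package files inside an offline-mounted root
# (the thread's /mnt/audit) against a checksum list held on the trusted
# machine. Nothing on the mounted disk is executed; only its file
# contents are read, so a subverted dpkg or debsums there cannot lie.
#
# List format is dpkg's md5sums format: "<md5>  <path relative to root>".

# verify_root ROOT LIST
#   exit 0  every listed file exists under ROOT and matches
#   exit 1  at least one file is missing, unreadable or altered
#   exit 2  ROOT is not a directory
verify_root() {
    root=$1
    list=$2
    # Make LIST absolute before changing directory so a relative path works.
    case $list in /*) ;; *) list="$PWD/$list" ;; esac
    [ -d "$root" ] || { echo "verify_root: no such root: $root" >&2; return 2; }
    # --strict makes malformed list lines an error instead of a silent skip;
    # --quiet prints only failing files, so a clean run prints nothing.
    ( cd "$root" && md5sum -c --strict --quiet -- "$list" )
}

# Demonstration on a constructed tree standing in for /mnt/audit.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/usr/bin"
    printf 'original binary\n' > "$tmp/root/usr/bin/tool"
    # The list would normally come from the trusted .deb; built here inline.
    ( cd "$tmp/root" && md5sum usr/bin/tool ) > "$tmp/tool.md5sums"
    verify_root "$tmp/root" "$tmp/tool.md5sums" && echo "untouched tree: OK"
    printf 'replaced binary\n' > "$tmp/root/usr/bin/tool"
    verify_root "$tmp/root" "$tmp/tool.md5sums" || echo "tampering detected"
    rm -rf "$tmp"
}
demo
```

Files listed as conffiles are expected to differ after local configuration, so a FAILED line for one of those needs a look at the content rather than being taken as compromise on its own.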
