some sort of validation about a .deb package when a .deb package is installed.



Hi all,

I had asked this at
http://meetings-archive.debian.net/pub/debian-meetings/2016/debconf16/The_past_year_in_APT.webm
but am just putting it on record. If there is a bug or feature request
already opened about the issue please direct me to it; if not, would
a bug report be entertained?

I was not able to elaborate my query as time was short hence
elaborating herein.

Sometimes, you go to a remote location and need to install a package
or group of packages and internet is not available. So the only way
I'm able to install the package or group of packages is by doing
either -

$ sudo dpkg -i filename.deb filename2.deb and so on and so forth

OR

$ sudo apt install filename.deb filename2.deb

Now for the sake of argument and to make it easier, let's also assume
that the package index is updated remotely. If nothing else then just
copying the lists which are generated and kept in /var/lib/apt/lists .
If both the systems share the same hardware architecture, i.e. i386 or
amd64, then there shouldn't be any problem. At least there hasn't been,
as I have done it in a few places.

Now the only problem is when I'm installing the .deb package either
using dpkg or apt install there doesn't seem to be a way to know that
the package hasn't been compromised in any way or is there?

I am assuming and presuming that the package lists at
/var/lib/apt/lists have not just the name, release version and
description but also checksums such as md5, sha1sum, sha256sum and so
on and so forth.

Most of the tools do show that information, for instance -

[$] axi-cache show apt

Package: apt
Version: 1.3~pre2
Installed-Size: 3319
Maintainer: APT Development Team <deity@lists.debian.org>
Architecture: amd64
Replaces: apt-utils (<< 1.3~exp2~), bash-completion (<<
1:2.1-4.2+fakesync1), manpages-it (<< 2.80-4~), manpages-pl (<<
20060617-3~), openjdk-6-jdk (<< 6b24-1.11-0ubuntu1~), sun-java5-jdk
(>> 0), sun-java6-jdk (>> 0)
Depends: libapt-pkg5.0 (>= 1.3~pre2), libc6 (>= 2.15), libgcc1 (>=
1:3.0), libstdc++6 (>= 5.2), init-system-helpers (>= 1.18~),
debian-archive-keyring, gpgv | gpgv2, adduser
Recommends: gnupg | gnupg2
Suggests: aptitude | synaptic | wajig, dpkg-dev (>= 1.17.2), apt-doc,
python-apt, powermgmt-base
Breaks: apt-utils (<< 1.3~exp2~), manpages-it (<< 2.80-4~),
manpages-pl (<< 20060617-3~), openjdk-6-jdk (<< 6b24-1.11-0ubuntu1~),
sun-java5-jdk (>> 0), sun-java6-jdk (>> 0)
Description-en: commandline package manager
 This package provides commandline tools for searching and
 managing as well as querying information about packages
 as a low-level access to all features of the libapt-pkg library.
 .
 These include:
  * apt-get for retrieval of packages and information about them
    from authenticated sources and for installation, upgrade and
    removal of packages together with their dependencies
  * apt-cache for querying available information about installed
    as well as installable packages
  * apt-cdrom to use removable media as a source for packages
  * apt-config as an interface to the configuration settings
  * apt-key as an interface to manage authentication keys
Description-md5: 9fb97a88cb7383934ef963352b53b4a7
Tag: admin::package-management, devel::lang:ruby, hardware::storage,
 hardware::storage:cd, implemented-in::c++, implemented-in::perl,
 implemented-in::ruby, interface::commandline, network::client,
 protocol::ftp, protocol::http, protocol::ipv6, role::program,
 scope::application, scope::utility, sound::player, suite::debian,
 use::downloading, use::organizing, use::searching, works-with::audio,
 works-with::software:package, works-with::text
Section: admin
Priority: important
Filename: pool/main/a/apt/apt_1.3~pre2_amd64.deb
Size: 1148190
MD5sum: 0637dc1788fbc25b50b8d6c3b3be0e6c
SHA1: 5c0457544cd8d5a2e60b3f6814c9a781374fa040
SHA256: 94e0b7f05b7170dc35e1a39ddbb11b4641adeea8de622fbb7a3a9fa3b0fe7018

Now when installation is happening and the index is updated, if I do
either a $ sudo dpkg -i Packagename.deb or $ sudo apt install
packagename.deb, is there some checksumming to know if the package
being installed is correct or fishy?

What if I were an evil man. I could easily extract the archived .deb
package, add my evil thingie (say a key logger), re-pack
it and then copy the same onto the other person's lappy without him
knowing (a classic man-in-the-middle attack). Even if the sha256sum is
there, as can be seen by invoking any package name in $ axi-cache show
$PACKAGE-NAME, it wouldn't trigger that a false .deb has been trying to
install. Is this true?

Looking forward to knowing more.

-- 
          Regards,
          Shirish Agarwal  शिरीष अग्रवाल
  My quotes in this email licensed under CC 3.0
http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com
EB80 462B 08E1 A0DE A73A  2C2F 9F3D C7A4 E1C4 D2D8
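An added example, not part of the mail above and not code from apt or dpkg: a small shell script that performs the comparison the mail asks about by hand. It looks up the SHA256 that a Packages-format index (the format of the files kept under /var/lib/apt/lists) records for a .deb whose Filename basename matches the local file, and compares it with the sha256sum of that file before the file would be handed to dpkg. The index and the .deb files it operates on are constructed inline for the demo, and the function names index_sha256, verify_deb and setup_fixture are the example's own.

```shell
#!/bin/sh
# Added example (not from the original mail or from apt/dpkg): check a local
# .deb against the SHA256 recorded for it in an APT Packages index before
# installing it. All sample data below is constructed for the demo.

# Hash a file; sha256sum is coreutils, shasum is the fallback on BSD/macOS.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Print the SHA256 the index records for the stanza whose "Filename:" ends in
# the given basename. Stanzas are blank-line separated, so awk's paragraph
# mode (RS="") gives one record per package and one field per line.
index_sha256() {
    index="$1"; name="$2"
    awk -v want="$name" 'BEGIN { RS = ""; FS = "\n" }
    {
        fn = ""; sum = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Filename: /) { fn  = substr($i, 11) }
            if ($i ~ /^SHA256: /)   { sum = substr($i, 9) }
        }
        n = split(fn, parts, "/")
        if (fn != "" && parts[n] == want) { print sum; exit }
    }' "$index"
}

# Compare a local .deb with its index entry.
# Returns 0 on match, 1 on mismatch, 2 when the index has no entry for it.
verify_deb() {
    index="$1"; deb="$2"
    expected=$(index_sha256 "$index" "$(basename "$deb")")
    if [ -z "$expected" ]; then
        echo "NO ENTRY: $(basename "$deb") is not listed in $index"
        return 2
    fi
    actual=$(file_sha256 "$deb")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $deb matches the index SHA256"
        return 0
    fi
    echo "MISMATCH: $deb index=$expected file=$actual"
    return 1
}

# Build a constructed index plus a genuine and a modified copy of a package
# under $1. The index uses the Filename seen in the mail's axi-cache output.
setup_fixture() {
    dir="$1"
    mkdir -p "$dir/tampered"
    printf 'constructed, not a real package\n' > "$dir/apt_1.3~pre2_amd64.deb"
    sum=$(file_sha256 "$dir/apt_1.3~pre2_amd64.deb")
    cat > "$dir/Packages" <<EOF
Package: zzz-other
Version: 1.0
Filename: pool/main/z/zzz-other/zzz-other_1.0_amd64.deb
SHA256: 0000000000000000000000000000000000000000000000000000000000000000

Package: apt
Version: 1.3~pre2
Architecture: amd64
Filename: pool/main/a/apt/apt_1.3~pre2_amd64.deb
Size: 32
SHA256: $sum
EOF
    # Same file name as the index entry, but with extra bytes appended.
    cp "$dir/apt_1.3~pre2_amd64.deb" "$dir/tampered/apt_1.3~pre2_amd64.deb"
    printf 'extra payload\n' >> "$dir/tampered/apt_1.3~pre2_amd64.deb"
}

# Demo: the untouched copy verifies, the modified copy does not.
tmp=$(mktemp -d)
setup_fixture "$tmp"
verify_deb "$tmp/Packages" "$tmp/apt_1.3~pre2_amd64.deb" || true
verify_deb "$tmp/Packages" "$tmp/tampered/apt_1.3~pre2_amd64.deb" || true
rm -rf "$tmp"
```

Against a real system the call is verify_deb with one of the *_Packages files from /var/lib/apt/lists and the local .deb, whose name must equal the basename of the index's Filename field. The check only ever tells you whether the file matches the copied index, so the index itself has to come from a source you trust (the signed Release file that apt validates on the online machine); a copied index that was altered along with the package would match just as well.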