-----Original Message-----
From: Julien Stuby [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 5 April 2008 21:19
To: '[email protected]'
Subject: RE: How to verify package integrity after they have been downloaded?

Hi,

If some packages are locally modified, this suggests that your local system is already compromised. :¬

From: Alexander Konovalenko [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 5 April 2008 06:11
To: [email protected]
Subject: How to verify package integrity after they have been downloaded?

I would like to verify that some .deb files I downloaded a while ago (using apt) haven't been tampered with. (Actually, I'll be doing this kind of thing more than once.) I have the appropriate Release, Release.gpg and Packages files.

As the apt-secure(8) manual page states, apt verifies the integrity of the .deb packages when it downloads them. But it doesn't do so when installing from cache. To make sure, I manually modified a .deb file in /var/cache/apt/archives/ and installed that package with apt-get. The modified package was installed without any warnings. (I'm working on Ubuntu 7.10, but I think there's no difference here between Debian and Ubuntu. Please correct me if I'm wrong.)

I can verify the signature of the Release file and check the hash sum of the Packages file by hand. But there are a lot of .deb files to verify. I could write a script that would parse the Packages file and extract the checksums so that its output could be fed to the {md5,sha1,sha256}sum -c commands. But it would take considerable effort to make the script robust enough so that it doesn't break on new or malicious Packages files.

Is there a simpler way to verify the integrity of .deb packages that were downloaded with apt?

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
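One way to do the check the question describes, as an added example that is not part of this thread: a small Python script that parses a Packages file defensively and compares each cached .deb's size and SHA256 against it. It assumes the Release signature and the Packages hash have already been verified by hand as described above; the Packages stanzas, .deb bytes and cache directory used in demo() are constructed, and a real run would point verify_cache() at the verified Packages file and /var/cache/apt/archives/.

```python
import hashlib
import os
import tempfile

def parse_packages(text):
    """Parse Packages stanzas into {basename: (sha256, size)}. Continuation lines
    are folded, unknown fields ignored, and stanzas lacking a well-formed
    Filename/Size/SHA256 are skipped rather than crashing the check. Only the
    basename is kept (apt's cache is flat), so a hostile "../" Filename goes nowhere."""
    wanted, stanza, last = {}, {}, None
    def flush():
        fn, h, size = stanza.get("filename"), stanza.get("sha256", "").lower(), stanza.get("size", "")
        if fn and len(h) == 64 and set(h) <= set("0123456789abcdef") and size.isdigit():
            wanted[os.path.basename(fn)] = (h, int(size))
    for line in text.splitlines():
        if not line.strip():
            flush(); stanza, last = {}, None
        elif line[0] in " \t" and last:
            stanza[last] += line.strip()
        elif ":" in line:
            key, _, val = line.partition(":")
            last = key.strip().lower()
            stanza[last] = val.strip()
    flush()
    return wanted

def verify_cache(packages_text, cache_dir):
    """Return {basename: 'ok'|'mismatch'|'missing'} for every .deb the Packages file lists."""
    results = {}
    for name, (want_hash, want_size) in parse_packages(packages_text).items():
        path = os.path.join(cache_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"; continue
        with open(path, "rb") as f:
            data = f.read()
        # size is compared as well, so a truncated or padded file fails before hashing
        good = len(data) == want_size and hashlib.sha256(data).hexdigest() == want_hash
        results[name] = "ok" if good else "mismatch"
    return results

def demo():
    """Constructed sample: one intact cache file, one altered after download, one never downloaded."""
    debs = {"hello_2.2-2_i386.deb": b"constructed hello", "zlib1g_1.2.3_i386.deb": b"constructed zlib",
            "bash_3.2_i386.deb": b"constructed bash, never downloaded"}
    packages = "\n".join(f"Package: {n.split('_')[0]}\nFilename: pool/main/{n}\nSize: {len(d)}\n"
                         f"SHA256: {hashlib.sha256(d).hexdigest()}\n" for n, d in debs.items())
    with tempfile.TemporaryDirectory() as cache:
        for n in list(debs)[:2]:  # bash is listed in Packages but was never downloaded
            with open(os.path.join(cache, n), "wb") as f:
                f.write(debs[n] + (b"!" if n.startswith("zlib") else b""))  # zlib's copy is tampered
        return verify_cache(packages, cache)
```

Anything reported as "mismatch" should be deleted from the cache and re-fetched, since apt re-verifies on download but not on install from cache.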

