[vox-tech] Verify Ubuntu files

Rick Moen rick at linuxmafia.com
Tue Aug 12 01:30:48 PDT 2008


Quoting Brian Lavender (brian at brie.com):

> I thought maybe with a live CD, that you could verify against a deb
> package repository.

Hmm, interesting problem.  Let's think about it.

The most obvious way would probably not be practical:  The binary .debs
you originally installed from were in many cases shipped with the
md5sum values of all included files.  _If_ you were (hypothetically)
able to trust /var/lib/dpkg/info/*.md5sums , then "debsums -ca" would
check md5sum signatures against those files -- but those md5sum files
cannot be trusted on a suspect system any more than /var/lib/rpm/* can
on an RPM-based system.[1]

_If_ you could rebuild an equivalent of /var/lib/dpkg/info/*.md5sums
inside your live CD, working from repository info, then you could run
"debsums -ca" against that.  But the independent clause ("if...") of
that conditional sounds problematic.  ;->

If you had on trustworthy media, or could re-fetch, the .deb files from
which you had built your system, you could try this on them, which
Joey Hess said (a couple of years ago) that he keeps around as shell 
script "verifydeb":

#!/bin/sh
# verifydeb: compare the package's file tree against the live filesystem;
# "tar -d" prints every file whose contents, mode or owner differ, or which is missing.
dpkg --fsys-tarfile "$1" | tar -C / -d


Anthony Towns's script apt-check-sigs is also worth looking through (though
I've not looked at it in years):
http://people.debian.org/~ajt/apt-check-sigs

Apologies for not being able to give you a definitive answer, but I'm
dead-tired, and hope the URL pointers are useful.


[1] As this topic has come up more than a few times on various mailing
lists, I have more on the subject here:  "Package Signing" on
http://linuxmafia.com/kb/Debian/
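The second approach in the message above (rebuild the equivalent of /var/lib/dpkg/info/*.md5sums from a trusted copy of the .deb, then check a root mounted from a live CD against it) can be done without relying on anything on the suspect disk. The script below is an added example, not code from the post, from debsums or from dpkg: it parses the .deb's outer ar container and data.tar member directly, recomputes the md5 of every shipped file (md5 because that is what dpkg's .md5sums files carry), and reports each path under a given root as ok, modified or missing. The function names are this example's own, and the package it checks is a constructed in-memory fixture standing in for a .deb re-fetched from a mirror or read from trusted media.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Hypothetical helper names (ar_members, md5sums_from_deb, verify_root,
# build_sample_deb) belong to this example, not to debsums or dpkg.


def ar_members(data: bytes) -> dict:
    """Split a .deb (a plain 'ar' archive) into {member name: bytes}."""
    if data[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        name = hdr[0:16].decode().strip().rstrip("/")  # GNU ar may append '/'
        size = int(hdr[48:58].decode().strip())
        pos += 60
        members[name] = data[pos:pos + size]
        pos += size + (size % 2)  # members are padded to even offsets
    return members


def md5sums_from_deb(deb: bytes) -> dict:
    """Recompute the md5sum of every regular file in data.tar.*, i.e. rebuild the
    equivalent of /var/lib/dpkg/info/<pkg>.md5sums from the package itself instead
    of trusting the dpkg database on the suspect system."""
    members = ar_members(deb)
    data_name = next(n for n in members if n.startswith("data.tar"))
    sums = {}
    # mode 'r' lets tarfile autodetect gzip, bzip2 or xz compression
    with tarfile.open(fileobj=io.BytesIO(members[data_name])) as tf:
        for m in tf:
            if m.isreg():
                rel = m.name[2:] if m.name.startswith("./") else m.name.lstrip("/")
                sums[rel] = hashlib.md5(tf.extractfile(m).read()).hexdigest()
    return sums


def verify_root(sums: dict, root: str) -> dict:
    """Check each expected path under 'root' (e.g. the suspect disk mounted
    read-only from a live CD). Returns {path: 'ok' | 'modified' | 'missing'}."""
    report = {}
    for rel, expected in sums.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report[rel] = "missing"
            continue
        with open(path, "rb") as fh:
            actual = hashlib.md5(fh.read()).hexdigest()
        report[rel] = "ok" if actual == expected else "modified"
    return report


def build_sample_deb(files: dict) -> bytes:
    """Constructed test fixture: a minimal .deb (debian-binary, control.tar.gz,
    data.tar.gz) assembled in memory. Not a real Ubuntu package."""
    def tar_gz(entries):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for name, body in entries.items():
                info = tarfile.TarInfo(name)
                info.size = len(body)
                tf.addfile(info, io.BytesIO(body))
        return buf.getvalue()

    def ar_member(name, body):
        # 60-byte ar header: name16 mtime12 uid6 gid6 mode8 size10 magic2
        hdr = f"{name:<16}{'0':<12}{'0':<6}{'0':<6}{'100644':<8}{len(body):<10}`\n".encode()
        return hdr + body + (b"\n" if len(body) % 2 else b"")

    control = tar_gz({"./control": b"Package: sample\nVersion: 1.0\nArchitecture: all\n"})
    data = tar_gz({"./" + rel: body for rel, body in files.items()})
    return (b"!<arch>\n" + ar_member("debian-binary", b"2.0\n")
            + ar_member("control.tar.gz", control) + ar_member("data.tar.gz", data))


def demo() -> dict:
    """Build the sample package, lay out a 'suspect root' with one intact, one
    tampered and one missing file, and verify it against sums taken from the .deb."""
    files = {  # constructed package contents
        "usr/bin/sample": b"#!/bin/sh\necho sample\n",
        "etc/sample.conf": b"debug=0\n",
        "usr/lib/sample/helper.so": b"\x7fELF-not-really\n",
    }
    sums = md5sums_from_deb(build_sample_deb(files))
    with tempfile.TemporaryDirectory() as root:
        on_disk = {
            "usr/bin/sample": files["usr/bin/sample"],  # untouched
            "etc/sample.conf": b"debug=1\n",            # locally modified
            # usr/lib/sample/helper.so deliberately absent
        }
        for rel, body in on_disk.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return verify_root(sums, root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:<9} {path}")
```

Against a real system you would call md5sums_from_deb on each .deb read from trusted media and verify_root with the mount point of the suspect disk; "modified" hits in /etc are expected for locally edited conffiles, so the interesting findings are changes under /bin, /sbin, /usr and /lib, and any "missing" entry.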

