Subject: TR: How to verify package integrity after they have been downloaded?
Group: Debian-security
From: Julien Stuby
Date: 5 Apr 2008

-----Original Message-----
From: Julien Stuby [mailto:julien.stuby]
Sent: Saturday, 5 April 2008 21:19
To: 'debian-security'
Subject: RE: How to verify package integrity after they have been downloaded?

Hi,

If some packages are locally modified, this suggests that your local system is already compromised.


From: Alexander Konovalenko [mailto:alexkon]
Sent: Saturday, 5 April 2008 06:11
To: debian-security
Subject: How to verify package integrity after they have been downloaded?

I would like to verify that some .deb files I downloaded a while ago
(using apt) haven't been tampered with. (Actually, I'll be doing this
kind of thing more than once.) I have the appropriate Release,
Release.gpg and Packages files.

As the apt-secure(8) manual page states, apt verifies the integrity of
the .deb packages when it downloads them. But it doesn't do so when
installing from cache. To make sure, I manually modified a .deb file
in /var/cache/apt/archives/ and installed that package with apt-get.
The modified package was installed without any warnings.

(I'm working on Ubuntu 7.10 but I think there's no difference here
between Debian and Ubuntu. Please correct me if I'm wrong.)

I can verify the signature of the Release file and check the hash-sum
of the Packages file by hand. But there are a lot of .deb files to
verify. I could write a script that would parse the Packages file and
extract the checksums so that its output could be fed to the
{md5,sha1,sha256}sum -c commands. But it would take considerable
effort to make the script robust enough so that it doesn't break on
new or malicious Packages files.

Is there a simpler way to verify the integrity of .deb packages that
were downloaded with apt?
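The check the original poster describes (parse the Packages file, pull out the expected checksums, compare them against the cached .deb files) can be done in a short script that is defensive about malformed input. The example below is added here and is not code from the thread or from apt; it assumes you have already verified the Release signature and the Packages hash by hand, as described above, so the Packages text it reads is trusted. The sample Packages stanza and the stand-in .deb bytes are constructed for the demo; on a real system you would read /var/lib/apt/lists/*_Packages and point `verify_cache` at /var/cache/apt/archives.

```python
import hashlib
import hmac
import os
import re
import tempfile
from typing import Dict, Iterator, Tuple

# Constructed sample data for the demo: a stand-in for a .deb payload (not a
# real ar archive) and the Packages stanzas that would describe it. The second
# stanza is deliberately malformed to show that bad entries are skipped.
SAMPLE_DEB = b"!<arch>\nconstructed stand-in for a .deb file, not a real package\n"
SAMPLE_PACKAGES = (
    "Package: example\n"
    "Version: 1.0-1\n"
    "Architecture: all\n"
    "Filename: pool/main/e/example/example_1.0-1_all.deb\n"
    f"Size: {len(SAMPLE_DEB)}\n"
    f"SHA256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}\n"
    "Description: constructed sample stanza\n"
    " with a continuation line, as real Packages files have\n"
    "\n"
    "Package: broken\n"
    "Filename: pool/main/b/broken_0.1_all.deb\n"
    "Size: not-a-number\n"
    "SHA256: zz\n"
    "this line has no colon and must be ignored\n"
)

_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def parse_packages(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per blank-line-separated stanza of a Packages file.

    Only 'Key: value' lines are accepted; indented continuation lines are
    appended to the previous field; anything else is dropped rather than
    raised on, so a malformed or hostile index cannot crash the verifier.
    """
    stanza: Dict[str, str] = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            if stanza:
                yield stanza
            stanza, last_key = {}, None
            continue
        if raw[0] in " \t" and last_key:
            stanza[last_key] += "\n" + raw.strip()
            continue
        key, sep, value = raw.partition(":")
        if not sep or not key.strip() or " " in key.strip():
            continue
        last_key = key.strip()
        stanza[last_key] = value.strip()
    if stanza:
        yield stanza


def expected_hashes(text: str) -> Dict[str, Tuple[int, str]]:
    """Map each .deb basename to (Size, SHA256) taken from the Packages file.

    Only the basename of Filename is used (that is how apt names cached
    files, and it neutralises any path components in the field). Entries
    without a well-formed Size and 64-hex-digit SHA256 are skipped.
    """
    out: Dict[str, Tuple[int, str]] = {}
    for st in parse_packages(text):
        name = os.path.basename(st.get("Filename", ""))
        digest = st.get("SHA256", "").lower()
        if not name or not _HEX64.match(digest):
            continue
        try:
            size = int(st.get("Size", ""))
        except ValueError:
            continue
        out[name] = (size, digest)
    return out


def _judge(name: str, size: int, digest: str, expected: Dict[str, Tuple[int, str]]) -> str:
    if name not in expected:
        return "not-in-index"
    want_size, want_digest = expected[name]
    if size != want_size:
        return "size-mismatch"
    return "ok" if hmac.compare_digest(digest, want_digest) else "hash-mismatch"


def verify_bytes(name: str, data: bytes, expected: Dict[str, Tuple[int, str]]) -> str:
    return _judge(name, len(data), hashlib.sha256(data).hexdigest(), expected)


def verify_deb(path: str, expected: Dict[str, Tuple[int, str]]) -> str:
    """Hash the file in chunks so large packages do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return _judge(os.path.basename(path), os.path.getsize(path), h.hexdigest(), expected)


def verify_cache(cache_dir: str, packages_text: str) -> Dict[str, str]:
    """Verify every .deb in cache_dir; returns {filename: verdict}."""
    expected = expected_hashes(packages_text)
    return {n: verify_deb(os.path.join(cache_dir, n), expected)
            for n in sorted(os.listdir(cache_dir)) if n.endswith(".deb")}


def demo(tamper: bool = False) -> Dict[str, str]:
    """Build a throwaway cache dir with an indexed file (optionally with one
    byte flipped, same size) and an unlisted file, then verify it."""
    d = tempfile.mkdtemp()
    data = bytearray(SAMPLE_DEB)
    if tamper:
        data[0] ^= 0xFF
    with open(os.path.join(d, "example_1.0-1_all.deb"), "wb") as f:
        f.write(bytes(data))
    with open(os.path.join(d, "unlisted_9.9_all.deb"), "wb") as f:
        f.write(b"nobody indexed me")
    return verify_cache(d, SAMPLE_PACKAGES)


if __name__ == "__main__":
    for name, verdict in demo(tamper=True).items():
        print(f"{verdict:14} {name}")
```

Two caveats for real use: a "not-in-index" verdict is expected for packages that have since been superseded in the archive, so compare against the Packages file from the time of download rather than the current one; and for packages carrying an epoch, apt's cache filename includes the encoded epoch (`foo_1%3a2.0-1_amd64.deb`) while the pool basename does not, so matching by name alone will miss those and a fuller script should key on the SHA256 value or rebuild the name from the Package, Version and Architecture fields.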

