Score:0

download individual `.deb` package file for integrity verification


I have system runtime measurements which show what files of the packages have been executed by the system. I want to verify the checksum calculated by the Linux kernel's Integrity Management Architecture (IMA) against the official checksum of the package files from the Ubuntu repos.

Example of measurements below:

```
10 bae6e0fe76b1eb0864410323fc013c83ca626a66 ima-ng sha256:c1b65dd1aae2d422d1c6a3b9ae4c50f9cbf25108b8051c5be280ebfe32981456 /usr/bin/dircolors
10 71e4941190fb8601a55f5bc8b6ab284d40df3be9 ima-ng sha256:00fba26dcaa2f6832987e9421c9aa42d9f4d47652e4a25fdf1b92f935ac81989 /usr/bin/sudo
10 d8eb38a20ee87ddf87f20218642cc9059f74cefa ima-ng sha256:212eabe6f44f9e8b720b105c9dbcb9fc67fcc7be5250e608b88b33e8ac436d5a /usr/bin/su
10 a80c90a7f139cd62a1cb0f40adc6dae4f11e535b ima-ng sha256:b4642f4f56e37a506f758a0fce4054ed91470e6ac35fe940eaf18da4883d2d95 /usr/bin/groups
10 5fa6842bd391b0ea52448754bf78cad87754df73 ima-ng sha256:5ae83908197820124d467db6ecc821402d667dd4617d8fab3f0e30dc5ef5a074 /usr/bin/git
10 76101b9b21175328d4f2df1b3aa8002492c7a7b3 ima-ng sha256:65481459b05f8898299b7ef354138dc2ab674438d74cc4c8bf5aeef09a0331e8 /usr/bin/nano
10 84e18b01843fda8fd130e0a500607e55e3aeb16a ima-ng sha256:c2a2db43da333527632872c629465e0fb3f5cbf87115836a7fcda428877589a5 /usr/bin/python3.11
10 45737dc3d038bac2a5e40d085accdd545a692fbd ima-ng sha256:afd18e93eaf9dbea58ce345a2add190efc1b000558dba084417904415439e875 /usr/bin/tpm2
10 b3e35da87c02c9841d2f991e816feb055874d190 ima-ng sha256:db905ca30da311c0bcd005b3d475d22e6fa395c3205ff5f17cdd9a02d830e1fb /usr/bin/x86_64-linux-gnu-g++-12
```

Where do I find the checksums of the individual files of an Ubuntu package? Let's suppose there is a package g++-12 and I can clearly see its provided sha1 & sha256 checksums. But is there any resource which also provides the checksums of all the individual files of the package? I can of course download the .deb file, extract the contents and calculate them manually, but it's not a very efficient solution for my use case.

Artur Meinild
Maybe explain why you need the checksum of individual files, since right now we don't know your use case.
Haris
Thanks for your attention; the description has been updated for clearer understanding.
Score:1

The Debian package system (dpkg and .deb packages) generates MD5 sums internally when packages are installed. Unfortunately, your output only generates SHA1 and SHA256 sums. For this to work, you have to get the measurement to provide MD5 sums for the files.

What happens is that when you install a package with apt/dpkg, an .md5sums file is generated for the package inside the directory /var/lib/dpkg/info.

This means you can easily check the MD5 sum for all files as they were when the package was installed. This can be used to determine if any of the files have been altered after the package was installed.

An example from my own system (Ubuntu 22.04.2). If I run `cat /var/lib/dpkg/info/sudo.md5sums` I get this:

```
e8e2fd5938804db1abb67773f84f5549  usr/bin/cvtsudoers
8176b78ba666fb64e72a3ae6a4851793  usr/bin/sudo
7cd774a8abe0586bdd75fb90c8bcaec7  usr/bin/sudoreplay
3f90917a245d4aafe98bb39a1fb9fa09  usr/include/sudo_plugin.h
9eb3041fcbb7ba1a64664d7a7a13cc15  usr/lib/tmpfiles.d/sudo.conf
8ccb24178b5cef512ac3fef3ad3b44f1  usr/libexec/sudo/audit_json.so
fc97536f5bf479b310cbffd9c5f030ec  usr/libexec/sudo/group_file.so
4410a4f7ce928d5cbc79b5881e26194b  usr/libexec/sudo/libsudo_util.so.0.0.0
c087bda8ff9210f79a94176ca817a4c8  usr/libexec/sudo/sample_approval.so
d8d8ca3f48bda0bb8a3e782379230284  usr/libexec/sudo/sesh
091c0ce05a872050dbe145bf156cea90  usr/libexec/sudo/sudo_intercept.so
d42066a08c1877f738c4c55c570f78e7  usr/libexec/sudo/sudo_noexec.so
4e920ee4b000c0bd9a1659a4368d5fdf  usr/libexec/sudo/sudoers.so
59df52d5f1b4b01740df4abb34294711  usr/libexec/sudo/system_group.so
2f3db27567e8b72955cdccafb8d4750b  usr/sbin/sudo_logsrvd
8f778373024750a98f7412593ac7fa39  usr/sbin/sudo_sendlog
e46edcfbb954c4bd8a599d3d76d53d9a  usr/sbin/visudo
```

... (33 more lines omitted)

If you could get the measurement you run to provide MD5 sums for the files, you could check this value against the values provided in the .md5sums file.

If this is not possible, then it's unfortunate that the dpkg utility uses the old MD5 hashes, while the kernel cannot output these. In this case there might not be a better solution than to calculate the SHA256 checksums yourself directly from the .deb files.
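
The fallback described in the answer above, as an added example that is not part of the original thread: hash the files of an already extracted package and compare them with the `sha256` field of each `ima-ng` record. It assumes the `.deb` was fetched with `apt-get download` and unpacked with `dpkg-deb -x` into a directory; the function names are hypothetical.

```python
import hashlib
import os
import sys

def parse_ima_ng(line):
    """Split one ima-ng record: PCR, template hash, template name, algo:digest, path."""
    parts = line.strip().split(None, 4)
    if len(parts) != 5 or parts[2] != "ima-ng" or ":" not in parts[3]:
        return None
    algo, digest = parts[3].split(":", 1)
    return algo, digest.lower(), parts[4]

def hash_extracted_tree(root):
    """Map absolute-style paths ('/usr/bin/sudo') to the SHA-256 of each regular file."""
    reference = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink has no content of its own to measure
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reference["/" + rel] = digest.hexdigest()
    return reference

def compare(ima_lines, reference):
    """Return {path: status}; a recorded mismatch is never overwritten later."""
    result = {}
    for line in ima_lines:
        parsed = parse_ima_ng(line)
        if parsed is None:
            continue  # blank line, header or a different template
        algo, digest, path = parsed
        if algo != "sha256":
            status = "unsupported-algo"
        elif path not in reference:
            status = "not-in-reference"
        else:
            status = "match" if reference[path] == digest else "mismatch"
        if result.get(path) != "mismatch":
            result[path] = status
    return result

if __name__ == "__main__":
    # Usage: script.py <extracted-deb-dir> <ima-measurement-file>
    with open(sys.argv[2]) as log:
        ref = hash_extracted_tree(sys.argv[1])
        for path, status in sorted(compare(log, ref).items()):
            print(status, path)
```

On a merged-`/usr` system a package may ship a file under `/bin` while IMA records it under `/usr/bin`, so such entries show up as `not-in-reference` unless the paths are normalized first.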
