The officially official Devuan Forum!

You are not logged in.

#1 2018-05-10 09:53:25

slashmais
Member
Registered: 2018-05-10
Posts: 9  

md5sums for packages

I need to these so I can verify the packages on my installation are OK.
Where can I find them for the various releases?

Offline

#2 2018-05-10 11:37:46

Panopticon
Member
Registered: 2018-01-27
Posts: 306  

Re: md5sums for packages

what packages? Devuan packages? Doesn't make sense what you are asking to me, maybe if you were packaging them yourself from upstream perhaps?

Maybe have a read of this as Devuan is a fork of Debian...

https://debian-handbook.info/browse/sta … ation.html

Last edited by Panopticon (2018-05-10 12:16:06)

Offline

#3 2018-05-10 17:56:02

KatolaZ
Member
Registered: 2017-03-11
Posts: 79  

Re: md5sums for packages

I am not sure I fully understand your question, but the sources of all the packages are available from the corresponding deb-src repos (as in Debian).  Moreover, all the packages forked by Devuan are available at https://git.devuan.org/devuan-packages  You can download the source or each package and rebuild it on your own if you like. Moreover, it's git, so you have the whole change history there.

You are sure that the packages installed in your system through dpkg/apt/apt-get/aptitude/synaptic/ come actually from the original Devuan repository because the Release files in the repo are signed with the Devuan archive signing key (the corresponsding public key is distributed within the devuan-keyring package and is available under /usr/share/keyrings/devuan-archive.gpg). apt checks if the Release files you download from a mirror are signed with one of the configured keys. If the signatures are not valid, apt will exit and refuse to install anything.Each Release file contains the SHA256SUMs of all the Packages.gz files in the corresponding suite. Those Packages.gz files contain an RFC822 stanza for each package, and one of the fields in the stanza is the SHA256SUM of the corresponding binary package. That SHA256SUM is checked by dpkg/apt/apt-get/aptitude/synaptic before actually installing the package. If it does not match, the package is not installed. 

In a word: if you trust strong encryption and strong hash functions, you should be almost certain that the stuff you have in your system comes from Devuan. If you don't trust Devuan, you can always download the source and build the packages on your own. If this is still not enough, you'd better try another distro :-)

HTH

KatolaZ

Offline

#4 2018-05-10 18:52:14

rolfie
Member
Registered: 2017-11-25
Posts: 1,047  

Re: md5sums for packages

Hi there,

checksums are normally available only for complete CD/DVD media. Have a look at: https://files.devuan.org/.

Cheers, rolfie

Last edited by rolfie (2018-05-10 18:53:41)

Online

#5 2018-05-11 09:16:55

Panopticon
Member
Registered: 2018-01-27
Posts: 306  

Re: md5sums for packages

^ and Devuan only use sha256 checksum not md5 if i am not mistaken.

slashmais, i believe you would do well to read and try to understand that link i left before commenting any further. The only way you be able to verify an individual package is to package it yourself, Devuan/Debian has taken all that hard work away by creating a packaging system called apt. It is based on trust and there is a security team looking after the vulnerabilities and bugs that may appear from time to time.

Offline

#6 2018-05-11 14:27:48

slashmais
Member
Registered: 2018-05-10
Posts: 9  

Re: md5sums for packages

I've the occasional 'odd' behaviour on my box, and chkrootkit & rkhunter report warnings on some files
as far as I know they were all installed using the official repo's/mirrors, but I'm not the only one using
this box and I'm now also suspicious (paranoid really) of the paths to the mirrors from this box,
and for this reason do not want to go the normal apt & aptitude route, but rather direct to those files/packages
to check the marked files against the true distro packages, md5sums being the quickest & easiest, but will
use this SHA256SUM (need to google it) if need be, if those values are displayed alongside the files
(@panopticon: sorry I was a bit riled)

Offline

#7 2018-05-11 15:28:19

Panopticon
Member
Registered: 2018-01-27
Posts: 306  

Re: md5sums for packages

If chrootkit and rkhunter are reporting warnings maybe you should join their mailing list and report them there. Im not familar with rkhunter but it is a package in devuan stable, interesting.

For rkhunter see this link.

https://unix.stackexchange.com/question … ebi/385904

rkhunter needs to know what package manager you are using.

Create or edit /etc/rkhunter.conf and add the following line:

PKGMGR=DPKG

If you are not on Debian or Ubuntu, then change DPKG for your actual package manager.

This way, rkhunter will know to expect those executables to be scripts, and not flag the false positive.

It will ensure that if the files are tampered with, then a new positive result will show.

I appended the /etc/rkhunter.conf line (read line 405 to 435) to....

# The PKGMGR option tells rkhunter to use the specified package manager to
# obtain the file property information. This is used when updating the file
# properties file ('rkhunter.dat'), and when running the file properties check.
# For RedHat/RPM-based systems, 'RPM' can be used to get information from the
# RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems
# 'BSD' can be used, and for Solaris systems 'SOLARIS' can be used. No value,
# or a value of 'NONE', indicates that no package manager is to be used.
#
# The current package managers, except 'SOLARIS', store the file hash values
# using an MD5 hash function. The Solaris package manager includes a checksum
# value, but this is not used by default (see USE_SUNSUM below).
#
# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
# The 'RPM' package manager additionally provides values for the inode,
# file permissions, uid, gid and other values. The 'SOLARIS' also provides
# most of the values, similar to 'RPM', but not the inode number.
#
# For any file not part of a package, rkhunter will revert to using the
# HASH_CMD hash function instead.
#
# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
#
# The default value is 'NONE'.
#
# Also see the PKGMGR_NO_VRFY and USE_SUNSUM options.
#
# NONE is the default for Debian as well, as running --propupd takes
# about 4 times longer when it's set to DPKG
#
PKGMGR=DPKG

Last edited by Panopticon (2018-05-11 15:44:50)

Offline

#8 2018-05-12 21:29:07

emanym
Member
Registered: 2018-04-08
Posts: 35  

Re: md5sums for packages

<standard disclaimer>
If the machine was rooted, you can't really trust any information it gives you, at the very least you would have to check things with the harddisk in an other computer with a known clean install...
</disclaimer>

I don't think there is a central file with all md5sums for all files from every package, that would be rather large...

Anyway,

1
md5 checksums for installed packeges are in /var/lib/dpkg/info/*md5sums

root@sybilla:/usr/src# cat /var/lib/dpkg/info/cryptsetup.md5sums 
d7601c3ba089035ece91bcac56049fe7  lib/cryptsetup/askpass
0af8af57267ce774b654f463306304ea  lib/cryptsetup/checks/blkid
e7b8f6fbc0dde4ce51901db4df751128  lib/cryptsetup/checks/ext2
743e38e5c3fdb18ba8b59817e0c3debe  lib/cryptsetup/checks/swap

(but you can't really trust those anymore...)

2
You can extract the md5sums for installed files from a .deb package with:

dpkg-deb -e cryptsetup_2%3a1.7.3-4_amd64.deb  cryptsetup-temp

oot@sybilla:/usr/src# head cryptsetup-temp/md5sums 
d7601c3ba089035ece91bcac56049fe7  lib/cryptsetup/askpass
0af8af57267ce774b654f463306304ea  lib/cryptsetup/checks/blkid
e7b8f6fbc0dde4ce51901db4df751128  lib/cryptsetup/checks/ext2
743e38e5c3fdb18ba8b59817e0c3debe  lib/cryptsetup/checks/swap

You would have to download every package you have installed on the pc, and extract the control files...

3
You could find the md5sums for the files that are actually really on your disk with:

find -type f -exec md5sum {} \;
 ...
d7601c3ba089035ece91bcac56049fe7  ./cryptsetup/lib/cryptsetup/askpass
0af8af57267ce774b654f463306304ea  ./cryptsetup/lib/cryptsetup/checks/blkid
e7b8f6fbc0dde4ce51901db4df751128  ./cryptsetup/lib/cryptsetup/checks/ext2
743e38e5c3fdb18ba8b59817e0c3debe  ./cryptsetup/lib/cryptsetup/checks/swap
de97fc546de78c0b93d1d660fe91939b  ./cryptsetup/lib/cryptsetup/checks/un_blkid
 ...

You could then compare the lists from 2 and 3, but it wouldn't really solve  the "was it rooted" problem:

* a malicious file could be anywhere on your harddrive, have any name, etc..
* there are many ways to start something at boot time (/etc/inittab, custom /etc/init.d/*files...

It is probably less work to wipe and reinstall, but i guess that is not an option?

Last edited by emanym (2018-05-12 21:46:49)

Offline

#9 2018-05-13 14:24:30

slashmais
Member
Registered: 2018-05-10
Posts: 9  

Re: md5sums for packages

alas I think emanym is right, clean install is the only real option
& then nit-pick everything in the various home-dirs & study-up on hardening.
thx all

Offline

Board footer