Can dpkg verify files from an installed package?

linux ubuntu debian rpm dpkg

42,062

Solution 1

I don't thinks so, in Ubuntu md5 checksums are only stored for certain files. For any given package the list of files that have checksums can be found in

/var/lib/dpkg/info/<package>.md5sums

e.g

/var/lib/dpkg/info/openssh-server.md5sums

These generally don't contain a complete list of the files that have been installed by a package e.g. openssh-server.md5sums

bb5096cf79a43b479a179c770eae86d8  usr/lib/openssh/sftp-server
42da5b1c2de18ec8ef4f20079a601f28  usr/sbin/sshd
8c5592e0d522fa0f8f55f3c104479ef5  usr/share/lintian/overrides/openssh-server
cfcb67f58bcd1edcaa5a770863e49304  usr/share/man/man5/sshd_config.5.gz
71a51cbb514da3044b277e05a3ceaf0b  usr/share/man/man8/sshd.8.gz
222d4da61fcb3c65b4e6e83944752f20  usr/share/man/man8/sftp-server.8.gz

You can use the debsums command (sudo apt-get install debsums) to check the files that have md5 signatures

debsums openssh-server
/usr/lib/openssh/sftp-server                                                  OK
/usr/sbin/sshd                                                                OK
/usr/share/lintian/overrides/openssh-server                                   OK
/usr/share/man/man5/sshd_config.5.gz                                          OK
/usr/share/man/man8/sshd.8.gz                                                 OK
/usr/share/man/man8/sftp-server.8.gz                                          OK

Solution 2

As in dpkg/1.17.2, it implements --verify option, according to this debian bug report.

Note this is a relatively new change to dpkg. Date: Thu, 05 Dec 2013 04:56:31 +0100 line in the dpkg v1.17.2 package shows this.

Here is a brief description of --verify action quoted from the man page of dpkg.

   -V, --verify [package-name...]
          Verifies  the integrity of package-name or all packages if omit‐
          ted, by comparing information from the installed paths with  the
          database metadata.

          The output format is selectable with the --verify-format option,
          which by default uses the rpm format, but that might  change  in
          the  future,  and  as  such programs parsing this command output
          should be explicit about the format they expect.

So you may just use similar syntax as in yum to perform verifications, and get results in rpm format. For example:

dpkg --verify openssh-server

or just use dpkg --verify to verify every single packge installed on you system.

P.S.

Running, say dpkg --verify bash, on my machine gave me something like this. (I'm running dpkg/1.17.5)

??5?????? c /etc/bash.bashrc
??5?????? c /etc/skel/.bashrc

It seems that .deb packages only contain md5sums metadata for verification.

Solution 3

There is tool debsums you can check out.

# apt-cache search debsums
debsums - tool for verification of installed package files against MD5 checksums

Solution 4

Normally I have a list of files that I want to verify.
So here's a simple bash function that does more or less what you want:

dpkg-verify() {
    exitcode=0
    for file in $*; do
        pkg=`dpkg -S "$file" | cut -d: -f 1`
        hashfile="/var/lib/dpkg/info/$pkg.md5sums"
        if [ -s "$hashfile" ]; then
            rfile=`echo "$file" | cut -d/ -f 2-`
            phash=`grep -E "$rfile\$" "$hashfile" | cut -d\  -f 1`
            hash=`md5sum "$file" | cut -d\  -f 1`
            if [ "$hash" = "$phash" ]; then
                echo "$file: ok"
            else
                echo "$file: CHANGED"
                exitcode=1
            fi
        else
            echo "$file: UNKNOWN"
            exitcode=1
        fi
    done
    return $exitcode
}

Use like this:

dpkg-verify /bin/ls /usr/bin/ld

Output on my environment:

/bin/ls: ok
/usr/bin/ld: UNKNOWN

Of course, it should be fairly simple to write a similar alias/script to check the files from a specific package.

Solution 5

I use this command to check all the packages:
dpkg -l | awk {'print $2'} | xargs | debsums | grep -v 'OK'

You should need install debsumbs, gawk and findutils packages.

View more solutions

42,062

Sandra

Updated on September 18, 2022

Comments

Sandra over 1 year
With rpm -qV openssh-server I will get a list of files that have changed compared to default.
```
~$ rpm -qV openssh-server
S.?....T.  c /etc/ssh/sshd_config
~$ 
```
Can dpkg on Ubuntu do the same?
psusi over 12 years

The md5sums omit config files ( ones in /etc ) because you are expected to change those.
user9517 over 12 years

Yes, the file /etc/ssh/sshd_config for example is generated by a script. Under CentOS though the default config files do have md5sums.
bain over 9 years

The md5 checksums for config files are stored in /var/lib/dpkg/status. "dpkg -V" will verify the checksums of all files on the system including the conf files.
Magentron over 7 years

Open to improvements at https://gist.github.com/Magentron/e9a85ffebd07bdf29047218fc6‌8e31f6
rubo77 over 4 years

what does these lines mean? ??5?????? c...
rubo77 over 4 years

I add some errors (although as root): debsums: can't open fwupd file /var/lib/polkit-1/localauthority/10-vendor.d/fwupd.pkla (Permission denied) debsums: can't open geoclue-2.0 file /var/lib/polkit-1/localauthority/10-vendor.d/geoclue-2.0.pkl‌a (Permission denied)
pallxk over 4 years

@rubo77 See ftp.rpm.org/max-rpm/s1-rpm-verify-output.html for the cryptic format.
rubo77 over 4 years

OK, so ??5?????? means: the MD5 Checksum was different and c="it is a config file"
rubo77 over 4 years

If you want only warnings of modified packages, (not modified config files) use sudo dpkg -V | grep -v '??5?????? c'
NetVicious over 2 years

With the commands I wrote it checks all the files on all packages. Any file changed, deleted or with problems accessing it (like your errors say) are writed to the console. You should check those files permissions. If you're root user you should not have any problem accessing they. Try to check with dpkg -S geoclue-2.0.pkla command on which package those files are.