To Verify Installed Debian Packages Against MD5 Checksums

 

On Debian/Ubuntu systems, you can use the debsums tool to check the MD5 sums of installed packages. If you want to know the information about debsums package before installing it, you can use APT-CACHE like so:

$ apt-cache search debsums

 

Next, install it using apt command as follows:

$ sudo apt install debsums

 

Now its time to learn how to use debsums tool to verify MD5sum of installed packages.

 

Note: I have used sudo with all the commands below because certain files may not have read permissions for regular users.

 

In addition, the output from the debsums command shows you the file location on the left and the check results on the right. There are three possible results you can get, they include:

OK – indicates that a file’s MD5 sum is good.

FAILED – shows that a file’s MD5 sum does not match.

REPLACED – means that the specific file has been replaced by a file from another package.

 

When you run it without any options, debsums checks every file on your system against the stock md5sum files.

$ sudo debsums

 

Scans File System for MD5 Sums
----------------------------------------------------------------------------------
/usr/bin/a11y-profile-manager-indicator OK /usr/share/doc/a11y-profile-manager-indicator/copyright OK /usr/share/man/man1/a11y-profile-manager-indicator.1.gz OK /usr/share/accounts/providers/facebook.provider OK /usr/share/accounts/qml-plugins/facebook/Main.qml OK /usr/share/accounts/services/facebook-microblog.service OK /usr/share/accounts/services/facebook-sharing.service OK /usr/share/doc/account-plugin-facebook/copyright OK /usr/share/accounts/providers/flickr.provider OK /usr/share/accounts/qml-plugins/flickr/Main.qml OK /usr/share/accounts/services/flickr-microblog.service OK /usr/share/accounts/services/flickr-sharing.service OK /usr/share/doc/account-plugin-flickr/copyright OK /usr/share/accounts/providers/google.provider OK /usr/share/accounts/qml-plugins/google/Main.qml OK /usr/share/accounts/services/google-drive.service OK /usr/share/accounts/services/google-im.service OK /usr/share/accounts/services/picasa.service OK /usr/share/doc/account-plugin-google/copyright OK /lib/systemd/system/accounts-daemon.service OK /usr/lib/accountsservice/accounts-daemon OK /usr/share/dbus-1/interfaces/org.freedesktop.Accounts.User.xml OK /usr/share/dbus-1/interfaces/org.freedesktop.Accounts.xml OK /usr/share/dbus-1/system-services/org.freedesktop.Accounts.service OK /usr/share/doc/accountsservice/README OK /usr/share/doc/accountsservice/TODO OK ....

 

To enable checking of every file and configuration files for each package for any changes, including the -a or  --all option:

$ sudo debsums --all

 

Check MD5 Sums of All Configuration Files
-----------------------------------------------------------------------------------
/usr/bin/a11y-profile-manager-indicator OK /usr/share/doc/a11y-profile-manager-indicator/copyright OK /usr/share/man/man1/a11y-profile-manager-indicator.1.gz OK /etc/xdg/autostart/a11y-profile-manager-indicator-autostart.desktop OK /usr/share/accounts/providers/facebook.provider OK /usr/share/accounts/qml-plugins/facebook/Main.qml OK /usr/share/accounts/services/facebook-microblog.service OK /usr/share/accounts/services/facebook-sharing.service OK /usr/share/doc/account-plugin-facebook/copyright OK /etc/signon-ui/webkit-options.d/www.facebook.com.conf OK /usr/share/accounts/providers/flickr.provider OK /usr/share/accounts/qml-plugins/flickr/Main.qml OK /usr/share/accounts/services/flickr-microblog.service OK /usr/share/accounts/services/flickr-sharing.service OK /usr/share/doc/account-plugin-flickr/copyright OK /etc/signon-ui/webkit-options.d/login.yahoo.com.conf OK /usr/share/accounts/providers/google.provider OK /usr/share/accounts/qml-plugins/google/Main.qml OK /usr/share/accounts/services/google-drive.service OK /usr/share/accounts/services/google-im.service OK /usr/share/accounts/services/picasa.service OK /usr/share/doc/account-plugin-google/copyright OK ...

 

It is as well possible to check only the configuration file excluding all other package files by using the -e or  --config option:

$ sudo debsums --config

 

Only Check MD5 Sums of Configuration Files
------------------------------------------------------------------------------------
/etc/xdg/autostart/a11y-profile-manager-indicator-autostart.desktop OK /etc/signon-ui/webkit-options.d/www.facebook.com.conf OK /etc/signon-ui/webkit-options.d/login.yahoo.com.conf OK /etc/signon-ui/webkit-options.d/accounts.google.com.conf OK /etc/dbus-1/system.d/org.freedesktop.Accounts.conf OK /etc/acpi/asus-keyboard-backlight.sh OK /etc/acpi/events/asus-keyboard-backlight-down OK /etc/acpi/ibm-wireless.sh OK /etc/acpi/events/tosh-wireless OK /etc/acpi/asus-wireless.sh OK /etc/acpi/events/lenovo-undock OK /etc/default/acpi-support OK /etc/acpi/events/ibm-wireless OK /etc/acpi/events/asus-wireless-on OK /etc/acpi/events/asus-wireless-off OK /etc/acpi/tosh-wireless.sh OK /etc/acpi/events/asus-keyboard-backlight-up OK /etc/acpi/events/thinkpad-cmos OK /etc/acpi/undock.sh OK /etc/acpi/events/powerbtn OK /etc/acpi/powerbtn.sh OK /etc/init.d/acpid OK /etc/init/acpid.conf OK /etc/default/acpid OK ...

 

Next, to only display changed files in the output of debsums, use the -c or --changed option. I didn’t found any changed files in my system.

$ sudo debsums --changed

 

The next command prints out files that do not have md5sum info, here we use the -l and --list-missing option. On my system, the command does not show any file.

$ sudo debsums --list-missing

 

Now it’s time to verify the md5 sum of a single package by specifying its name:

$ sudo debsums apache2 

 

Check MD5 Sum of Installed Package
--------------------------------------------------------------------------------------

/lib/systemd/system/apache2.service.d/apache2-systemd.conf                    OK
/usr/sbin/a2enmod                                                             OK
/usr/sbin/a2query                                                             OK
/usr/sbin/apache2ctl                                                          OK
/usr/share/apache2/apache2-maintscript-helper                                 OK
/usr/share/apache2/ask-for-passphrase                                         OK
/usr/share/bash-completion/completions/a2enmod                                OK
/usr/share/doc/apache2/NEWS.Debian.gz                                         OK
/usr/share/doc/apache2/PACKAGING.gz                                           OK
/usr/share/doc/apache2/README.Debian.gz                                       OK
/usr/share/doc/apache2/README.backtrace                                       OK
/usr/share/doc/apache2/README.multiple-instances                              OK
/usr/share/doc/apache2/copyright                                              OK
/usr/share/doc/apache2/examples/apache2.monit                                 OK
/usr/share/doc/apache2/examples/secondary-init-script                         OK
/usr/share/doc/apache2/examples/setup-instance                                OK
/usr/share/lintian/overrides/apache2                                          OK
/usr/share/man/man1/a2query.1.gz                                              OK
/usr/share/man/man8/a2enconf.8.gz                                             OK
/usr/share/man/man8/a2enmod.8.gz                                              OK
/usr/share/man/man8/a2ensite.8.gz                                             OK
/usr/share/man/man8/apache2ctl.8.gz                                           OK

 

Assuming that you are running debsums as a regular user without sudo, you can treat permission errors as warnings by employing the --ignore-permissions option:

$ debsums --ignore-permissions 

 

How To Generate MD5 Sums from .Deb Files

 

The -g option tells debsums to generate MD5 sums from deb contents, where:

missing – instruct debsums to generate MD5 sums from the deb for packages which don’t provide one.

all – directs debsums to ignore the on disk sums and use the one present in the deb file, or generated from it if none exists.

keep – tells debsums to write the extracted/generated sums to /var/lib/dpkg/info/package.md5sums file.

nocheck – means the extracted/generated sums are not checked against the installed package.

 

When you look at the contents of the directory /var/lib/dpkg/info/, you will see md5sums for various files that package as in the image below:

$ cd /var/lib/dpkg/info
$ ls *.md5sums

 

List All MD5 Sums for Packages
-------------------------------------------

a11y-profile-manager-indicator.md5sums
account-plugin-facebook.md5sums
account-plugin-flickr.md5sums
account-plugin-google.md5sums
accountsservice.md5sums
acl.md5sums
acpid.md5sums
acpi-support.md5sums
activity-log-manager.md5sums
adduser.md5sums
adium-theme-ubuntu.md5sums
adwaita-icon-theme.md5sums
aisleriot.md5sums
alsa-base.md5sums
alsa-utils.md5sums
anacron.md5sums
apache2-bin.md5sums
apache2-data.md5sums
apache2.md5sums
apache2-utils.md5sums
apg.md5sums
apparmor.md5sums
app-install-data.md5sums
app-install-data-partner.md5sums
...

 

Remember that using -g option is the same as --generate=missing, you can try to generate a md5 sum for apache2 package by running the following command.

$ sudo debsums --generate=missing apache2 

 

Since apache2 package on my system already has md5 sums, it will show the output below, which is the same as running:

$ sudo debsums apache2

 

For more interesting options and usage info, look through the debsums man page.

$ man debsums

 

Was this answer helpful? 0 Users Found This Useful (0 Votes)