I'm wondering if there's a way to verify the integrity of installed packages/programs against official repos. I did an update via synaptic about a week ago and it asked me to upgrade several packages such as login, su, passwd, groupadd, useradd, lastlog, and several others. Right away I was concerned about this, but I figured it's via synaptic, must be safe.

Well now it's a week later and I'm trying to find some "last updated" info for these packages, changlelogs, whatever, to verify that they were indeed official releases/updates, and I'm coming up empty.

Is there something I can do to verify that these files and my system are still intact?

apt-cache policy packagename

You probably want debsums.

debsums - tool for verification of installed package files against MD5 checksums

Packages update all the time, as long as you aren't using a bunch of 3rd party repos you are fine. A little paranoia goes a long way.

thank you, this was just what I was looking for.

one question though. if it checks against locally stored files wouldn't it be simple to fake?

no joke. linux does that to me though. especially when I see files like su passwd and login being changed. and even more so when I can't verify that there was an update released in documentation anywhere.

Debian, and basically all other distro's, have ways of verifying the contents of the packages on their servers. If one is compromised it'll be noted quickly and the server will be taken off-line immediately. Find and read the Debian security list to learn about untrusted servers. There where cases in the past, but not recent, to my knowledge.

PS: dev's are the worst documentation writers

There isn't a GPG signature?