LinuxQuestions.org
Old 04-12-2024, 08:46 PM   #1
yvesjv
Member
 
Registered: Sep 2015
Location: Australia
Distribution: Slackware, Devuan, Freebsd
Posts: 566

Rep: Reputation: Disabled
How to verify all packages downloaded via mirrors via md5 or sha

Hello everyone,

I was traveling for the last few days and while staying in a hotel, I suspect they had a web proxy in between all clients and the internet.
While in the hotel, I did the usual slackpkg update followed by upgrade-all.
Then I noticed quite a few md5 errors on the downloaded packages...

Quick question:
Days later, how do I go about verifying that all packages downloaded and installed haven't been messed around with, by comparing them to the packages on the main repository?

Thanks in advance.
 
Old 04-13-2024, 05:07 AM   #2
SlackCoder
Member
 
Registered: Nov 2020
Posts: 40

Rep: Reputation: Disabled
Did you check whether you still have the packages you installed on disk? Slackpkg stores them under /var/cache/packages. You can check those against ones from a Slackware mirror.
 
Old 04-13-2024, 05:26 AM   #3
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,372

Rep: Reputation: 2750
I would do it by reinstalling suspect packages.
 
1 members found this post helpful.
Old 04-13-2024, 05:46 AM   #4
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 1,791

Rep: Reputation: 1470
The default /etc/slackpkg/slackpkg.conf has this set:
Code:
# If CHECKGPG is "on", the system will verify the GPG signature of each package
# before install/upgrade/reinstall is performed.
CHECKGPG=on
It checks the GPG signatures against the security@slackware.com public key you have earlier imported. The hotel doesn't have Patrick's private key to sign the messed around packages.

The md5 errors are possible if you downloaded from a mirror which was updating (or its update had been interrupted) and CHECKSUMS.md5 and the packages did not match at the moment.

Last edited by Petri Kaukasoina; 04-13-2024 at 05:47 AM.
 
2 members found this post helpful.
Old 04-13-2024, 05:59 AM   #5
henca
Member
 
Registered: Aug 2007
Location: Linköping, Sweden
Distribution: Slackware
Posts: 961

Rep: Reputation: 649
I would do the following:
  1. Download the file CHECKSUMS.md5 for your version of Slackware
  2. Download the file CHECKSUMS.md5.asc, also from your favorite mirror
  3. Validate the file CHECKSUMS.md5 with the command: "gpg --verify CHECKSUMS.md5"
  4. Once you can trust the big file CHECKSUMS.md5, make a copy and in that copy only keep the lines of the files that you want to test. You might also want to edit the paths to those files if you have stored them somewhere else.
  5. Run the command "md5sum -c my_copy_of_CHECKSUMS.md5"

The following assumes that you have previously stored the public GPG key in your keyring. If you haven't already done so and don't trust your downloads, you will be able to find that file on old official installation media if you happen to have any lying around. The man page of gpg describes how to add such a public key to your keyring.

regards Henrik
 
2 members found this post helpful.
Old 04-13-2024, 07:32 AM   #6
chrisretusn
Senior Member
 
Registered: Dec 2005
Location: Philippines
Distribution: Slackware64-current
Posts: 2,973

Rep: Reputation: 1551
Quote (Originally Posted by SlackCoder):
Did you check whether you still have the packages you installed on disk? Slackpkg stores them under /var/cache/packages. You can check those against ones from a Slackware mirror.
Only if DELALL=off. The default is DELALL=on.

From slackpkg.conf.
Code:
# If DELALL is "on", all downloaded files will be removed after install.
DELALL=on
 
2 members found this post helpful.
Old 04-13-2024, 08:36 AM   #7
TheTKS
Member
 
Registered: Sep 2017
Location: Ontario, Canada
Distribution: Slackware, X/ubuntu, OpenBSD, OpenWRT
Posts: 361

Rep: Reputation: 243
If you want to check which installed packages have a problem before taking any other action or because you didn't save the list of packages with md5sum error warnings, then do as @henca wrote first.

If you saved the list of files with md5sum error warnings, and you still want to go through those steps, it might save a bit of your time to skip step 4 and change the last command to
Code:
$ md5sum -c --quiet CHECKSUMS.md5
If what you're actually trying to do is most quickly make sure all upgraded packages are verified and installed correctly, then this set of steps probably takes the least amount of your time:

With the list of packages that showed those errors, do as @allend wrote and use slackpkg to try reinstalling each one individually.
Code:
# slackpkg reinstall [packagename1] [packagename2] ... [packagenameN]
ex.
Code:
# slackpkg reinstall curl
You can, but don't need to, write out the full package name without its extension
ex.
Code:
# slackpkg reinstall curl-8.7.1-x86_64-1_slack15.0
If many packages from a set showed md5sum error warnings, it might save you more of your time to reinstall the whole set.

If the warnings are because your mirror was syncing while you were upgrading packages or had some other problem, you will have to wait until that's resolved to reinstall, or you could temporarily pick another mirror in /etc/slackpkg/mirrors that is up to date.

TheTKS

Last edited by TheTKS; 04-13-2024 at 08:47 AM.
 
1 members found this post helpful.
Old 04-13-2024, 09:31 AM   #8
viel
Member
 
Registered: Jul 2021
Location: Arcadia
Distribution: Slackware
Posts: 48

Rep: Reputation: Disabled
Quote (Originally Posted by henca):
I would do the following:
  1. Download the file CHECKSUMS.md5 for your version of Slackware
  2. Download the file CHECKSUMS.md5.asc, also from your favorite mirror
  3. Validate the file CHECKSUMS.md5 with the command: "gpg --verify CHECKSUMS.md5"
  4. Once you can trust the big file CHECKSUMS.md5, make a copy and in that copy only keep the lines of the files that you want to test. You might also want to edit the paths to those files if you have stored them somewhere else.
  5. Run the command "md5sum -c my_copy_of_CHECKSUMS.md5"

The following assumes that you since previously have stored the public GPG-KEY in your keyring. If you already haven't done so and don't trust your downloads, you will be able to find that file on old official installation media if you happen to have any such laying around. The man page of gpg describes how to add such a public key to your keyring.

regards Henrik

In commands:

Code:
mkdir /tmp/check.md5
cd /tmp/check.md5/
wget -c https://mirrors.slackware.com/slackware/slackware64-15.0/CHECKSUMS.md5
wget -c https://mirrors.slackware.com/slackware/slackware64-15.0/CHECKSUMS.md5.asc
# fetch the Slackware signing key (security@slackware.com) from somewhere other than the mirror itself
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 40102233
# verify the detached signature over CHECKSUMS.md5
gpg --verify CHECKSUMS.md5.asc CHECKSUMS.md5
md5sum /opt/slackware-repositories/x86/slackware/slackware64-15.0/slackware64/a/bash-5.1.016-x86_64-1.txz
grep bash-5.1.016-x86_64-1.txz CHECKSUMS.md5
Replace bash with your package files.

 
2 members found this post helpful.
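The filtering in henca's steps 4 and 5 (and the per-package md5sum/grep in the commands above) can be done for a whole directory at once. This is an added example, not code from anyone in the thread; it assumes the CHECKSUMS.md5 it is given has already passed the gpg --verify step, and the demo data at the bottom is constructed.

```sh
#!/bin/sh
# Added example, not from the thread: automates henca's steps 4 and 5 for a
# directory of locally kept packages (e.g. /var/cache/packages when DELALL=off).
# Precondition (steps 1-3): CHECKSUMS.md5 was first verified with
#   gpg --verify CHECKSUMS.md5.asc CHECKSUMS.md5
# Only a signature-verified CHECKSUMS.md5 should be fed to this function.

# check_local_pkgs CHECKSUMS.md5 PKGDIR
# Keeps only the CHECKSUMS.md5 lines naming a .txz present in PKGDIR, rewrites
# the paths to the local copies and runs md5sum -c on that subset.
# Returns 0 if every local package matched, 1 if any mismatched or is unlisted.
check_local_pkgs() {
    sums=$1; dir=$2; status=0
    filtered=$(mktemp) || return 1
    for pkg in "$dir"/*.txz; do
        [ -e "$pkg" ] || continue
        base=${pkg##*/}
        # CHECKSUMS.md5 lines look like "<md5>  ./slackware64/a/<base>"; match
        # on the final path component only so "<base>.asc" lines are skipped
        md5=$(awk -v b="$base" '{ n = split($2, p, "/"); if (p[n] == b) { print $1; exit } }' "$sums")
        if [ -z "$md5" ]; then
            echo "UNLISTED: $base is not in CHECKSUMS.md5"; status=1; continue
        fi
        printf '%s  %s\n' "$md5" "$pkg" >> "$filtered"
    done
    if [ -s "$filtered" ]; then
        md5sum -c "$filtered" || status=1
    fi
    rm -f "$filtered"
    return $status
}

# Constructed demo: two fake packages, the second one altered after the
# checksum list was produced (stands in for a corrupted or tampered download).
demo() {
    d=$(mktemp -d) || return 1
    printf 'good\n' > "$d/bash-5.1.016-x86_64-1.txz"
    printf 'orig\n' > "$d/curl-8.7.1-x86_64-1_slack15.0.txz"
    {
        printf '%s  ./slackware64/a/bash-5.1.016-x86_64-1.txz\n' "$(md5sum < "$d/bash-5.1.016-x86_64-1.txz" | cut -d' ' -f1)"
        printf 'd41d8cd98f00b204e9800998ecf8427e  ./slackware64/a/bash-5.1.016-x86_64-1.txz.asc\n'
        printf '%s  ./patches/packages/curl-8.7.1-x86_64-1_slack15.0.txz\n' "$(md5sum < "$d/curl-8.7.1-x86_64-1_slack15.0.txz" | cut -d' ' -f1)"
    } > "$d/CHECKSUMS.md5"
    printf 'evil\n' > "$d/curl-8.7.1-x86_64-1_slack15.0.txz"   # tampered after listing
    check_local_pkgs "$d/CHECKSUMS.md5" "$d"; rc=$?
    rm -rf "$d"; return $rc
}
demo || echo "at least one package did NOT verify; reinstall it (slackpkg reinstall)"
```

Any package reported as FAILED or UNLISTED is the one to reinstall from a synced mirror, as allend and TheTKS describe.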
Old 04-13-2024, 06:31 PM   #9
yvesjv
Member
 
Registered: Sep 2015
Location: Australia
Distribution: Slackware, Devuan, Freebsd
Posts: 566

Original Poster
Rep: Reputation: Disabled
Thanks everyone.
My bad, I did not print-screen as I was in a hurry to go into a meet.
Just to be sure, I've decided to download the repo and reinstall the packages from scratch.

But OTOH, what mechanisms are in place to thwart a mirror being compromised OR an MITM such as a PacketLogic (nowadays Sandvine) hijacking the downloads?
 
Old 04-14-2024, 12:21 AM   #10
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 7,583
Blog Entries: 19

Rep: Reputation: 4454
Quote (Originally Posted by yvesjv):
But OTOH, what mechanisms are in place to thwart a mirror being compromised OR an MITM such as a PacketLogic (nowadays Sandvine) hijacking the downloads?
Every package is signed by Patrick's private key, and the corresponding public key is downloaded from a different source, not from the repository itself. Even if the repository were compromised by rogue packages with corresponding md5sums, they couldn't be signed correctly. But this depends on users not switching off signature checking in slackpkg.
 
5 members found this post helpful.
Old 04-14-2024, 01:14 PM   #11
yvesjv
Member
 
Registered: Sep 2015
Location: Australia
Distribution: Slackware, Devuan, Freebsd
Posts: 566

Original Poster
Rep: Reputation: Disabled
Quote (Originally Posted by hazel):
But this depends on users not switching off signature checking in slackpkg.
Awesome info.
 
Old 04-15-2024, 10:46 AM   #12
SlackCoder
Member
 
Registered: Nov 2020
Posts: 40

Rep: Reputation: Disabled
Quote (Originally Posted by yvesjv):
Hello everyone,

While in the hotel, did the usual slackpkg update followed with the upgrade-all.
Then noticed quite a few md5 errors on the downloaded packages...

Thanks in advance.
I just dug a bit deeper into this, having run into this before myself.

Slackpkg doesn't install packages when an MD5 check fails. An attempt is made to download a package multiple times. Each time a package check fails after download, the error is reported, but when it tries again and succeeds, it's installed.

Last edited by SlackCoder; 04-15-2024 at 04:13 PM.
 
Old 04-16-2024, 07:28 AM   #13
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,897

Rep: Reputation: 5019
Quote (Originally Posted by hazel):
Every package is signed by Patrick's private key, and the corresponding public key is downloaded from a different source, not from the repository itself. Even if the repository were compromised by rogue packages with corresponding md5sums, they couldn't be signed correctly. But this depends on users not switching off signature checking in slackpkg.
What that won't protect against is a downgrade attack: where a repo is MITM'd to an older state containing older, known-to-be-vulnerable packages (complete with their genuine signatures). To prevent that sort of thing, Pat would have to start including an incremental sequence number in the signed CHECKSUMS.md5 that could be checked by update tools.
 
2 members found this post helpful.
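Without the sequence number GazL describes, a client cannot prove that a signed CHECKSUMS.md5 is the latest one, but it can at least notice the symptom of being served an older state: the list naming older versions than what is already installed. The check below is an added example, not code from the thread or from slackpkg; it assumes GNU sort -V is available and that installed-package entries use the NAME-VERSION-ARCH-BUILD layout of /var/log/packages, and its demo data is constructed. A mirror that is merely behind in syncing (as discussed earlier in the thread) trips the same check, so a hit means "investigate", not "attack confirmed".

```sh
# Added example, not from the thread. Slackware's CHECKSUMS.md5 carries no
# sequence number, so this cannot prove freshness; it only flags the symptom of
# the rollback GazL describes: a (validly signed) CHECKSUMS.md5 that lists an
# OLDER version/build than a package already installed. Assumptions: GNU sort -V
# and the NAME-VERSION-ARCH-BUILD entry layout of /var/log/packages.

# find_downgrades CHECKSUMS.md5 INSTALLED_DIR
# Prints "DOWNGRADE: name installed -> repo" per affected package.
# Returns 0 if nothing in the repo is older than installed, 1 otherwise.
find_downgrades() {
    sums=$1; inst=$2; found=0
    for entry in "$inst"/*; do
        [ -e "$entry" ] || continue
        f=${entry##*/}
        name=${f%-*-*-*}                  # drop VERSION-ARCH-BUILD
        [ "$name" != "$f" ] || continue   # not a Slackware package name
        local_ver=${f#"$name"-}
        # newest VERSION-ARCH-BUILD listed for this exact name (.txz lines only;
        # "bash-completion-..." leaves 4 trailing fields, so it is not "bash")
        repo_ver=$(awk -v n="$name" '{
            p = $2; sub(/.*\//, "", p)
            if (p !~ /\.txz$/) next
            sub(/\.txz$/, "", p)
            if (substr(p, 1, length(n) + 1) != (n "-")) next
            v = substr(p, length(n) + 2)
            if (split(v, a, "-") == 3) print v
        }' "$sums" | sort -V | tail -n 1)
        [ -n "$repo_ver" ] || continue
        oldest=$(printf '%s\n%s\n' "$local_ver" "$repo_ver" | sort -V | head -n 1)
        if [ "$repo_ver" != "$local_ver" ] && [ "$oldest" = "$repo_ver" ]; then
            echo "DOWNGRADE: $name $local_ver -> $repo_ver"; found=1
        fi
    done
    return $found
}
# Constructed demo: curl 8.7.1 is installed, but the served list only has 8.5.0.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/pkgs"
    : > "$d/pkgs/bash-5.1.016-x86_64-1"; : > "$d/pkgs/curl-8.7.1-x86_64-1_slack15.0"
    printf '%s\n' \
        '0000  ./slackware64/a/bash-5.1.016-x86_64-1.txz' \
        '1111  ./slackware64/a/bash-completion-2.11-noarch-3.txz' \
        '2222  ./patches/packages/curl-8.5.0-x86_64-1_slack15.0.txz' > "$d/CHECKSUMS.md5"
    find_downgrades "$d/CHECKSUMS.md5" "$d/pkgs"; rc=$?
    rm -rf "$d"; return $rc
}
demo || echo "repo appears to be in an OLDER state than this system; check the mirror before upgrading"
```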