How to Check MD5 Sums of Installed Packages in Debian/Ubuntu Linux

Have you ever wondered why a given binary or package installed on your system does not work according to you expectations, meaning it does not function correctly as it is supposed to do, perhaps it can not event start at all.

While downloading packages, you may face challenges of unsteady network connections or unexpected power blackouts, this can result into installation of corrupted package.

Considering this as an important factor in maintaining uncorrupted packages on your system, it is therefore a vital step to verify the files on the file system against the information stored in the package by using following article.

Suggested Read: Learn How to Generate and Verify Files with MD5 Checksum in Linux

How to Verify Installed Debian Packages Against MD5 Checksums

On Debian/Ubuntu systems, you can use the debsums tool to check the MD5 sums of installed packages. If you want to know the information about debsums package before installing it, you can use APT-CACHE like so:

$ apt-cache search debsums

Next, install it using apt command as follows:

$ sudo apt install debsums

Now its time to learn how to use debsums tool to verify MD5sum of installed packages.

Note: I have used sudo with all the commands below because certain files may not have read permissions for regular users.

In addition, the output from the debsums command shows you the file location on the left and the check results on the right. There are three possible results you can get, they include:

  1. OK – indicates that a file’s MD5 sum is good.
  2. FAILED – shows that a file’s MD5 sum does not match.
  3. REPLACED – means that the specific file has been replaced by a file from another package.

When you run it without any options, debsums checks every file on your system against the stock md5sum files.

$ sudo debsums
Scans File System for MD5 Sums
/usr/bin/a11y-profile-manager-indicator                                       OK
/usr/share/doc/a11y-profile-manager-indicator/copyright                       OK
/usr/share/man/man1/a11y-profile-manager-indicator.1.gz                       OK
/usr/share/accounts/providers/facebook.provider                               OK
/usr/share/accounts/qml-plugins/facebook/Main.qml                             OK
/usr/share/accounts/services/facebook-microblog.service                       OK
/usr/share/accounts/services/facebook-sharing.service                         OK
/usr/share/doc/account-plugin-facebook/copyright                              OK
/usr/share/accounts/providers/flickr.provider                                 OK
/usr/share/accounts/qml-plugins/flickr/Main.qml                               OK
/usr/share/accounts/services/flickr-microblog.service                         OK
/usr/share/accounts/services/flickr-sharing.service                           OK
/usr/share/doc/account-plugin-flickr/copyright                                OK
/usr/share/accounts/providers/google.provider                                 OK
/usr/share/accounts/qml-plugins/google/Main.qml                               OK
/usr/share/accounts/services/google-drive.service                             OK
/usr/share/accounts/services/google-im.service                                OK
/usr/share/accounts/services/picasa.service                                   OK
/usr/share/doc/account-plugin-google/copyright                                OK
/lib/systemd/system/accounts-daemon.service                                   OK
/usr/lib/accountsservice/accounts-daemon                                      OK
/usr/share/dbus-1/interfaces/org.freedesktop.Accounts.User.xml                OK
/usr/share/dbus-1/interfaces/org.freedesktop.Accounts.xml                     OK
/usr/share/dbus-1/system-services/org.freedesktop.Accounts.service            OK
/usr/share/doc/accountsservice/README                                         OK
/usr/share/doc/accountsservice/TODO                                           OK
....

To enable checking of every file and configuration files for each package for any changes, include the -a or --all option:

$ sudo debsums --all
Check MD5 Sums of All Configuration Files
/usr/bin/a11y-profile-manager-indicator                                       OK
/usr/share/doc/a11y-profile-manager-indicator/copyright                       OK
/usr/share/man/man1/a11y-profile-manager-indicator.1.gz                       OK
/etc/xdg/autostart/a11y-profile-manager-indicator-autostart.desktop           OK
/usr/share/accounts/providers/facebook.provider                               OK
/usr/share/accounts/qml-plugins/facebook/Main.qml                             OK
/usr/share/accounts/services/facebook-microblog.service                       OK
/usr/share/accounts/services/facebook-sharing.service                         OK
/usr/share/doc/account-plugin-facebook/copyright                              OK
/etc/signon-ui/webkit-options.d/www.facebook.com.conf                         OK
/usr/share/accounts/providers/flickr.provider                                 OK
/usr/share/accounts/qml-plugins/flickr/Main.qml                               OK
/usr/share/accounts/services/flickr-microblog.service                         OK
/usr/share/accounts/services/flickr-sharing.service                           OK
/usr/share/doc/account-plugin-flickr/copyright                                OK
/etc/signon-ui/webkit-options.d/login.yahoo.com.conf                          OK
/usr/share/accounts/providers/google.provider                                 OK
/usr/share/accounts/qml-plugins/google/Main.qml                               OK
/usr/share/accounts/services/google-drive.service                             OK
/usr/share/accounts/services/google-im.service                                OK
/usr/share/accounts/services/picasa.service                                   OK
/usr/share/doc/account-plugin-google/copyright                                OK
...

It is as well possible to check only the configuration file excluding all other package files by using the -e or --config option:

$ sudo debsums --config
Only Check MD5 Sums of Configuration Files
/etc/xdg/autostart/a11y-profile-manager-indicator-autostart.desktop           OK
/etc/signon-ui/webkit-options.d/www.facebook.com.conf                         OK
/etc/signon-ui/webkit-options.d/login.yahoo.com.conf                          OK
/etc/signon-ui/webkit-options.d/accounts.google.com.conf                      OK
/etc/dbus-1/system.d/org.freedesktop.Accounts.conf                            OK
/etc/acpi/asus-keyboard-backlight.sh                                          OK
/etc/acpi/events/asus-keyboard-backlight-down                                 OK
/etc/acpi/ibm-wireless.sh                                                     OK
/etc/acpi/events/tosh-wireless                                                OK
/etc/acpi/asus-wireless.sh                                                    OK
/etc/acpi/events/lenovo-undock                                                OK
/etc/default/acpi-support                                                     OK
/etc/acpi/events/ibm-wireless                                                 OK
/etc/acpi/events/asus-wireless-on                                             OK
/etc/acpi/events/asus-wireless-off                                            OK
/etc/acpi/tosh-wireless.sh                                                    OK
/etc/acpi/events/asus-keyboard-backlight-up                                   OK
/etc/acpi/events/thinkpad-cmos                                                OK
/etc/acpi/undock.sh                                                           OK
/etc/acpi/events/powerbtn                                                     OK
/etc/acpi/powerbtn.sh                                                         OK
/etc/init.d/acpid                                                             OK
/etc/init/acpid.conf                                                          OK
/etc/default/acpid                                                            OK
...

Next, to only display changed files in the output of debsums, use the -c or --changed option. I didn’t found any changed files in my system.

$ sudo debsums --changed

The next command prints out files that do not have md5sum info, here we use the -l and --list-missing option. On my system, the command does not show any file.

$ sudo debsums --list-missing

Now it’s time to verify the md5 sum of a single package by specifying its name:

$ sudo debsums apache2 
Check MD5 Sum of Installed Package
/lib/systemd/system/apache2.service.d/apache2-systemd.conf                    OK
/usr/sbin/a2enmod                                                             OK
/usr/sbin/a2query                                                             OK
/usr/sbin/apache2ctl                                                          OK
/usr/share/apache2/apache2-maintscript-helper                                 OK
/usr/share/apache2/ask-for-passphrase                                         OK
/usr/share/bash-completion/completions/a2enmod                                OK
/usr/share/doc/apache2/NEWS.Debian.gz                                         OK
/usr/share/doc/apache2/PACKAGING.gz                                           OK
/usr/share/doc/apache2/README.Debian.gz                                       OK
/usr/share/doc/apache2/README.backtrace                                       OK
/usr/share/doc/apache2/README.multiple-instances                              OK
/usr/share/doc/apache2/copyright                                              OK
/usr/share/doc/apache2/examples/apache2.monit                                 OK
/usr/share/doc/apache2/examples/secondary-init-script                         OK
/usr/share/doc/apache2/examples/setup-instance                                OK
/usr/share/lintian/overrides/apache2                                          OK
/usr/share/man/man1/a2query.1.gz                                              OK
/usr/share/man/man8/a2enconf.8.gz                                             OK
/usr/share/man/man8/a2enmod.8.gz                                              OK
/usr/share/man/man8/a2ensite.8.gz                                             OK
/usr/share/man/man8/apache2ctl.8.gz                                           OK

Assuming that you are running debsums as a regular user without sudo, you can treat permission errors as warnings by employing the --ignore-permissions option:

$ debsums --ignore-permissions 

How To Generate MD5 Sums from .Deb Files

The -g option tells debsums to generate MD5 sums from deb contents, where:

  1. missing – instruct debsums to generate MD5 sums from the deb for packages which don’t provide one.
  2. all – directs debsums to ignore the on disk sums and use the one present in the deb file, or generated from it if none exists.
  3. keep – tells debsums to write the extracted/generated sums to /var/lib/dpkg/info/package.md5sums file.
  4. nocheck – means the extracted/generated sums are not checked against the installed package.

When you look at the contents of the directory /var/lib/dpkg/info/, you will see md5sums for various files that packages as in the image below:

$ cd /var/lib/dpkg/info
$ ls *.md5sums
List All MD5 Sums for Packages
a11y-profile-manager-indicator.md5sums
account-plugin-facebook.md5sums
account-plugin-flickr.md5sums
account-plugin-google.md5sums
accountsservice.md5sums
acl.md5sums
acpid.md5sums
acpi-support.md5sums
activity-log-manager.md5sums
adduser.md5sums
adium-theme-ubuntu.md5sums
adwaita-icon-theme.md5sums
aisleriot.md5sums
alsa-base.md5sums
alsa-utils.md5sums
anacron.md5sums
apache2-bin.md5sums
apache2-data.md5sums
apache2.md5sums
apache2-utils.md5sums
apg.md5sums
apparmor.md5sums
app-install-data.md5sums
app-install-data-partner.md5sums
...

Remember that using -g option is the same as --generate=missing, you can try to generate a md5 sum for apache2 package by running the following command.

$ sudo debsums --generate=missing apache2 

Since apache2 package on my system already has md5 sums, it will show the output below, which is the same as running:

$ sudo debsums apache2

For more interesting options and usage info, look through the debsums man page.

$ man debsums

In this article, we shared how to verify installed Debian/Ubuntu packages against MD5 checksums, this can be useful in order to avoid installing and executing corrupted binaries or package files on your system by checking the files on the file system against the information stored in the package.

For any questions or feedback, take advantage of the comment form below. Imaginably, you can as well offer one or two suggestions to make this post better.

Source: tecmint.com

Be the first to comment

Leave a Reply

Your email address will not be published.


*