Have you ever wondered why a given binary or package installed on your system does not work according to your expectations, meaning it does not function correctly as it is supposed to, or perhaps it cannot even start at all?
While downloading packages, you may face challenges such as unsteady network connections or unexpected power blackouts. This can result in the installation of a corrupted package.
Considering this an important factor in maintaining uncorrupted packages on your system, it is therefore a vital step to verify the files on the file system against the information stored in the package.
In this article, we will explain how to verify the MD5 checksums of installed packages on Debian-based distributions such as Ubuntu and Mint.
How to Verify Installed Packages Against MD5 Checksums
On Debian/Ubuntu systems, you can use the debsums tool to check the MD5 sums of installed packages. If you want to know more about the debsums package before installing it, you can use the apt-cache command as follows:
apt-cache search debsums
Next, install it using the apt command.
sudo apt install debsums
Now it’s time to learn how to use the debsums tool to verify the MD5 sum of installed packages.
Note: I have used sudo with all the commands below, because certain files may not have read permissions for regular users.
Understanding the Output of debsums
The output from the debsums command shows you the file location on the left and the check results on the right.
There are three possible results you can get:
- OK – indicates that a file’s MD5 sum is good.
- FAILED – shows that a file’s MD5 sum does not match.
- REPLACED – means that the specific file has been replaced by a file from another package.
When you run it without any options, debsums checks every file on your system against the stock MD5 sum files.
sudo debsums
Checking MD5 Sums of All Files for Changes
To enable checking every file and configuration file for changes, include the -a or --all option.
sudo debsums --all
Checking MD5 Sums of Only Configuration Files
It is also possible to check only the configuration files, excluding all other package files, by using the -e or --config option.
sudo debsums --config
Displaying Only Changed Files
To display only the changed files in the output of debsums, use the -c or --changed option.
sudo debsums --changed
Listing Missing MD5 Sums of Files
To display files that do not have MD5 sum information, use the -l or --list-missing option. On my system, this command does not show any files.
sudo debsums --list-missing
Verify the MD5 Sum of a Single Package
You can also verify the MD5 sum of a single package by specifying its name.
sudo debsums curl
Ignoring File Permission Errors in Debsums
Assuming that you are running debsums as a regular user without sudo, you can treat permission errors as warnings by using the --ignore-permissions option:
debsums --ignore-permissions
How to Generate MD5 Sums from .Deb Files
The -g option tells debsums to generate MD5 sums from the .deb contents.
Here are the additional options you can use:
missing– instructs debsums to generate MD5 sums from the.debfor packages that don’t provide one.all– directs debsums to ignore the on-disk sums and use the one present in the.debfile, or generate one from it if none exists.keep– tells debsums to write the extracted/generated sums to /var/lib/dpkg/info/package.md5sums file.nocheck– means the extracted/generated sums are not checked against the installed package.
When you look at the contents of the /var/lib/dpkg/info/ directory, you will see MD5 sums for various files that packages include, as shown below:
cd /var/lib/dpkg/info ls *.md5sums
You can generate an MD5 sum for the apache2 package by running the following command:
sudo debsums --generate=missing apache2
Since the apache2 package on my system already has MD5 sums, it will show the same output as running.
sudo debsums apache2
For more interesting options and usage information, look through the debsums man page:
man debsums
Conclusion
In this article, we shared how to verify installed Debian/Ubuntu packages against MD5 checksums. This can be useful to avoid installing and executing corrupted binaries or package files on your system by checking the files on the file system against the information stored in the package.
For any questions or feedback, feel free to use the comment form below. You can also offer one or two suggestions to make this post better.
An ignorant question, perhaps: could Linux software installation systems be designed to verify checksums automatically, as part of the service?
@christopher
Yes, it is possible, this method only works as an extra-verification measure after packages are already installed on your system.
For example apt/apt-get does that as explained here: http://superuser.com/questions/990143/how-does-apt-get-checks-for-the-integrity-of-the-files-downloaded
bill@jessie:~$ sudo debsums –changed
debsums: invalid line (1) in md5sums for open-vm-tools-desktop: \dde14951417e0e9f73b80f871e6540d1 lib/systemd/system/run-vmblock\\x2dfuse.mount
How do I fix this?
@bushpilot
This could be caused by a possible mount problem under systemd perhaps a bug. Try to find out more from here: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1448134
Try to run the command below and show us the output:
sudo systemctl status -l “run-vmblock\x2dfuse.mount”