Have you ever wondered why a given binary or package installed on your system does not work according to you expectations, meaning it does not function correctly as it is supposed to do, perhaps it can not event start at all.
While downloading packages, you may face challenges of unsteady network connections or unexpected power blackouts, this can result into installation of corrupted package.
Considering this as an important factor in maintaining uncorrupted packages on your system, it is therefore a vital step to verify the files on the file system against the information stored in the package by using following article.
Suggested Read: Learn How to Generate and Verify Files with MD5 Checksum in Linux
How to Verify Installed Debian Packages Against MD5 Checksums
On Debian/Ubuntu systems, you can use the debsums tool to check the MD5 sums of installed packages. If you want to know the information about debsums package before installing it, you can use APT-CACHE like so:
$ apt-cache search debsums
Next, install it using apt command as follows:
$ sudo apt install debsums
Now its time to learn how to use debsums tool to verify MD5sum of installed packages.
Note: I have used sudo with all the commands below because certain files may not have read permissions for regular users.
In addition, the output from the debsums command shows you the file location on the left and the check results on the right. There are three possible results you can get, they include:
- OK – indicates that a file’s MD5 sum is good.
- FAILED – shows that a file’s MD5 sum does not match.
- REPLACED – means that the specific file has been replaced by a file from another package.
When you run it without any options, debsums checks every file on your system against the stock md5sum files.
$ sudo debsums
/usr/bin/a11y-profile-manager-indicator OK /usr/share/doc/a11y-profile-manager-indicator/copyright OK /usr/share/man/man1/a11y-profile-manager-indicator.1.gz OK /usr/share/accounts/providers/facebook.provider OK /usr/share/accounts/qml-plugins/facebook/Main.qml OK /usr/share/accounts/services/facebook-microblog.service OK /usr/share/accounts/services/facebook-sharing.service OK /usr/share/doc/account-plugin-facebook/copyright OK /usr/share/accounts/providers/flickr.provider OK /usr/share/accounts/qml-plugins/flickr/Main.qml OK /usr/share/accounts/services/flickr-microblog.service OK /usr/share/accounts/services/flickr-sharing.service OK /usr/share/doc/account-plugin-flickr/copyright OK /usr/share/accounts/providers/google.provider OK /usr/share/accounts/qml-plugins/google/Main.qml OK /usr/share/accounts/services/google-drive.service OK /usr/share/accounts/services/google-im.service OK /usr/share/accounts/services/picasa.service OK /usr/share/doc/account-plugin-google/copyright OK /lib/systemd/system/accounts-daemon.service OK /usr/lib/accountsservice/accounts-daemon OK /usr/share/dbus-1/interfaces/org.freedesktop.Accounts.User.xml OK /usr/share/dbus-1/interfaces/org.freedesktop.Accounts.xml OK /usr/share/dbus-1/system-services/org.freedesktop.Accounts.service OK /usr/share/doc/accountsservice/README OK /usr/share/doc/accountsservice/TODO OK ....
To enable checking of every file and configuration files for each package for any changes, include the -a or --all option:
$ sudo debsums --all
/usr/bin/a11y-profile-manager-indicator OK /usr/share/doc/a11y-profile-manager-indicator/copyright OK /usr/share/man/man1/a11y-profile-manager-indicator.1.gz OK /etc/xdg/autostart/a11y-profile-manager-indicator-autostart.desktop OK /usr/share/accounts/providers/facebook.provider OK /usr/share/accounts/qml-plugins/facebook/Main.qml OK /usr/share/accounts/services/facebook-microblog.service OK /usr/share/accounts/services/facebook-sharing.service OK /usr/share/doc/account-plugin-facebook/copyright OK /etc/signon-ui/webkit-options.d/www.facebook.com.conf OK /usr/share/accounts/providers/flickr.provider OK /usr/share/accounts/qml-plugins/flickr/Main.qml OK /usr/share/accounts/services/flickr-microblog.service OK /usr/share/accounts/services/flickr-sharing.service OK /usr/share/doc/account-plugin-flickr/copyright OK /etc/signon-ui/webkit-options.d/login.yahoo.com.conf OK /usr/share/accounts/providers/google.provider OK /usr/share/accounts/qml-plugins/google/Main.qml OK /usr/share/accounts/services/google-drive.service OK /usr/share/accounts/services/google-im.service OK /usr/share/accounts/services/picasa.service OK /usr/share/doc/account-plugin-google/copyright OK ...
It is as well possible to check only the configuration file excluding all other package files by using the -e or --config option:
$ sudo debsums --config
/etc/xdg/autostart/a11y-profile-manager-indicator-autostart.desktop OK /etc/signon-ui/webkit-options.d/www.facebook.com.conf OK /etc/signon-ui/webkit-options.d/login.yahoo.com.conf OK /etc/signon-ui/webkit-options.d/accounts.google.com.conf OK /etc/dbus-1/system.d/org.freedesktop.Accounts.conf OK /etc/acpi/asus-keyboard-backlight.sh OK /etc/acpi/events/asus-keyboard-backlight-down OK /etc/acpi/ibm-wireless.sh OK /etc/acpi/events/tosh-wireless OK /etc/acpi/asus-wireless.sh OK /etc/acpi/events/lenovo-undock OK /etc/default/acpi-support OK /etc/acpi/events/ibm-wireless OK /etc/acpi/events/asus-wireless-on OK /etc/acpi/events/asus-wireless-off OK /etc/acpi/tosh-wireless.sh OK /etc/acpi/events/asus-keyboard-backlight-up OK /etc/acpi/events/thinkpad-cmos OK /etc/acpi/undock.sh OK /etc/acpi/events/powerbtn OK /etc/acpi/powerbtn.sh OK /etc/init.d/acpid OK /etc/init/acpid.conf OK /etc/default/acpid OK ...
Next, to only display changed files in the output of debsums, use the -c or --changed option. I didn’t found any changed files in my system.
$ sudo debsums --changed
The next command prints out files that do not have md5sum info, here we use the -l and --list-missing option. On my system, the command does not show any file.
$ sudo debsums --list-missing
Now it’s time to verify the md5 sum of a single package by specifying its name:
$ sudo debsums apache2
/lib/systemd/system/apache2.service.d/apache2-systemd.conf OK /usr/sbin/a2enmod OK /usr/sbin/a2query OK /usr/sbin/apache2ctl OK /usr/share/apache2/apache2-maintscript-helper OK /usr/share/apache2/ask-for-passphrase OK /usr/share/bash-completion/completions/a2enmod OK /usr/share/doc/apache2/NEWS.Debian.gz OK /usr/share/doc/apache2/PACKAGING.gz OK /usr/share/doc/apache2/README.Debian.gz OK /usr/share/doc/apache2/README.backtrace OK /usr/share/doc/apache2/README.multiple-instances OK /usr/share/doc/apache2/copyright OK /usr/share/doc/apache2/examples/apache2.monit OK /usr/share/doc/apache2/examples/secondary-init-script OK /usr/share/doc/apache2/examples/setup-instance OK /usr/share/lintian/overrides/apache2 OK /usr/share/man/man1/a2query.1.gz OK /usr/share/man/man8/a2enconf.8.gz OK /usr/share/man/man8/a2enmod.8.gz OK /usr/share/man/man8/a2ensite.8.gz OK /usr/share/man/man8/apache2ctl.8.gz OK
Assuming that you are running debsums as a regular user without sudo, you can treat permission errors as warnings by employing the --ignore-permissions option:
$ debsums --ignore-permissions
How To Generate MD5 Sums from .Deb Files
The -g option tells debsums to generate MD5 sums from deb contents, where:
- missing – instruct debsums to generate MD5 sums from the deb for packages which don’t provide one.
- all – directs debsums to ignore the on disk sums and use the one present in the deb file, or generated from it if none exists.
- keep – tells debsums to write the extracted/generated sums to /var/lib/dpkg/info/package.md5sums file.
- nocheck – means the extracted/generated sums are not checked against the installed package.
When you look at the contents of the directory /var/lib/dpkg/info/, you will see md5sums for various files that packages as in the image below:
$ cd /var/lib/dpkg/info $ ls *.md5sums
a11y-profile-manager-indicator.md5sums account-plugin-facebook.md5sums account-plugin-flickr.md5sums account-plugin-google.md5sums accountsservice.md5sums acl.md5sums acpid.md5sums acpi-support.md5sums activity-log-manager.md5sums adduser.md5sums adium-theme-ubuntu.md5sums adwaita-icon-theme.md5sums aisleriot.md5sums alsa-base.md5sums alsa-utils.md5sums anacron.md5sums apache2-bin.md5sums apache2-data.md5sums apache2.md5sums apache2-utils.md5sums apg.md5sums apparmor.md5sums app-install-data.md5sums app-install-data-partner.md5sums ...
Remember that using -g option is the same as --generate=missing, you can try to generate a md5 sum for apache2 package by running the following command.
$ sudo debsums --generate=missing apache2
Since apache2 package on my system already has md5 sums, it will show the output below, which is the same as running:
$ sudo debsums apache2
For more interesting options and usage info, look through the debsums man page.
$ man debsums
In this article, we shared how to verify installed Debian/Ubuntu packages against MD5 checksums, this can be useful in order to avoid installing and executing corrupted binaries or package files on your system by checking the files on the file system against the information stored in the package.
For any questions or feedback, take advantage of the comment form below. Imaginably, you can as well offer one or two suggestions to make this post better.
An ignorant question, perhaps: could Linux software installation systems be designed to verify checksums automatically, as part of the service?
@christopher
Yes, it is possible, this method only works as an extra-verification measure after packages are already installed on your system.
For example apt/apt-get does that as explained here: http://superuser.com/questions/990143/how-does-apt-get-checks-for-the-integrity-of-the-files-downloaded
bill@jessie:~$ sudo debsums –changed
debsums: invalid line (1) in md5sums for open-vm-tools-desktop: \dde14951417e0e9f73b80f871e6540d1 lib/systemd/system/run-vmblock\\x2dfuse.mount
How do I fix this?
@bushpilot
This could be caused by a possible mount problem under systemd perhaps a bug. Try to find out more from here: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1448134
Try to run the command below and show us the output:
sudo systemctl status -l “run-vmblock\x2dfuse.mount”