pacman computes checksums and compares these to sums in a package's mtree file to determine if a file has changed since installation, which is how pacman's backup functionality is implemented. Is it possible to use this capability to compare the state of files on the system to those in a pacman cache? One could use this feature by running pacman from a live cd or bootable flash drive and use a known clean pacman cache to verify that a system hasn't been modified. After looking at the man page and wiki I've not been able to find an option to do this; have I missed it? If not, then do any of the pacman devs care to speculate on how difficult this would be to implement? I imagine it wouldn't be so hard, as the basic functionality is already present, and would be willing to submit patches if this seems like a feature that would be accepted by the pacman team.
Edit: I was mistaken, pacman does not use a package's mtree file for its backup logic. Instead it computes the checksums of files extracted from a package archive (see apg's reply).
Last edited by tac-shell (2016-09-06 14:33:17)
`pacman -Qkk`
Neither backup file handling nor `pacman -Qkk` use checksums from the mtree file. pacman is not even capable of reading checksums from the mtree file.
According to pacman's man page, `pacman -Qkk` will "perform more detailed file checking (including permissions, file sizes, and modification times) for packages that contain the needed mtree file."
This seems to imply that only metadata about files is checked and their contents are left unexamined.
To apg I ask: If pacman does not use the hash values in a package's mtree file, then how does it determine a hash to compare a file to? Does it compute the checksum from the package file? The use of an mtree isn't really the point here. Whatever the source of the hash, I want to compare the checksums of files in the filesystem with files from verified packages.
Edit: fixed typo
Last edited by tac-shell (2016-09-06 14:34:35)
We are waiting on libarchive to be able to read the hashes from the mtree file. Once that works, we will finish implementing the check.
> To apg I ask: If pacman does not use the hash values in a package's mtree file, then how does it determine a hash to compare a file to? Does it compute the checksum from the package file? The use of an mtree isn't really the point here. Whatever the source of the hash, I want to compare the checksums of files in the filesystem with files from verified packages.
pacman calculates the checksums for backup files when they are extracted.
Allan, thanks for the reply. It's good to hear that you all have thought of this. I think there's a good case to be made for using the package manager for this purpose: it already has a list of files installed on the system and has the ability to cryptographically verify package files and use them as the baseline for the check. So there's a limitation in libarchive which prevents you from reading the contents of an archived file without extracting them, which seems to explain why the mtree file is not used by the backup code.
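The check asked about in this thread, comparing files on a mounted system against a known-clean package archive, shown as an added example; it is not pacman's code and not from any poster. It assumes the archive's signature has already been verified and that it uses a compression Python's `tarfile` can read (xz or gzip); the function names and the sample package built in `demo()` are constructed for illustration.

```python
import hashlib, io, os, tarfile, tempfile

# Metadata members at the top of a pacman package archive; they are not installed files.
PKG_METADATA = {".PKGINFO", ".MTREE", ".BUILDINFO", ".INSTALL", ".CHANGELOG"}

def sha256_stream(fobj, chunk=1 << 16):
    h = hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def verify_against_package(pkg_path, root):
    """Hash each regular file in the archive and the same path under `root`.
    Returns {path: "modified" | "missing"} for every file that differs."""
    findings = {}
    with tarfile.open(pkg_path, "r:*") as pkg:
        for member in pkg:
            if not member.isfile() or member.name in PKG_METADATA:
                continue
            installed = os.path.join(root, member.name.lstrip("/"))
            if not os.path.lexists(installed):
                findings[member.name] = "missing"
            elif os.path.islink(installed) or not os.path.isfile(installed):
                # a symlink or directory where the package ships a regular file
                findings[member.name] = "modified"
            else:
                with open(installed, "rb") as f:
                    if sha256_stream(f) != sha256_stream(pkg.extractfile(member)):
                        findings[member.name] = "modified"
    return findings

def demo():
    # Constructed sample: a tiny fake package, and a root tree with one
    # altered file and one file absent.
    files = {".PKGINFO": b"pkgname = demo\n", "usr/bin/tool": b"#!/bin/sh\necho ok\n",
             "etc/demo.conf": b"setting=1\n", "usr/share/demo/data": b"data\n"}
    with tempfile.TemporaryDirectory() as tmp:
        pkg_path = os.path.join(tmp, "demo-1.0-1-any.pkg.tar.xz")
        with tarfile.open(pkg_path, "w:xz") as pkg:
            for name, body in files.items():
                info = tarfile.TarInfo(name)
                info.size = len(body)
                pkg.addfile(info, io.BytesIO(body))
        root = os.path.join(tmp, "root")
        on_disk = {"usr/bin/tool": files["usr/bin/tool"] + b"echo altered\n",
                   "etc/demo.conf": files["etc/demo.conf"]}
        for name, body in on_disk.items():
            os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        return verify_against_package(pkg_path, root)
```

Configuration files that a package marks as backup files are expected to differ once an administrator has edited them, so a "modified" result for those paths needs review rather than being treated as tampering.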