How can Verify the integrity of my arch system repos and kernel ?

Succulent of your garden · 2024-03-30 19:20:31

Hi everyone

Since this issue https://bbs.archlinux.org/viewtopic.php?id=292265 I'm trying to work to see if my wayland machine works with the LTS Kernel. So today I made the change from hardened to LTS to see if my wayland machine works well and avoid the udev bug. But before changing my kernel I checked what kernel was updated and it was 6.7.9 hardened version D: (The issue starts after 6.6.8 release of the kernel). Maybe some days ago I was very bussy and didn't notice the upgrade in pacman -Syu, but I was always downgrading the kernel to 6.6.8. I want to be sure if that's the case and if my system is fine. I want to verify the url of the repos and also the binaries of the kernels downloaded so I can confirm that nothing malicious is my wayland machine (As far it seems is okey, but hey how knows ? ), also to check if pacman utils is fine. Any help in orentation with this will be very helpfull, so I can finish to post in the linked post the results about this issue using wayland + Hyprland in this case.

Btw, I will do rkhunter and lynis check after checking the integrity of pacman,repos and kernel binaries ( I didn't delete the other kernel binaries of hardened version, so I can still make a checksum).

Many Thanks in advance!

Last edited by Succulent of your garden (2024-03-30 19:53:34)

V1del · 2024-03-30 20:49:54

I can't make heads or tails of your post.

How did you downgrade back to 6.6.8? If you used the pacman package from January you'll have used that same version as it was vetted at that time. Just from that there should be no inherent indication your compromised in any form

Succulent of your garden · 2024-03-31 14:06:35

Hi V1del

After reading this again with finally 8 hours of sleep in my head, I'll explain my needs more in detail:

Since I was troubleshooting my Wayland machine with the issue with udev explained in the post linked, I was just downgrading everytime the kernel using pacman -U /var/cache/pacman/ to get the cache version of kernel hardened to 6.6.8 in every update of the system, so I can boot properly without the udev issue the next boot time. Some weeks after (My wayland machine is not my main one), when I was going to install the LTS version of the kernel instead of the hardened, so I can finally test if LTS version does not have the issue for my machine and simple use -Syu in every update, I realized by terminal that my current kernel was 6.7.9 hardened. This seems a bit strange for me, because I'm been always downgrading the kernel to 6.6.8. Maybe in some very tired day I forget to use pacman -U and install the 6.7.9 version, which it seems solved the issue. But I'm not completely sure about that, so I want to check the integrity of my system in any case, and also because I just read today about the xz backdoor, just in case

Yesterday I want to check the repos url list, like in debian system /etc/apt/sources.list. It seems that in Arch you can see by /etc/pacman.conf that the repos are in /etc/pacman.d/mirrorlist . I want to know where I can find the official repos url so I can check these files has not been modifed, and also check the certificates with openssl to see inside if everything is fine with the encryption and pgp keys. I'm not sure where can I find the ceritificates for the repos, and how to check the certificates to see there are fine, but I know how to use openssl to see the content. Also I want to know if there someway to check with sha256sum or similars the checksum of my kernel binaries, especially the 6.7.9 which is still in cache. So I can be sure that everything is fine. I'm not sure if pacman is a binary, if that's the case I want to check the checksum in any case.

Have a nice day!

Last edited by Succulent of your garden (2024-03-31 14:08:42)

loqs · 2024-03-31 14:36:26

Arch sign's all packages in the official repositories so provided you have not disabled signature verification pacman will not install packages from any remote source without a valid signature. That does not rely on the mirror or your connection to it being secure in any way.

# pacman -Qkk linux-hardened

Will check files owned by the linux-hardened package. Running this on a compromised system would of course be pointless. Also note the kernel in /boot is not owned by the kernel package.

Arch Linux

#1 2024-03-30 19:20:31

How can Verify the integrity of my arch system repos and kernel ?

#2 2024-03-30 20:49:54

Re: How can Verify the integrity of my arch system repos and kernel ?

#3 2024-03-31 14:06:35

Re: How can Verify the integrity of my arch system repos and kernel ?

#4 2024-03-31 14:36:26

Re: How can Verify the integrity of my arch system repos and kernel ?

Board footer