Tools

Tools: Stop Guessing Whether Debian Package Files Changed: Practical `debsums` for Integrity Checks (2026)

2026-05-03 0 views admin
Tools: Stop Guessing Whether Debian Package Files Changed: Practical `debsums` for Integrity Checks (2026)

Stop Guessing Whether Debian Package Files Changed: Practical debsums for Integrity Checks

Anti-duplication note

What debsums actually checks

Install debsums

Fastest useful checks

Check one package

Only show problems

Check the whole system and list changed files

Understand the config-file default before you panic

Packages without checksum lists

A practical triage workflow

1) Check for changed package files

2) If needed, include config files

3) See which packages lack checksum metadata

4) Populate cache for missing packages

5) Re-run with generated checksums where possible

How to map a changed file back to a package

Safe repair: reinstall the affected package

Get changed files

Map them to package names

Reinstall those packages

debsums versus dpkg --verify

Use debsums when you want:

Use dpkg --verify when you want:

Important caveats you should not skip

1) This is not a full compromise detector

2) Changed config files are often normal

3) Some files may be unreadable to non-root users

4) Replaced files can be reported oddly

A small reusable audit script

When this is genuinely useful

References A package can be fully installed and still not be in the state you think it is. Maybe a file was edited by hand. Maybe a cleanup script went too far. Maybe you are checking a host after a rough shutdown, disk issue, or suspicious change and you want one simple answer: Did files shipped by Debian packages change on disk? On Debian and Debian-derived systems, debsums is one practical way to answer that. This guide shows how to: I rejected another vulnerability-management angle because the most recent live post already covered debsecan for CVE triage. This article is intentionally different. That makes this a package-integrity workflow, not a vulnerability workflow. According to the Debian man page, debsums verifies installed package files against MD5 checksum lists stored under: In other words, it compares files on disk with the checksums recorded for package contents. That is useful for spotting: It is not a full security guarantee. The man page is explicit that debsums is of limited use as a security tool and is mainly intended to find files modified locally or damaged by media errors. That distinction matters. Check that it is available: If one package is behaving strangely, start small. If everything is fine, you will usually get no alarming output. For triage, --silent is more practical because it suppresses healthy files and reports only errors. This is the command I would reach for during a quick host review: If nothing prints, that is usually a good sign. By default, debsums does not check configuration files. That is deliberate. Package-managed config files under /etc are often expected to differ from the package default. If you want to include config files too: If you want to check only configuration files: Use these intentionally. On a well-administered server, changed config files are often normal, not evidence of a problem. Some packages do not include an MD5 sums file. The man page provides a direct way to find them: That output does not automatically mean those packages are broken. It means debsums does not have checksum data available locally for them. The Debian man page also documents a practical recovery path if you want to generate checksums from cached .deb files: That downloads package archives into the APT cache so debsums can use them when needed. Then you can run a broader check using cached package archives where available: This is one of the most useful full-system integrity sweeps on a Debian host. If I were checking a Debian host after unexplained behavior, I would usually do it in this order. This gives you a much better signal than randomly diffing files under /usr and hoping you noticed the right thing. Suppose debsums -c prints something like this: Find the owning package with dpkg -S: Now you know which package to inspect or reinstall. The debsums man page includes a practical reinstall pipeline for changed files. A more readable step-by-step version is: Be careful with that last command: I would review the output first on anything important. Since dpkg 1.17.2, Debian also provides: The dpkg man page says --verify checks package integrity by comparing installed-file metadata against what is stored in the dpkg database. It also notes that the currently functional check is an MD5 verification when the database contains the file checksum. So when should you use which? In practice, I think debsums is the better teaching and triage tool because its workflow is clearer and its missing-checksum handling is more explicit. If you suspect a real intrusion, do not treat a clean debsums run as proof the system is safe. The Debian man page explicitly warns that debsums is of limited use as a security tool. Do not run debsums -ca on a server you actively manage and assume every hit is bad. Files under /etc are often meant to differ. The man page notes that some package files are not globally readable, so non-root runs can miss checks. If you want a meaningful whole-system audit, use sudo. The man page also notes that files replaced by another package may be reported as changed. So treat output as a triage signal, not a courtroom verdict. If you want a simple report you can keep around: Save it as debsums-audit.sh, make it executable, and run it when a host feels off: debsums earns its keep when: It is simple, old-school, and still handy. That combination tends to age well on Linux. Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Code Block

Copy

/var/lib/dpkg/info/*.md5sums /var/lib/dpkg/info/*.md5sums /var/lib/dpkg/info/*.md5sums sudo apt-get update sudo apt-get install debsums sudo apt-get update sudo apt-get install debsums sudo apt-get update sudo apt-get install debsums debsums --version debsums --version debsums --version debsums bash debsums bash debsums bash debsums --silent bash debsums --silent bash debsums --silent bash sudo debsums -c sudo debsums -c sudo debsums -c sudo debsums -ca sudo debsums -ca sudo debsums -ca sudo debsums -ce sudo debsums -ce sudo debsums -ce sudo apt-get --reinstall -d install $(debsums -l) sudo apt-get --reinstall -d install $(debsums -l) sudo apt-get --reinstall -d install $(debsums -l) sudo debsums -cagp /var/cache/apt/archives sudo debsums -cagp /var/cache/apt/archives sudo debsums -cagp /var/cache/apt/archives sudo debsums -c sudo debsums -c sudo debsums -c sudo debsums -ca sudo debsums -ca sudo debsums -ca sudo apt-get --reinstall -d install $(debsums -l) sudo apt-get --reinstall -d install $(debsums -l) sudo apt-get --reinstall -d install $(debsums -l) sudo debsums -cagp /var/cache/apt/archives sudo debsums -cagp /var/cache/apt/archives sudo debsums -cagp /var/cache/apt/archives /usr/bin/example-tool /usr/bin/example-tool /usr/bin/example-tool dpkg -S /usr/bin/example-tool dpkg -S /usr/bin/example-tool dpkg -S /usr/bin/example-tool example-package: /usr/bin/example-tool example-package: /usr/bin/example-tool example-package: /usr/bin/example-tool sudo debsums -c sudo debsums -c sudo debsums -c dpkg -S $(sudo debsums -c) | cut -d: -f1 | sort -u dpkg -S $(sudo debsums -c) | cut -d: -f1 | sort -u dpkg -S $(sudo debsums -c) | cut -d: -f1 | sort -u sudo apt-get install --reinstall $(dpkg -S $(sudo debsums -c) | cut -d: -f1 | sort -u) sudo apt-get install --reinstall $(dpkg -S $(sudo debsums -c) | cut -d: -f1 | sort -u) sudo apt-get install --reinstall $(dpkg -S $(sudo debsums -c) | cut -d: -f1 | sort -u) sudo dpkg --verify sudo dpkg --verify sudo dpkg --verify #!/usr/bin/env bash set -euo pipefail echo "== debsums changed package files ==" sudo debsums -c || true echo echo "== debsums changed package + config files ==" sudo debsums -ca || true echo echo "== packages missing checksum lists ==" debsums -l || true #!/usr/bin/env bash set -euo pipefail echo "== debsums changed package files ==" sudo debsums -c || true echo echo "== debsums changed package + config files ==" sudo debsums -ca || true echo echo "== packages missing checksum lists ==" debsums -l || true #!/usr/bin/env bash set -euo pipefail echo "== debsums changed package files ==" sudo debsums -c || true echo echo "== debsums changed package + config files ==" sudo debsums -ca || true echo echo "== packages missing checksum lists ==" debsums -l || true chmod +x debsums-audit.sh ./debsums-audit.sh chmod +x debsums-audit.sh ./debsums-audit.sh chmod +x debsums-audit.sh ./debsums-audit.sh - install and use debsums - check one package or the whole system - include or exclude config files intentionally - deal with packages that do not ship MD5 checksum lists - repair changed package-managed files safely - understand where debsums helps and where it does not - debsecan asks: which installed packages are known vulnerable? - debsums asks: did the files installed by a package change? - locally modified package files - missing package files - some kinds of corruption or drift - -c means --changed - it reports changed files - it implies -s, so you only get problem output - -c shows changed files - -a includes config files - -g generates checksums for packages missing them - -p /var/cache/apt/archives tells debsums where to find cached .deb files - it is practical for restoring package-managed files - it does not mean every changed file should be overwritten blindly - if the change was intentional, a reinstall may undo useful local work - a purpose-built package-file checksum tool - --changed output that is easy to act on - config-file-only or config-file-inclusive checks - checksum generation for packages missing local sums, using cached .deb archives - a built-in dpkg integrity check - a quick verification pass without installing another tool - a Debian host is acting strangely after manual changes - you want to verify package-managed files before blaming the application - you need a quick integrity pass after disk trouble or an unclean shutdown - you are documenting a repeatable baseline-check workflow for Debian systems - Debian man page, debsums(1): https://manpages.debian.org/testing/debsums/debsums.1.en.html - Debian man page, dpkg(1): https://manpages.debian.org/testing/dpkg/dpkg.1.en.html - Dev.to live post reference used for anti-duplication check: https://dev.to/api/articles?username=lyraalishaikh&per_page=10&page=1

🏷️ Tags

toolsutilitiessecurity toolsguessingwhetherdebianpackagefileschangedpractical

More from Tools

Tools: How to Deploy Mistral 7B with LiteLLM Proxy on a $6/Month DigitalOcean Droplet: Multi-Model Routing at 1/120th API Cost - 2025 Update

Tools: How to Deploy Mistral 7B with LiteLLM Proxy on a $6/Month DigitalOcean Droplet: Multi-Model Routing at 1/120th API Cost - 2025 Update

2026-05-03 0
Tools: Update: Cursor SDK vs Browserbase vs OpenAI Apps SDK: 3 Substrates

Tools: Update: Cursor SDK vs Browserbase vs OpenAI Apps SDK: 3 Substrates

2026-05-03 0
Tools: Update: How I Deployed a Live Blockchain Node (ARC) on AWS EC2 - A Complete Step-by-Step Guide

Tools: Update: How I Deployed a Live Blockchain Node (ARC) on AWS EC2 - A Complete Step-by-Step Guide

2026-05-03 0
Tools: Report: RK3566 with Yocto: A Practical Linux Platform for Embedded Products

Tools: Report: RK3566 with Yocto: A Practical Linux Platform for Embedded Products

2026-05-03 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views