Hi, i wrote: > > Others here will surely have proposals how to verify a whole pool tree.
Brian wrote: > I can get the MD5sum for each file in the ISO and for each extracted > file. I suppose it is a matter of meaningfully comaparing both lists. If you only want to know whether the extraction worked flawlessly, you could simply compare the files in the mounted ISO and the extracted pool tree. Command "diff -q -r" should be able to do this. But actually i meant the Debian package verification mechanisms. Like what is described in https://debian-handbook.info/browse/stable/sect.package-authentication.html xorriso wrote: > Not a single file with MD5 checksum was found. (There is no MD5 checksum > array loaded.) As said in my previous mail, the production of the ISO by debian-cd or live-wrapper does not tell xorriso to compute and store MD5 sums. So there are none to read when the ISO metadata get loaded, and none present when you execute the -check_md5_r command. > If it is of consquence, the ISO was made by jigdo. Charles Curley wrote: > Doesn't jigdo verify each file as jigdo pulls it in? It does implicitely by the MD5s in the .jigdo file, which are used to find the package names by the MD5s which are placeholders in the .template file. $ file debian-8.8.0-amd64-netinst.jigdo debian-8.8.0-amd64-netinst.jigdo: gzip compressed data, max compression, from Unix $ gunzip <debian-8.8.0-amd64-netinst.jigdo ... [Parts] d9uPSqhxXD7UHdoHFGcsNQ=Debian:pool/main/m/mtdev/libmtdev1-udeb_1.1.5-1_amd64.udeb ... lots of more lines ... The encoding is base64, not hex. One may convert by $ echo 'd9uPSqhxXD7UHdoHFGcsNQ' | base64 -d | od -A n -v -t x1 | sed -e 's/ //g' base64: invalid input 77db8f4aa8715c3ed41dda0714672c35 Despite the complaint from base64, the result is correct: $ wget https://debian.ues.edu.sv/debian/pool/main/m/mtdev/libmtdev1-udeb_1.1.5-1_amd64.udeb ... $ md5sum libmtdev1-udeb_1.1.5-1_amd64.udeb 77db8f4aa8715c3ed41dda0714672c35 libmtdev1-udeb_1.1.5-1_amd64.udeb I am not sure whether the Jigdo download tools check the packages by the means of Debian package verification. As said, MD5 is good enough for detecting unintended mishaps, but not for detecting intentional and skillfully camouflaged alteration. Have a nice day :) Thomas
