How to verify deb package contents

Verify package contents by hand or use simple shell script to automate this process.

I will use rsyslog-pgsql package to show you how to explain this operation.

$ apt-get download rsyslog-pgsql

Get:1 http://deb.debian.org/debian stretch/main amd64 rsyslog-pgsql amd64 8.24.0-1 [188 kB]
Fetched 188 kB in 0s (7422 kB/s)

Manual operation

Create temporary directory.

$ mkdir contents

Extract package contents to verify md5sums.

$ dpkg -x rsyslog-pgsql_8.24.0-1_amd64.deb ./contents/

Verify MD5 hashes.

$ cd contents && md5sum -c ../md5sums

usr/lib/x86_64-linux-gnu/rsyslog/ompgsql.so: OK
usr/share/dbconfig-common/data/rsyslog-pgsql/install/pgsql: OK
usr/share/doc/rsyslog-pgsql/NEWS.Debian.gz: OK
usr/share/doc/rsyslog-pgsql/changelog.Debian.gz: OK
usr/share/doc/rsyslog-pgsql/changelog.gz: OK
usr/share/doc/rsyslog-pgsql/copyright: OK
usr/share/rsyslog-pgsql/rsyslog-pgsql.conf.template: OK

Simple shell script

This shell script uses the same method as the manual one to verify package contents.

#!/bin/bash
# verify package contents


# verify that first parameter is defined
if [ ! "$#" -eq "1" ]; then 
  echo "Verify package contents"
  echo
  echo "Usage:"
  echo "  $0 package.deb"
  exit 1
fi

# verify that first parameter is a file
if [ ! -f "$1" ] && [  -d "$1" ]; then
  echo "Parameter $1 is not a file"
  exit 1
fi

# verify that first parameter is a deb package
file_type=$(file -b "$1")
if [ !  "$file_type" == "Debian binary package (format 2.0)" ]; then
  echo "Parameter $1 is not a deb package"
  exit 1
fi

# create temporary directory and a trap
temp_dir=$(mktemp -d)
trap 'rm -rf $temp_dir' EXIT

# extract package contents
dpkg -x $1 $temp_dir

# verify package contents
dpkg --ctrl-tarfile $1 | tar -x --directory $temp_dir ./md5sums
cd $temp_dir && md5sum -c $temp_dir/md5sums

exit $?

usr/lib/x86_64-linux-gnu/rsyslog/ompgsql.so: OK
usr/share/dbconfig-common/data/rsyslog-pgsql/install/pgsql: OK
usr/share/doc/rsyslog-pgsql/NEWS.Debian.gz: OK
usr/share/doc/rsyslog-pgsql/changelog.Debian.gz: OK
usr/share/doc/rsyslog-pgsql/changelog.gz: OK
usr/share/doc/rsyslog-pgsql/copyright: OK
usr/share/rsyslog-pgsql/rsyslog-pgsql.conf.template: OK

Advanced shell script

This shell script uses more advanced methods to verify package contents and does not need to create temporary directory to extract package data.

#!/bin/bash
# verify package contents


# verify that first parameter is defined
if [ ! "$#" -eq "1" ]; then 
  echo "Verify package contents"
  echo
  echo "Usage:"
  echo "  $0 package.deb"
  exit 1
fi

# verify that first parameter is a file
if [ ! -f "$1" ] && [  -d "$1" ]; then
  echo "Parameter $1 is not a file"
  exit 1
fi

# verify that first parameter is a deb package
file_type=$(file -b "$1")
if [ !  "$file_type" == "Debian binary package (format 2.0)" ]; then
  echo "Parameter $1 is not a deb package"
  exit 1
fi

# default exit code
exit_code=0

# verify package contents
dpkg --ctrl-tarfile $1 | tar -x --to-stdout ./md5sums | while read -r line; do
  md5sum_hash=$(echo $line | cut -d " " -f 1)
  md5sum_file=$(echo $line | cut -d " " -f 2)
  extracted_file_hash=$(dpkg --fsys-tarfile $1 | tar -x --to-stdout ./$md5sum_file | md5sum | cut -d " " -f 1)
  if [ "$md5sum_hash" == "$extracted_file_hash" ]; then
    echo "${md5sum_file}: OK"
  else
    echo "${md5sum_file}: BAD"
    exit_code=2
  fi
done

exit $exit_code

usr/lib/x86_64-linux-gnu/rsyslog/ompgsql.so: OK
usr/share/dbconfig-common/data/rsyslog-pgsql/install/pgsql: OK
usr/share/doc/rsyslog-pgsql/NEWS.Debian.gz: OK
usr/share/doc/rsyslog-pgsql/changelog.Debian.gz: OK
usr/share/doc/rsyslog-pgsql/changelog.gz: OK
usr/share/doc/rsyslog-pgsql/copyright: OK
usr/share/rsyslog-pgsql/rsyslog-pgsql.conf.template: OK

It is superior to the previous one, but unfortunately it is very slow.