Re: Compromised system - still ok?

[Michael Stone <mstone@debian.org>]

On Mon, Feb 07, 2005 at 06:32:12PM +0200, Ognyan Kulev wrote:
> He said that after signed Fedora package is installed (by default, only 
> signed packages are installed), you can boot from some CD and then check 
> signatures of each file of each package.  Thus, only having key Red Hat's 
> fingerprint, you can check your all installed packages.
>
> What I'm asking is if this is possible with dpkg-sig?  If not, I think it's 
> desirable feature.  

No it's not. The redhat approach misses the boat on what is probably the
largest part of your installation--your data & configuration files. Use
something like aide or tripwire to validate your installation.

> Another thing he doesn't like is that check is based on signed MD5 hash of 
> content instead of based on signed content.  Is it true that signed MD5 is 
> weaker than signed content?

No.

Mike Stone