
I am looking to verify whether or not my binaries, installed by the Aptitude package manager under Ubuntu 16.04.2 LTS, are either intact or have been modified / compromised. I cannot find any list of file checksums for each file from each package - that is, the current package installed on my system through updates - to allow me to do the comparison.

Is there some built-in feature like this? There certainly must be a list of checksums somewhere, so that the package manager can verify everything installed correctly, right?

And - before you say Tripwire or the like in order to monitor these changes - Tripwire is only useful if you install it on a 100% clean, legit installation and update the sums immediately after package upgrades. Otherwise, you're only recording (and thus "verifying"/"validating") the file hashes of potentially compromised binaries. I didn't log the checksums from a clean install.

However, if I can run through the binaries, shared libraries, default configs, etc. on my system and confirm they're all legitimate, I have a base on which to install and maintain Tripwire.

Thank you in advance!

Brendan

1 Answer


A file with md5sums is on the system and available for most packages in the location /var/lib/dpkg/info/{packagename}.md5sums. If you install the package debsums, it includes a tool that can run a scan and tell you which files do not match the sums (debsums --changed).

Keep in mind that since these sums are stored on your local system they could be easily compromised or replaced. This tool really isn't designed as a security control.

If you really want to be certain, you could rebuild another identical system with an identical selection of packages in a VM or something and compare all the checksum files on the existing system against the clean system.

  • Excellent. That is EXACTLY what I was searching for. Maybe next time I'll read more into the Debian documentation :D. Thank you so much! – Brendan Aug 15 '17 at 05:05
  • Also, as an idea re: someone changing the checksums: you could chattr +i the files in the /var/lib/dpkg/info directory, and write a script to chattr -i them before an apt/apt-get upgrade, then chattr +i them afterwards. Of course a knowledgeable attacker w/ root could chattr -i them before doing his mods (he'd have to in order to modify them) but many people aren't aware of this. It prevents any file modification whatsoever. Just an idea. – Brendan Aug 15 '17 at 05:27
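As an added example (not part of Zoredache's answer or of debsums itself), a shell script that performs the comparison the answer describes: it reads a dpkg .md5sums file and reports files whose on-disk hash differs or that are missing, and loops over every package's list the way debsums --changed does. The `verify_all_packages` helper, its optional root argument and the constructed demo tree are assumptions of this example.

```shell
#!/usr/bin/env bash
# Verify files from a dpkg .md5sums file against the filesystem, the check
# that `debsums --changed` performs.  Format: "<md5 hex>  <path relative to />".
# Assumption: md5sum and cut are available (coreutils).
set -u

# verify_md5sums <md5sums-file> [root]
# Prints "CHANGED <path>" or "MISSING <path>" per mismatch; returns 1 if any.
verify_md5sums() {
    local sums="$1" root="${2:-/}" status=0 expected path actual
    while read -r expected path; do
        [ -n "$path" ] || continue                  # skip blank lines
        if [ ! -f "$root/$path" ]; then
            printf 'MISSING  %s\n' "$path"; status=1; continue
        fi
        actual=$(md5sum "$root/$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'CHANGED  %s\n' "$path"; status=1
        fi
    done < "$sums"
    return "$status"
}

# verify_all_packages [info-dir] [root]: every package's list, like debsums.
# The lists live on the same disk as the packages they describe, so root can
# rewrite them; compare against a clean system's copies for real assurance.
verify_all_packages() {
    local info="${1:-/var/lib/dpkg/info}" root="${2:-/}" rc=0 f
    for f in "$info"/*.md5sums; do
        [ -e "$f" ] || continue                     # no lists at all
        verify_md5sums "$f" "$root" || rc=1
    done
    return "$rc"
}

# demo: constructed tree with one intact, one modified and one deleted file.
demo() {
    local tmp h; tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    printf 'hello\n' > "$tmp/usr/bin/good"
    cp "$tmp/usr/bin/good" "$tmp/usr/bin/tampered"
    h=$(md5sum "$tmp/usr/bin/good" | cut -d' ' -f1)
    printf '%s  usr/bin/good\n%s  usr/bin/tampered\n%s  usr/bin/gone\n' \
        "$h" "$h" "$h" > "$tmp/demo.md5sums"
    printf 'evil\n' >> "$tmp/usr/bin/tampered"     # simulate a modification
    verify_md5sums "$tmp/demo.md5sums" "$tmp" || echo "demo: mismatches found"
    rm -rf "$tmp"
}
case "${1:-}" in --demo) demo ;; --all) verify_all_packages ;; esac
```

For a single package on a real system, `cd / && md5sum -c --quiet /var/lib/dpkg/info/<package>.md5sums` gives the same answer with no script at all.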