0

Should the common binaries on different but identical Linux systems (let's say same Debian version, fully patched) have the exact same binaries across systems (matching hashes)?

Is there any known collection of these "known-good" hashes for Linux, similar to how VirusTotal identifies Microsoft-provided binaries as "Supplied by Microsoft"?

I ask because almost any time I investigate a binary on my system which is (hopefully) legitimate, it almost never appears in VirusTotal or anywhere else on the internet (unless it's something like ls).

  • The source code should be identical with matching hashes, but I think at least some binaries might be compiled differently depending on the hardware the system is running on. – fuzzydrawrings Mar 25 '22 at 16:38
  • Given that Debian has ~51k packages available with updates coming out frequently, maintaining a hash database for just one major release is quite an undertaking. If you start considering multiple releases and databases for other distributions the task becomes impossible. Would you consider testing the signature on the .deb instead of looking at the binaries it contains? – doneal24 Mar 25 '22 at 16:56
  • @fuzzydrawings no, in Debian at least all the binaries for a given architecture are identical — there’s only one package per architecture. – Stephen Kitt Mar 25 '22 at 16:56
  • The binary might be modified after the package was installed – dcom-launch Mar 25 '22 at 17:07

1 Answer

2

All systems running a given architecture and version of a package will have exactly the same binaries, unless they are post-processed on each individual system (as used to happen when preloading was popular).

I’m not aware of a centralised list of hashes for individual binaries published by Debian. However, most Debian packages ship their own hashes, which are available on local systems as /var/lib/dpkg/info/*.md5sums.

Obviously those files can be modified on a local system, so they’re not inherently trustworthy. They can however be used to externally validate binaries:

  • run dpkg -V to verify installed files against the stored hashes;
  • download packages from the main repositories (see How is the authenticity of Debian packages guaranteed? to understand how these are verified — apt does the verification for you);
  • check that your local hashes haven’t changed compared to those in the downloaded packages.

If you want to take care of your initial question yourself, you could extract the .md5sums files from all available packages and publish the hashes somewhere.

Stephen Kitt
  • 434,908
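The three steps in the answer above can be scripted as follows. This is an added example, not code from the original answer: check_files and verify_pkg are names chosen here, and it assumes the installed version of the package is still available from the configured repositories and that the package is installed for a single architecture.

```shell
#!/bin/sh
# Added example: compare installed files against the md5sums list shipped
# inside a freshly downloaded copy of the same package version.

# check_files SUMS [ROOT]: SUMS is in dpkg md5sums format
# ("<md5>  <path relative to />"). Prints one line per problem, returns 1 if any.
check_files() (
    sums=$1 root=${2:-/} rc=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        got=$(md5sum < "$root/$path" | cut -d' ' -f1)
        [ "$got" = "$want" ] || { echo "MODIFIED $path"; rc=1; }
    done < "$sums"
    exit "$rc"
)

# verify_pkg PKG: download the installed version (apt verifies the repository
# signatures), extract its control files, then check both the locally stored
# hash list and the files on disk against the downloaded list.
verify_pkg() (
    pkg=$1
    ver=$(dpkg-query -W -f='${Version}' "$pkg") || exit 2
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    cd "$tmp" || exit 2
    apt-get download "$pkg=$ver" >/dev/null || exit 2
    dpkg-deb -e ./*.deb ctrl || exit 2
    # Has the local copy of the hash list been altered?
    dpkg-query --control-show "$pkg" md5sums | cmp -s - ctrl/md5sums ||
        echo "STORED LIST DIFFERS for $pkg"
    # Do the files on disk still match what the package shipped?
    check_files ctrl/md5sums /
)

# Usage: sh verify.sh coreutils
[ "$#" -eq 0 ] || verify_pkg "$1"
```

Configuration files are normally not listed in md5sums, so they are not covered by this check.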