Forensic tool release: archlinux-userland-fs-cmp (reproducible pre-compiled binary available)
kpcyrd at archlinux.org
Wed Jan 31 20:50:25 UTC 2024
I released a tool recently that I'd like to share with this list:
It's supposed to be used from a rescue image (any Linux) with an Arch
install mounted to e.g. /mnt. It does the following:
- Open /mnt/var/lib/pacman and extract the list of (allegedly) installed
- Instead of trusting the `mtree` files from the mounted file system,
the %NAME% and %VERSION% values from the `desc` files are used to start
a download stream from archive.archlinux.org.
- From the download stream it's decompressing and inspecting the content
on-the-fly, since the .MTREE file is near the beginning of the package
we can abort the remaining package download after the mtree has been
received (saving a lot of time and traffic).
- All files in /mnt that are part of a package are hashed and compared
with the sha256 hashes in the MTREE files downloaded from the archive.
- Finally, it's printing a report of all files that either mismatched or
are not a part of any package. This can be redirected to a file using
the -o flag.
At no point is any file from the mounted filesystem eval'd or otherwise
executed. Parsers are written in a memory safe language.
Although it's integrating with pacman, the integration with
archive.archlinux.org makes this Arch Linux specific, files from AUR,
Manjaro or SteamOS packages are all going to be flagged for manual
The authenticity of the .MTREE files is assumed through the https
connection they are downloaded from (which is supposed to be sufficient
for the use-case it's built for).
The release page on github has a pre-compiled, statically linked binary
that can trivially be reproduced from source code. The dependency tree
is documented in Cargo.lock, the build environment is documented in
repro-env.lock. The binary has been tested to be working correctly on a
Debian bookworm installer busybox rescue shell.
There's a gif in the README showing how the tool looks like in action.
I also printed reproducible builds stickers with a new and unique design
that I'm planning to hand out at FOSDEM (along with some 37c3
leftovers), if you have read this far, feel free to ask me about
stickers if you see me there. The print cost geht auf mein Nacken.
More information about the rb-general