Forensic tool release: archlinux-userland-fs-cmp (reproducible pre-compiled binary available)

kpcyrd kpcyrd at
Wed Jan 31 20:50:25 UTC 2024


I released a tool recently that I'd like to share with this list:

It's supposed to be used from a rescue image (any Linux) with an Arch 
install mounted to e.g. /mnt. It does the following:

- Open /mnt/var/lib/pacman and extract the list of (allegedly) installed 
- Instead of trusting the `mtree` files from the mounted file system, 
the %NAME% and %VERSION% values from the `desc` files are used to start 
a download stream from
- From the download stream it's decompressing and inspecting the content 
on-the-fly, since the .MTREE file is near the beginning of the package 
we can abort the remaining package download after the mtree has been 
received (saving a lot of time and traffic).
- All files in /mnt that are part of a package are hashed and compared 
with the sha256 hashes in the MTREE files downloaded from the archive.
- Finally, it's printing a report of all files that either mismatched or 
are not a part of any package. This can be redirected to a file using 
the -o flag.

At no point is any file from the mounted filesystem eval'd or otherwise 
executed. Parsers are written in a memory safe language.

Although it's integrating with pacman, the integration with makes this Arch Linux specific, files from AUR, 
Manjaro or SteamOS packages are all going to be flagged for manual 

The authenticity of the .MTREE files is assumed through the https 
connection they are downloaded from (which is supposed to be sufficient 
for the use-case it's built for).

The release page on github has a pre-compiled, statically linked binary 
that can trivially be reproduced from source code. The dependency tree 
is documented in Cargo.lock, the build environment is documented in 
repro-env.lock. The binary has been tested to be working correctly on a 
Debian bookworm installer busybox rescue shell.

There's a gif in the README showing how the tool looks like in action.


I also printed reproducible builds stickers with a new and unique design 
that I'm planning to hand out at FOSDEM (along with some 37c3 
leftovers), if you have read this far, feel free to ask me about 
stickers if you see me there. The print cost geht auf mein Nacken.


More information about the rb-general mailing list