3 # Copyright (c) 2001 Anthony Towns <ajt@debian.org>
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 2 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
# Scratch directory for the downloaded Release files and the result lists
# (MISSING, NOCHECK, BAD, OK, UNVALIDATED) that the rest of the script writes.
# The name is fixed and sits in world-writable /tmp. mkdir fails when the
# name already exists, so `|| exit 1` stops the run if something re-creates
# the path between the rm and the mkdir.
# NOTE(review): a directory obtained from `mktemp -d` would remove the
# predictable name, and the cd below is not checked for failure.
15 rm -rf /tmp/apt-release-check
16 mkdir /tmp/apt-release-check || exit 1
17 cd /tmp/apt-release-check
# Architecture string, used further down to build the binary-${arch} paths.
24 arch=`dpkg --print-installation-architecture`
# Presumably the body of get_md5sumsize (its header is on a line this listing
# omits). Takes the lines of file $1 from "MD5Sum:" through "SHA1:", splits
# each on whitespace, and for the first line whose element 3 equals $2 prints
# elements 1 and 2 (presumably digest and size), then stops.
# The name to look up travels to perl through the environment (MYARG) and is
# compared with `eq`, so it is handled as data and never becomes perl code.
# NOTE(review): only the MD5Sum section is consulted. MD5 is not collision
# resistant, so these digests are a weak integrity anchor even when the
# Release file itself is properly signed.
31 cat "$1" | awk '/^MD5Sum:/,/^SHA1:/' |
32 MYARG="$2" perl -ne '@f = split /\s+/; if ($f[3] eq $ENV{"MYARG"}) { print "$f[1] $f[2]\n"; exit(0); }'
# Presumably the body of checkit (header, FILE/LOOKUP assignments and the
# closing else/fi lines are not part of this listing).
# Y is the expected "digest size" pair for $LOOKUP, taken from the Release
# file in the current directory and whitespace-normalised for comparison.
# An empty Y means Release has no entry for that name.
39 Y="`get_md5sumsize Release "$LOOKUP"`"
40 Y="`echo "$Y" | sed 's/^ *//;s/ */ /g'`"
# Case 1: the index file is absent from apt's list cache.
42 if [ ! -e "/var/lib/apt/lists/$FILE" ]; then
43 if [ "$Y" = "" ]; then
44 # No file, but not needed anyway
48 echo "$FILE" >>MISSING
# Case 2: the file exists but Release gives nothing to compare it against.
52 if [ "$Y" = "" ]; then
53 echo "$FILE" >>NOCHECK
# Case 3: X is the actual MD5 digest and byte count of the cached file, in
# the same normalised form as Y; any difference is treated as a mismatch.
# NOTE(review): the comparison is only as trustworthy as Release. Whether an
# unverified Release is discarded before this runs is not visible here.
# NOTE(review): $FILE is unquoted in both input redirections below.
57 X="`md5sum < /var/lib/apt/lists/$FILE | cut -d\ -f1` `wc -c < /var/lib/apt/lists/$FILE`"
58 X="`echo "$X" | sed 's/^ *//;s/ */ /g'`"
59 if [ "$X" != "$Y" ]; then
69 echo "Checking sources in /etc/apt/sources.list:"
70 echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
72 (echo "You should take care to ensure that the distributions you're downloading"
73 echo "are the ones you think you are downloading, and that they are as up to"
74 echo "date as you would expect (testing and unstable should be no more than"
75 echo "two or three days out of date, stable-updates no more than a few weeks"
# Walk every entry of sources.list as: type, URL, distribution, components.
# Leading blanks are stripped first, so indented '#' lines are dropped by the
# grep as well.
80 cat /etc/apt/sources.list |
81 sed 's/^ *//' | grep '^[^#]' |
82 while read ty url dist comps; do
# Only http and ftp sources take this branch. What it contains, and what
# happens to other schemes, is on lines this listing omits; baseurl, used
# further down, is presumably derived there.
83 if [ "${url%%:*}" = "http" -o "${url%%:*}" = "ftp" ]; then
89 echo "Source: ${ty} ${url} ${dist} ${comps}"
# Fetch the top-level Release file. Both schemes are unauthenticated, so
# Release is untrusted input until the gpgv step below has accepted it.
# The lynx output is thrown away; presumably the call exists only for the
# effect of -reload on intermediate caches (confirm).
91 rm -f Release Release.gpg
92 lynx -reload -dump "${url}/dists/${dist}/Release" >/dev/null 2>&1
93 wget -q -O Release "${url}/dists/${dist}/Release"
# grep '^' matches any line, so this is true only when Release has no lines.
95 if ! grep -q '^' Release; then
96 echo " * NO TOP-LEVEL Release FILE"
# Header fields are read and printed before the signature is checked, so on
# a tampered mirror these values are attacker-chosen; they are informational.
99 origline=`sed -n 's/^Origin: *//p' Release | head -1`
100 lablline=`sed -n 's/^Label: *//p' Release | head -1`
101 suitline=`sed -n 's/^Suite: *//p' Release | head -1`
102 codeline=`sed -n 's/^Codename: *//p' Release | head -1`
103 dateline=`grep "^Date:" Release | head -1`
104 dscrline=`grep "^Description:" Release | head -1`
105 echo " o Origin: $origline/$lablline"
106 echo " o Suite: $suitline/$codeline"
# Warn when the first path component of the requested distribution matches
# neither the Suite nor the Codename that the mirror returned.
110 if [ "${dist%%/*}" != "$suitline" -a "${dist%%/*}" != "$codeline" ]; then
111 echo " * WARNING: asked for $dist, got $suitline/$codeline"
# Fetch the detached signature the same way as Release.
114 lynx -reload -dump "${url}/dists/${dist}/Release.gpg" >/dev/null 2>&1
115 wget -q -O Release.gpg "${url}/dists/${dist}/Release.gpg"
# Verify Release against Release.gpg. gpgv writes its status lines to fd 3,
# which is pointed at the pipe before stdout and stderr are discarded; sed
# keeps only the "[GNUPG:] " lines with that prefix removed. No --keyring is
# passed, so gpgv's default trusted keyring decides which signers count.
# The loop runs inside a subshell, so okay and err do not outlive it.
# NOTE(review): the assignments to okay and err are on lines this listing
# omits. Presumably okay becomes 1 only under GOODSIG; confirm that, and
# confirm that status codes with no branch here leave okay at 0.
117 gpgv --status-fd 3 Release.gpg Release 3>&1 >/dev/null 2>&1 | sed -n "s/^\[GNUPG:\] //p" | (okay=0; err=""; while read gpgcode rest; do
118 if [ "$gpgcode" = "GOODSIG" ]; then
# A non-empty err qualifies the signer line; it is presumably filled in by
# the SIGREVOKED / SIGEXPIRED branches below.
119 if [ "$err" != "" ]; then
120 echo " * Signed by ${err# } key: ${rest#* }"
122 echo " o Signed by: ${rest#* }"
126 elif [ "$gpgcode" = "BADSIG" ]; then
127 echo " * BAD SIGNATURE BY: ${rest#* }"
129 elif [ "$gpgcode" = "ERRSIG" ]; then
130 echo " * COULDN'T CHECK SIGNATURE BY KEYID: ${rest%% *}"
132 elif [ "$gpgcode" = "SIGREVOKED" ]; then
134 elif [ "$gpgcode" = "SIGEXPIRED" ]; then
# Reached after the status loop: no acceptable signature was recorded.
# NOTE(review): what is done with Release in this case is not shown. If the
# file is kept, the digest checks below read an unauthenticated Release.
138 if [ "$okay" != 1 ]; then
139 echo " * NO VALID SIGNATURE"
# Per component, check the two index files apt keeps for it. The cache file
# name is the URL path with every run of slashes replaced by an underscore.
# A component counts as okay only when both checks report OK.
144 for comp in $comps; do
145 if [ "$ty" = "deb" ]; then
146 X=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/binary-${arch}/Release" | sed 's,//*,_,g'`" "${comp}/binary-${arch}/Release")
147 Y=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/binary-${arch}/Packages" | sed 's,//*,_,g'`" "${comp}/binary-${arch}/Packages")
148 if [ "$X $Y" = "OK OK" ]; then
149 okaycomps="$okaycomps $comp"
151 echo " * PROBLEMS WITH $comp ($X, $Y)"
153 elif [ "$ty" = "deb-src" ]; then
154 X=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/source/Release" | sed 's,//*,_,g'`" "${comp}/source/Release")
155 Y=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/source/Sources" | sed 's,//*,_,g'`" "${comp}/source/Sources")
156 if [ "$X $Y" = "OK OK" ]; then
157 okaycomps="$okaycomps $comp"
159 echo " * PROBLEMS WITH component $comp ($X, $Y)"
163 [ "$okaycomps" = "" ] || echo " o Okay:$okaycomps"
# Build UNVALIDATED: names of top-level files in /var/lib/apt/lists that
# contain '_' and appear in none of the four result lists. Lines that diff
# marks with "> " exist only on the right-hand (directory) side.
173 cd /tmp/apt-release-check
174 diff <(cat BAD MISSING NOCHECK OK | sort) <(cd /var/lib/apt/lists && find . -type f -maxdepth 1 | sed 's,^\./,,g' | grep '_' | sort) | sed -n 's/^> //p' >UNVALIDATED
176 cd /tmp/apt-release-check
# Each `grep -q ^ FILE` below is true when FILE has at least one line.
177 if grep -q ^ UNVALIDATED; then
179 (echo "The following files in /var/lib/apt/lists have not been validated."
180 echo "This could turn out to be a harmless indication that this script"
181 echo "is buggy or out of date, or it could let trojaned packages get onto"
185 sed 's/^/ /' < UNVALIDATED
189 if grep -q ^ BAD; then
191 (echo "The contents of the following files in /var/lib/apt/lists does not"
192 echo "match what was expected. This may mean these sources are out of date,"
193 echo "that the archive is having problems, or that someone is actively"
194 echo "using your mirror to distribute trojans."
196 echo "The files have been renamed to have the extension .FAILED and"
197 echo "will be ignored by apt."
# Quarantine every index whose digest or size did not match by renaming it.
# NOTE(review): $a is unquoted and read has no -r, so a name containing
# whitespace, glob characters or a backslash would be mangled. Quoting both
# mv operands and using `read -r` is the safer form.
198 cat BAD | while read a; do
199 mv /var/lib/apt/lists/$a /var/lib/apt/lists/${a}.FAILED
207 if grep -q ^ MISSING; then
209 (echo "The following files from /var/lib/apt/lists were missing. This"
210 echo "may cause you to miss out on updates to some vulnerable packages."
213 sed 's/^/ /' < MISSING
217 if grep -q ^ NOCHECK; then
219 (echo "The contents of the following files in /var/lib/apt/lists could not"
220 echo "be validated due to the lack of a signed Release file, or the lack"
221 echo "of an appropriate entry in a signed Release file. This probably"
222 echo "means that the maintainers of these sources are slack, but may mean"
223 echo "these sources are being actively used to distribute trojans."
225 echo "The files have been renamed to have the extension .FAILED and"
226 echo "will be ignored by apt."
# Indexes that could not be checked are quarantined in the same way as
# mismatching ones, so an unsigned source is disabled, not silently trusted.
# NOTE(review): same unquoted $a and missing -r as in the BAD loop.
227 cat NOCHECK | while read a; do
228 mv /var/lib/apt/lists/$a /var/lib/apt/lists/${a}.FAILED
232 sed 's/^/ /' < NOCHECK
# The condition guarding this message is on a line this listing omits.
237 echo 'Everything seems okay!'
# Remove the scratch directory created at the start of the script.
241 rm -rf /tmp/apt-release-check