Home / ubuntu / Questions / 642665
Accepted
LiveWireBT
Asked: 2015-07-01 02:20:10 +0800 CST

How to inspect and validate a deb package before installation?

  • 772

I want to know as much as possible about a .deb package before I install it. There is a significant amount of metadata generated during regular package building and I know that there are also signed packages like the ones from the distribution repositories.

This is not the answer I'm looking for. Of course I can open the package with file-roller and find the build date this way, but I want to go beyond that. I think of something comparable to how you check TLS certificates in Firefox.

Key questions:

  • When was the package built?
  • If possible by whom or where was the package built?
  • What are the dependencies? (Link to good answer for completeness.)
  • Is the package signed?
    • Who or what signed it?

Regarding the last point, I know about .dsc files, though these are usually not offered on 3rd party sites. (May be we should raise awareness here so that this will change in the future.)

You can use google-chrome as an example for 3rd party packages.

package-management

5 Answers

  1. Use this:

    dpkg-deb --info <deb file>

    Prefer to use apt if you need them to be signed.

    • 24
  2. Best Answer

    Normal deb files do not contain all data you need, except that you can get by dpkg-deb --info or look into DEBIAN/control file.

    You can have dsc files with this data, if you download from launchpad or official repositories.

    Deb files are not signed by default. General recommendation is not to install deb packages from sites you do not trust.

    There are no special security instruments in Debian packages.

    • 12

  3. All you should need is

    dpkg -I package.deb

    Here is sample out put of a package named hostapd_2.1-0ubuntu1.2_amd64.deb on my PC

     ~$ dpkg -I '/home/mark/hostapd_2.1-0ubuntu1.2_amd64.deb' 
 new debian package, version 2.0.
 size 422472 bytes: control archive=2619 bytes.
      66 bytes,     3 lines      conffiles            
    1537 bytes,    31 lines      control              
    1085 bytes,    15 lines      md5sums              
    1375 bytes,    53 lines   *  postinst             #!/bin/sh
     359 bytes,    14 lines   *  postrm               #!/bin/sh
     570 bytes,    30 lines   *  preinst              #!/bin/sh
     204 bytes,     7 lines   *  prerm                #!/bin/sh
 Package: hostapd
 Source: wpa (2.1-0ubuntu1.2)
 Version: 1:2.1-0ubuntu1.2
 Architecture: amd64
 Maintainer: Ubuntu Developers <[email protected]>
 Installed-Size: 1219
 Depends: libc6 (>= 2.15), libnl-3-200 (>= 3.2.7), libnl-genl-3-200 (>= 3.2.7), libssl1.0.0 (>= 1.0.1), lsb-base (>= 3.2-13), initscripts (>= 2.88dsf-13.3)
 Section: net
 Priority: optional
 Multi-Arch: foreign
 Homepage: http://w1.fi/wpa_supplicant/
 Description: user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator
  Originally, hostapd was an optional user space component for Host AP
  driver. It adds more features to the basic IEEE 802.11 management
  included in the kernel driver: using external RADIUS authentication
  server for MAC address based access control, IEEE 802.1X Authenticator
  and dynamic WEP keying, RADIUS accounting, WPA/WPA2 (IEEE 802.11i/RSN)
  Authenticator and dynamic TKIP/CCMP keying.
  .
  The current version includes support for other drivers, an integrated
  EAP authenticator (i.e., allow full authentication without requiring
  an external RADIUS authentication server), and RADIUS authentication
  server for EAP authentication.
  .
  hostapd works with the following drivers:
  .
   * mac80211 based drivers with support for master mode [linux]
   * Host AP driver for Prism2/2.5/3 [linux]
   * Driver interface for FreeBSD net80211 layer [kfreebsd]
   * Any wired Ethernet driver for wired IEEE 802.1X authentication.
 Original-Maintainer: Debian/Ubuntu wpasupplicant Maintainers <[email protected]>

    And another at random called pulseaudio_6.0-90-g75dd2-1_amd64.deb

    ~$ dpkg -I '/home/mark/pulseaudio/pulseaudio_6.0-90-g75dd2-1_amd64.deb' 
 new debian package, version 2.0.
 size 1421422 bytes: control archive=314 bytes.
       0 bytes,     0 lines      conffiles            
     222 bytes,     9 lines      control              
 Package: pulseaudio
 Priority: extra
 Section: checkinstall
 Installed-Size: 8144
 Maintainer: root@Ubuntu
 Architecture: amd64
 Version: 6.0-90-g75dd2-1
 Provides: pulseaudio
 Description: Package created with checkinstall 1.6.2
    • 7

  4. For packages available through configured repositories, try:

    apt-cache show <package-name>

    You'll get a lot of metadata (Maintainer, Original Maintainer, Depends, MD5) but maybe not all you're looking for.

    • 3

  5. I want to give a GUI based desktop user friendly solution. I am using Ubuntu Mate 18.04

    1. Double click the .deb file. It Will open in Gdebi. If it is not already installed you can install Gdebi using sudo apt-get install gdebi.

      enter image description here

    2. When you Double click the .deb file, you can find the Package Name, Dependencies, Which Files it will install and where and much more.

    3. If you decide to install the package use Install Package

    • 2