debsums2 – Extended dpkg Integrity Checking for Debian
debsums2 is an extended version of the file integrity check tool debsums. The major difference is the ability to verify md5sums online against the original Debian packages, using a partial download to minimize traffic. Verification by a third party at a remote location is also possible.
Requirements
You need python-urllib3, python-simplejson and python-apt installed. For Python below 3.3, /usr/bin/xz (package xz-utils) is required for lzma-compressed packages.
Basic usage
python debsums2.py --directory / --online --writedb
This checks your local system excluding mount points. On a typical system, a full run takes about 30 minutes and covers ~100,000 files from ~1,500 packages. Delete all .pyc files first:
find / -name \*.pyc -delete
After the run, analyze debsums2.log and look for trustlevel=0 (changed file) and trustlevel=1 (unknown file).
Result codes
.   verified online against Debian package
*   verified locally against Debian package
-   verified locally against debsums2 md5sum library
+   not verified, probably new or changed file
!   verification failed, see debsums2.log
Example 1: Single file check, offline
python debsums2.py --file /bin/bash
Example 2: Single file check, online
python debsums2.py --online --file /bin/bash
The md5sum of /bin/bash is verified against the control file of the corresponding Debian package on the Debian server.
Example 3: Full directory check with hashdb
python debsums2.py --directory=/bin --writedb
python debsums2.py --directory=/bin --writedb --online
The first run creates hashdb.json with md5sums and package information. A checksum of the hashdb itself is computed before and after the run – store that value offline for later verification.
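As an added illustration (not code from debsums2 itself), the Python sketch below shows the local side of the check described in the result codes and in Example 3: parsing a dpkg-style md5sums list, classifying each file with the `*` and `+` codes and the trustlevel the log would report, and writing a hashdb whose own checksum can be kept offline. The package name, file contents and directory layout are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_md5sums(text, package, root="/"):
    """Parse dpkg '<md5>  <path relative to />' lines into {abs_path: (md5, package)}."""
    known = {}
    for line in text.splitlines():
        digest, sep, rel = line.partition("  ")
        if sep:
            known[os.path.join(root, rel.strip())] = (digest.strip(), package)
    return known

def check_file(path, known):
    """Result code as in the table above plus the trustlevel the log would show."""
    if path not in known:
        return "+", "unknown", 1  # trustlevel=1: no package claims this file
    if md5_of_file(path) == known[path][0]:
        return "*", "verified", None  # verified locally against package md5sums
    return "+", "changed", 0  # trustlevel=0: content differs from the package

def write_hashdb(path, known):
    """Persist md5 + package per file (hashdb.json's role); return the db's own SHA-256."""
    db = {p: {"md5": m, "package": pkg} for p, (m, pkg) in known.items()}
    data = json.dumps(db, sort_keys=True).encode()
    with open(path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()

def run_demo():
    """Constructed scenario: one intact file, one tampered file, one stray file."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    shipped = {"bin/demo": b"#!/bin/sh\necho original\n", "bin/other": b"#!/bin/sh\necho ok\n"}
    # Package metadata in the format of /var/lib/dpkg/info/<pkg>.md5sums (constructed)
    md5sums = "".join(f"{hashlib.md5(d).hexdigest()}  {rel}\n" for rel, d in shipped.items())
    known = parse_md5sums(md5sums, "demo-pkg", root)
    on_disk = dict(shipped, **{"bin/demo": b"#!/bin/sh\necho tampered\n",  # modified
                               "bin/stray": b"x"})                           # owned by no package
    for rel, data in on_disk.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    results = {rel: check_file(os.path.join(root, rel), known) for rel in sorted(on_disk)}
    return results, write_hashdb(os.path.join(root, "hashdb.json"), known)
```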
Example 4: Update after apt-get upgrade
python debsums2.py --update --online
python debsums2.py --update --online --writedb
This finds removed, added and changed files, as well as updated URIs. It only makes sense on a fully crawled system.
Example 5: Verify hashdb against online packages
python debsums2.py --verify-online
For high-paranoia scenarios – this command can and should be run on a different system. Transfer the hashdb before running.