Tor preferences and auto updates

I power down the machine after each use.

After I powerup on several occasions I get update messages like, “The following files failed the verification process: /boot/grub/grub.cfg This could be a compromise! Would you like to udate your check sums now?”

I perform Update check sums on the menue - Of course… I want to continue using the mini.

I then get an error on boot, “Error boot entry has changed”
“The list of boot entries has changed” “Please set a new default”
I select the first option and continue with the boot
Everything looks ok.

Just how do I know I have not compromised the machine?

Additionally, I have installed Tor. I have selected to automatically download and update the software through using the preferences menue of the browser… is this an error, was I too trusting? Can someone highjack the browser and gain access to the OS?

Am I compounding errors?

“Confidence is high” - Fail Safe

To make a decision about these messages you need to become aware of which system changes might lead to them. If your machine is not compromised (you need to know yourself how probable that is and which attack profile you’d likely be a target off) these messages most probably are the consequence of updates or changes you made to your configuration.

You can learn about this if you try to find the reason for each of your messages for a while - which probably is time-consuming, but if you really want to protect yourself on the level that pureboot could offer to you, you need to understand what’s going on technically.

A good start are logfiles in /var/log/apt/. There you’ll find (hopefully - don’t know about packagekit) information about packages that changed. If there are packages like linux-image…, initramfs…, dracut… or grub… mentioned you probably found the reason and be able to trace back the changed file to a newly gernerated initrd-file or updated grub-default or something like that.

The think you’re asking about is called “supply chain attack” : if you’re not producing yourself what you’re using you need to trust the supplier and its security measures.

When updating your PureOS using prebuild packages you trust Purism that they didn’t let slip in some malicious code and that they didn’t provide malicious code on purpose.

Same applies to the people offering tor: If you use their software, you need to trust them and their security measures protecting their source code and build process. Or read their source code, compile it yourself and then use it.

Packagekit uses plugins for apt to do it’s work so they should also show up at: /var/log/apt/.

But yes, updates that alter any file in the /boot partition can trigger that warning (grub, kernel updates, etc), which is why it is wise to keep track of what updates are made.

while old, this post might add some info: Pureboot and PureOS kernel update to 4.19.0-12