verify rpm package contents

[Jeff Johnson]

On May 13, 2009, at 1:41 PM, Tomasz Pala wrote:

> How to verify digest of files in rpm package (like when repackaged
> modified files)? For example I've got:
>
> ~: rpm -qplv xorg-proto-xproto-devel-7.0.14-1.i586.rpm
> -rw-r--r--    1 root    root           167477 Oct 28  2008 /usr/ 
> include/X11/keysymdef.h
> but after un-cpio there is:            167401 May 22  2008
>
> rpm --verify -p file.rpm
>
> verifies against filesystem contents not files within.
>

Repackaged files have no digest verification. The digest
carried in repackaged packages is the original digest;
but the file in the payload may have been modified or
even deleted and not present in te repackaged package payload.

You can work around by using a transaction "probe dependency".

E.g.

     mkdir -p /etc/rpm/sysinfo
     md5sum /etc/passwd | sed -e 's/\([^ ]*\) *\(.*\)/digest(\2) =  
\1/' >> /etc/rpm/sysinfo/Requirename

verifies the md5 of /etc/passwd every time rpm -Uvh is run.

hth

73 de Jeff