RHEL-84062

[RFE] Allow querying rpm checksums for installed rpms


    • Story
    • Resolution: Unresolved
    • Normal
    • rhel-10.1
    • rhel-10.0
    • rpm
    • rpm-4.19.1.1-14.el10
      • Setting the new %_pkgverify_digests macro causes newly installed packages to have their originating digest(s) (computed over the entire .rpm package file) stored in the rpmdb in the %packagedigests query tag. Example usage:

          # rpm -U --define "_pkgverify_digests 8" foo.rpm
          $ rpm -q --qf "[%{packagedigestalgos:hashalgo} %{packagedigests}\n]" foo
          SHA256 e05a5191e214b1f05ae2448ebe493e55c6313ab68eaf040b83baa80e25f15d54

      • The default value of %_pkgverify_digests is 8:10 (i.e. SHA256 and SHA512).
      • This feature works regardless of whether the package is installed via rpm directly or via dnf.
      • See the comment in /usr/lib/rpm/macros above %_pkgverify_digests for details.
    • Pass
    • Automated
    • Enhancement
      .RPM records a checksum of the original package during installation

      With this update, RPM records the SHA256 and SHA512 digests of the entire `.rpm` package during its installation. You can then retrieve these digests from the RPM database to verify that the installed package corresponds to a specific `.rpm` file. As a result, you can improve the integrity of your RHEL system by retrospectively verifying that the installed package set matches, bit-by-bit, a known set of `.rpm` packages, such as the ones available in a DNF repository.

      To print the package digests of an installed package, use the following command:

      [subs="+quotes,attributes"]
      ----
      $ *rpm -q --qf "[%{packagedigestalgos:hashalgo} %{packagedigests}\n]" _<package_name>_*
      ----

      You can also customize which digest types are recorded in the database by configuring the new `%_pkgverify_digests` macro, for example:

      ----
      %_pkgverify_digests 8:10
      ----
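As an added, runnable illustration of the verification workflow this ticket and its release note describe (not code from the rpm project or from the reporter), the script below cross-checks digests exported from the rpmdb against a `sha256sum` listing of a repository's Packages directory. It assumes the rpmdb side was exported with `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}[ %{packagedigestalgos:hashalgo}=%{packagedigests}]\n'` (the tags documented above, laid out one line per package) and embeds constructed sample data instead of reading live output.

```python
import os

def parse_rpmdb_digests(text):
    """'NEVRA ALGO=hex ...' lines (one per package, see lead-in) -> {NEVRA: {ALGO: hex}}.
    A package installed before %_pkgverify_digests took effect has no packagedigests tag, so it maps to {}."""
    digests = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            pairs = (p.split("=", 1) for p in fields[1:])
            digests[fields[0]] = {a.upper(): d.lower() for a, d in pairs}
    return digests

def parse_sha256sum(text):
    """'hex  path/NEVRA.rpm' lines from sha256sum -> {NEVRA: hex} (binary-mode '*' prefix tolerated)."""
    repo = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            name = os.path.basename(parts[1].strip().lstrip("*"))
            if name.endswith(".rpm"):
                repo[name[:-4]] = parts[0].lower()
    return repo

def verify(installed, repo, algo="SHA256"):
    """Classify each installed package: 'ok', 'MISMATCH', 'not-in-repo' or 'no-digest-recorded'."""
    report = {}
    for nevra, recorded in installed.items():
        if algo not in recorded:
            report[nevra] = "no-digest-recorded"   # cannot be verified, only flagged
        elif nevra not in repo:
            report[nevra] = "not-in-repo"          # no reference file to compare against
        else:
            report[nevra] = "ok" if recorded[algo] == repo[nevra] else "MISMATCH"
    return report

# Constructed sample input: the bash digest reuses the value quoted in this ticket; the coreutils digests are placeholders that deliberately disagree.
RPMDB_SAMPLE = (
    "bash-5.1.8-6.el9_1.x86_64 SHA256=90603777c369e7e4266971d06a7c0bc33f3493b7ddf6904a7d141abe2e7b287f\n"
    "coreutils-9.0-1.example.x86_64 SHA256=" + "ab" * 32 + "\n"
    "legacy-tool-1.0-1.example.noarch\n"
)
REPO_SAMPLE = (
    "90603777c369e7e4266971d06a7c0bc33f3493b7ddf6904a7d141abe2e7b287f  ./bash-5.1.8-6.el9_1.x86_64.rpm\n"
    + "cd" * 32 + "  ./coreutils-9.0-1.example.x86_64.rpm\n"
)

def run_sample():
    return verify(parse_rpmdb_digests(RPMDB_SAMPLE), parse_sha256sum(REPO_SAMPLE))
```

Packages that predate the macro setting show up as `no-digest-recorded`; they have to be reinstalled before this check can say anything about them.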
    • Done
    • Done
    • Done
    • Not Required
    • None

      1. Proposed title of this feature request

      Add feature to "rpm -q" function to keep track of an installation package's SHA1, MD5, and SHA256 values

      3. What is the nature and description of the request?

      We want to be able to query installed packages to check whether the SHA1, SHA256, and MD5 sums for a currently installed package match what the originally installed package had. Not for installed files, but for the rpms themselves. We want to do this without having to download the rpm. For example:

       
      #### The following is an example of a list of checksums for the RHEL 9.2 bash rpm
      $ cd /var/www/html/RHEL9.2-x86_64/BaseOS/Packages
      $ for chksum in md5sum sha1sum sha256sum;do
      > $chksum ./bash-5.1.8-6.el9_1.x86_64.rpm
      > done
      f84aec1fe6f72d235e868c41e3bb2453  ./bash-5.1.8-6.el9_1.x86_64.rpm
      e601a53f60cf83fb76cdaa83a0f1b78b99ba4d60  ./bash-5.1.8-6.el9_1.x86_64.rpm
      90603777c369e7e4266971d06a7c0bc33f3493b7ddf6904a7d141abe2e7b287f  ./bash-5.1.8-6.el9_1.x86_64.rpm
      ...
      #### I would like to be able to do something like the following to connect the two.
      $ rpm --nodigest -q bash --qf="%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{PACKAGEMD5}\n"
      bash-5.1.8-6.el9_1.x86_64       f84aec1fe6f72d235e868c41e3bb2453  
      $ rpm --nodigest -q bash --qf="%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{PACKAGESHA1}\n"
      bash-5.1.8-6.el9_1.x86_64       e601a53f60cf83fb76cdaa83a0f1b78b99ba4d60
      $ rpm --nodigest -q bash --qf="%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{PACKAGESHA256}\n"
      bash-5.1.8-6.el9_1.x86_64       90603777c369e7e4266971d06a7c0bc33f3493b7ddf6904a7d141abe2e7b287f 

       

      4. Why does the customer need this? (List the business requirements here)

      This would help us to improve the integrity of our RHEL installations. We are looking to ensure the package installation tracked in the rpmdb is consistent with its configuration in dnf repodata. The package checksum is known when the package is pulled down to be installed, and it could be added to the rpmdb to be checked with a query tag.

       

      5. How would the customer like to achieve this? (List the functional requirements here)

      • When an rpm is installed, save its checksum data to the rpmdb.
      • Add a function to rpm --query so that the checksum can be inspected after an rpm is installed.

      6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

      • Checking the first requirement probably would not be possible without the implementation of the rpm -q feature.
      • Once rpm is able to query the rpmdb to check the SHA1/SHA256/MD5 sum of installed packages, install a new rpm and then query its checksum and compare it with what we see when querying the rpm file directly.

      7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

      No

      8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?

      RHEL 9

       

      9. Is the sales team involved in this request and do they have any additional input?

      No

       

      10. List any affected packages or components.

      rpm

       

      11. Would the customer be able to assist in testing this functionality if implemented?

      Yes

              Michal Domonkos
              Kaitlin Gordon (Inactive)
              packaging-team-maint
              Jan Blazek
              Mariya Pershina