How to ensure integrity and security by enforcing signed, unmodified RPM packages?

This turns out to be quite a difficult problem, if you limit yourself to the single system which you're trying to validate.

Fortunately, we live in the real world, where there is more than one computer!

Some possibilities for verifying the binary include:

  • Using another reference system which has the same package version of RPM installed, take a hash of the binary and compare it on each system.

    For added assurance, reinstall the signed package from the repositories on the reference system before doing the comparison.

    Example:

    # yum reinstall rpm
    ...
    Complete!
    
    # rpm -q rpm
    rpm-4.11.3-17.el7.x86_64
    
    # sha256sum /usr/bin/rpm
    743810f3c3a9e5eea8ba9bc87351db6b4e8c6393018b9bb56beb873a64ae5431  /usr/bin/rpm
    
  • Use a host-based intrusion detection system such as OSSEC or Tripwire to detect unexpected changes to your filesystem. This won't guarantee that your binaries are unaltered, of course, but if done properly it can give you warning that an attack is in progress.

Note that both of these fail if prelinking is in use, which is one reason why it's generally not enabled by default anymore on recent systems.
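As an added example that is not part of either answer, the following POSIX shell script applies the first approach in a checkable form: a manifest of SHA-256 hashes taken on the reference system (in sha256sum output format) is verified against the files on the system under review. The function names, file trees and manifest are constructed here so it runs offline; on a real reference system the manifest would be generated from the files that `rpm -ql rpm` lists.

```shell
# Added example, not code from either answer: check files against a manifest of
# SHA-256 hashes produced on a trusted reference system (sha256sum output format).
# On the reference system, after `yum reinstall rpm`, the manifest would come from
#   rpm -ql rpm | xargs sha256sum > rpm.manifest
# and be copied over; here every path, file body and hash is constructed inline.

# verify_manifest MANIFEST ROOT: check each "hash  path" line under ROOT, print one
# status per entry (OK, MODIFIED, MISSING) and return 0 only if every entry is OK.
verify_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r expected path; do
        [ -n "$expected" ] || continue
        target="$root$path"
        if [ ! -f "$target" ]; then
            printf '%-8s %s\n' MISSING "$path"
            bad=$((bad + 1))
            continue
        fi
        actual=$(sha256sum "$target" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            printf '%-8s %s\n' OK "$path"
        else
            printf '%-8s %s\n' MODIFIED "$path"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# build_demo: constructed reference tree, target tree and manifest in a temp dir.
# The target has one untouched file, one altered file and one missing file.
build_demo() {
    work=$(mktemp -d)
    for tree in ref target; do mkdir -p "$work/$tree/usr/bin" "$work/$tree/usr/lib/rpm"; done
    printf 'rpm (constructed)\n' | tee "$work/ref/usr/bin/rpm" > "$work/target/usr/bin/rpm"
    printf 'rpmsign (constructed)\n' > "$work/ref/usr/bin/rpmsign"
    printf 'rpmsign (constructed) altered\n' > "$work/target/usr/bin/rpmsign"
    printf 'macros (constructed)\n' > "$work/ref/usr/lib/rpm/macros"
    : > "$work/rpm.manifest"
    for f in /usr/bin/rpm /usr/bin/rpmsign /usr/lib/rpm/macros; do
        printf '%s  %s\n' "$(sha256sum "$work/ref$f" | cut -d' ' -f1)" "$f" >> "$work/rpm.manifest"
    done
    echo "$work"
}

# Stand-alone run over the constructed scenario
work=$(build_demo)
verify_manifest "$work/rpm.manifest" "$work/target" || echo "integrity check FAILED"
rm -rf "$work"
```

A manifest produced this way is only as trustworthy as the reference system it came from, so it should be transferred and stored where the host under review cannot alter it.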


# rpm -K rpm-2.3-1.i386.rpm
rpm-2.3-1.i386.rpm: size pgp md5 OK

From http://www.rpm.org/max-rpm/s1-rpm-checksig-using-rpm-k.html