Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share

I'm working with a system that has about 2000 RPMs installed. Now, as per a new requirement, I need to build a new system image with the RPMs in it such that all the RPMs that get installed must come with the HMAC files for each binary that goes inside that RPM. Essentially I need a mechanism to calculate the HMAC and add the files containing the HMAC for that file, and this is for all the binaries that go in an RPM while creating the RPM. As part of the PoC, I made the below changes to the spec of a single sample RPM, which generates the HMAC file of the binaries present in that RPM while building it.

+%define __spec_install_post 
+        %{?__debug_package:%{__debug_install_post}} 
+        %{__arch_install_post} 
+        %{__os_install_post} 
+            LD_PRELOAD=%{devfsdir}%{_libdir}/libcrypto.so %{devfsdir}/usr/bin/fipshmac $RPM_BUILD_ROOT/<binary filename> 
+%{nil}
+
 
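Review bot: the `%define __spec_install_post` body is spread over several physical lines with no trailing backslash continuations, so as pasted rpmbuild would take only the first line as the macro definition and treat `%{?__debug_package:...}`, `%{__arch_install_post}` and the `fipshmac` invocation as ordinary spec text; each line of a multi-line macro body needs a trailing `\`. The ordering itself is right: `fipshmac` runs after `%{__os_install_post}`, which is where binaries are stripped, so the HMAC covers the file as it will actually be installed. What ties this definition to one package is the hard-coded `$RPM_BUILD_ROOT/<binary filename>`; iterating over the ELF files found under `$RPM_BUILD_ROOT` instead would let the same definition be supplied once from a macros file or `-D` for every build.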
@@ -63,6 +73,10 @@
 -----------
+/usr/bin/.<filename>.hmac


 %files coverage -f coverage_filelist.txt
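Review bot: the added `/usr/bin/.<filename>.hmac` entry has to sit in the `%files` section of the same (sub)package that ships `/usr/bin/<filename>`, otherwise the binary and its HMAC can be installed or updated independently and verification fails. The `%files coverage -f coverage_filelist.txt` context line shows this spec already consumes a generated file list via `-f`; the step that creates the `.hmac` files could append both paths to such a list, which avoids hand-editing the `%files` section in every spec. Note also that the hunk header announces four added lines but only one `+` line is visible, so the excerpt is incomplete as pasted.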

But currently the system has about 2000 RPMs that are installed as part of the standard ISO, and changing the spec file for each individual RPM would be laborious and difficult.

Also, a little insight into how the RPMs are created and the ISO is finally built from them: there is a build script that calls rpmbuild for each RPM individually, following a .def file that contains a graph of all the dependencies of an RPM.

Can you please suggest whether any improvement can be done without editing the individual spec files, or a mechanism common to all, something similar to Makefile.overrides, which can be used to override the Makefiles of package(s)?

My job would be done if I could pass command line arguments to the rpmbuild command that would run a script to generate the HMAC files for the binaries that will be packaged into the RPM, and also consider the new HMAC files generated while packaging.

[I'm pretty new to the concepts of RPM and rpmbuild. So pardon any mistake.]



1 Answer

If you need a distribution that is FIPS compliant, then RHEL is the right choice. But FIPS 140-3 is quite new and distributions have just started playing with that. E.g., it is currently proposed (not accepted yet) for Fedora 34: https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents

Back to your original question: you do not need to define that macro in every SPEC file. You can put it in a file in /usr/lib/rpm/macros.d/ or pass it to rpmbuild using the -D option. But for the rest... yeah, you will need to modify each SPEC file, and it will be a lot of work.

To save you some time: you can use Mock, which allows you to rebuild a whole set of SRC.RPMs using the --chain option. And it has the -D option as well.
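Added example, not code from the question, the answer, or any distribution: a Python script that a site-wide `%__spec_install_post` override (supplied once from a macros.d file or with `-D`, as the answer suggests) could call with `$RPM_BUILD_ROOT` after `%{__os_install_post}` has stripped the binaries. It finds every ELF file under the build root, writes a `.<name>.hmac` sidecar next to it in the fipshmac naming convention, and returns the `%files` entries so they can be appended to an `-f` file list instead of being typed into each spec. The `verify()` function shows the check side, and `demo()` builds a constructed build root and shows that any change to the binary after the HMAC is taken fails verification, which is why the step must run after stripping. The HMAC key is a constructed placeholder: the real `fipshmac` uses its own fixed key, so this models the mechanism and is not a drop-in replacement.

```python
"""Generate fipshmac-style HMAC sidecar files for every ELF binary under a build root.
Added example; not code from the question, the answer, or any distribution."""
import hashlib
import hmac
import os
import tempfile

ELF_MAGIC = b"\x7fELF"

# Constructed placeholder key: the real fipshmac binary uses its own fixed key,
# so sidecars produced here are not interchangeable with ones the system verifies.
DEFAULT_KEY = os.environ.get("HMAC_EXAMPLE_KEY", "example-key-not-the-real-one").encode()


def is_elf(path):
    """True if the file starts with the ELF magic; skips scripts, data and symlinks."""
    if os.path.islink(path) or not os.path.isfile(path):
        return False
    with open(path, "rb") as f:
        return f.read(4) == ELF_MAGIC


def hmac_hex(path, key=DEFAULT_KEY):
    """HMAC-SHA256 over the whole file, streamed so large binaries need little memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def sidecar_path(path):
    """fipshmac naming convention: /usr/bin/foo -> /usr/bin/.foo.hmac"""
    directory, name = os.path.split(path)
    return os.path.join(directory, "." + name + ".hmac")


def generate(buildroot, key=DEFAULT_KEY):
    """Write a sidecar next to every ELF file under buildroot.

    Returns the %files entries (paths as they will appear on the installed
    system) for each binary and its sidecar, ready to be appended to a -f filelist.
    """
    entries = []
    for dirpath, _dirs, files in os.walk(buildroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".hmac") or not is_elf(full):
                continue
            with open(sidecar_path(full), "w") as f:
                f.write(hmac_hex(full, key) + "\n")
            rel = "/" + os.path.relpath(full, buildroot)
            entries.append(rel)
            entries.append(sidecar_path(rel))
    return sorted(entries)


def verify(path, key=DEFAULT_KEY):
    """Recompute the HMAC and compare it (constant-time) with the stored sidecar.
    Returns False when the sidecar is missing or the digest differs."""
    try:
        with open(sidecar_path(path)) as f:
            stored = f.read().strip()
    except FileNotFoundError:
        return False
    return hmac.compare_digest(stored, hmac_hex(path, key))


def demo():
    """Constructed build root: one fake ELF binary and one shell script.
    Returns (entries, verified_before_change, verified_after_change)."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    elf = os.path.join(bindir, "sample")
    with open(elf, "wb") as f:
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64)  # constructed, not a real executable
    with open(os.path.join(bindir, "helper.sh"), "w") as f:
        f.write("#!/bin/sh\necho hi\n")  # not ELF, so no sidecar is produced
    entries = generate(root)
    ok_before = verify(elf)
    with open(elf, "ab") as f:  # simulate a change after the HMAC step, e.g. a late strip
        f.write(b"\x00")
    return entries, ok_before, verify(elf)


if __name__ == "__main__":
    print(demo())
```

Called from a macro, the same script would run with `$RPM_BUILD_ROOT` as the build root and its returned entries would be written to the file list the spec consumes with `%files -f`; the shell script in the demo is deliberately present to show that only ELF objects get sidecars.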

