I'm working with a system that has about 2000 RPMs installed in it. Now, as per a new requirement, I need to build a new system image such that every RPM that gets installed comes with HMAC files for each binary that goes inside that RPM. Essentially, I need a mechanism to calculate the HMAC and add the files containing the HMAC, for all the binaries going into an RPM, while creating the RPM. As part of the PoC, I made the changes below to the spec of a single sample RPM, which generate the HMAC file of the binaries present in that RPM while building it.
+%define __spec_install_post
+ %{?__debug_package:%{__debug_install_post}}
+ %{__arch_install_post}
+ %{__os_install_post}
+ LD_PRELOAD=%{devfsdir}%{_libdir}/libcrypto.so %{devfsdir}/usr/bin/fipshmac $RPM_BUILD_ROOT/<binary filename>
+%{nil}
+
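Review bot: the fipshmac line names a single `$RPM_BUILD_ROOT/<binary filename>`, so it has to be repeated for every binary and kept in step with the package contents by hand; consider iterating over the executables found under "$RPM_BUILD_ROOT" instead, and quote the variable. Keeping the fipshmac call after `%{__os_install_post}` is the right order, since the digest must be taken over the final, post-processed file, and that deserves a comment in the macro. Also, as shown, the lines of the `%define __spec_install_post` body carry no trailing backslash continuations, so check that the macro really expands to all four steps.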
@@ -63,6 +73,10 @@
-----------
+/usr/bin/.<filename>.hmac
%files coverage -f coverage_filelist.txt
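Review bot: `/usr/bin/.<filename>.hmac` is listed by hand, so this entry and the fipshmac call in `__spec_install_post` can drift apart, and a binary whose HMAC file is missing from the list would be packaged without its integrity file. Consider having the post-install step write the generated `.hmac` paths to a list file and pulling it in with `%files -f`, the same way the `coverage` subpackage on the next line uses `-f coverage_filelist.txt`.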
But currently the system has about 2000 RPMs that are installed as part of the standard ISO, and changing the spec file for each individual RPM would be laborious and difficult.
Also, a little insight into how the RPMs are created and how the ISO is finally built from them: there is a build script that calls rpmbuild for each RPM individually, following a .def file that contains a graph of all the dependencies of an RPM.
Can you please suggest whether any improvement can be made without editing the individual spec files, or a mechanism that is common to all packages, something similar to Makefile.overrides, which can be used to override the Makefiles of package(s)?
My job would be done if I could pass command-line arguments to the rpmbuild command that run a script to generate the HMAC files for the binaries that will be packaged into the RPM, and that also take into account the new HMAC files generated while packaging.
[I'm pretty new to the concepts of RPM and rpmbuild, so pardon any mistakes.]