How to ensure integrity and security enforcing signed unmodified RPM package?

Question

There is a way to verify files related to specific package against original RPM content:

# Verify `vsftpd` package.
rpm -V vsftpd

How to complete the chain and verify that rpm command itself hasn't been changed?

If I replace rpm by a script which always succeeds, this type of verification will never fail.

Answer 1

This turns out to be quite a difficult problem, if you limit yourself to the single system which you're trying to validate.

Fortunately, we live in the real world, where there is more than one computer!

Some possibilities for verifying the binary include:

• Using another reference system which has the same package version of RPM installed, take a hash of the binary and compare it on each system.

  For added assurance, reinstall the signed package from the repositories on the reference system before doing the comparison.

  Example:

  # yum reinstall rpm
  ...
  Complete!
  
  # rpm -q rpm
  rpm-4.11.3-17.el7.x86_64
  
  # sha256sum /usr/bin/rpm
  743810f3c3a9e5eea8ba9bc87351db6b4e8c6393018b9bb56beb873a64ae5431  /usr/bin/rpm
  

• Use a host-based intrusion detection system such as OSSEC or Tripwire to detect unexpected changes to your filesystem. This won't guarantee that your binaries are unaltered, of course, but if done properly it can give you warning that an attack is in progress.

Note that both of these fail if prelinking is in use, which is one reason why it's generally not enabled by default anymore on recent systems.

Answer 2

# rpm -K rpm-2.3-1.i386.rpm
rpm-2.3-1.i386.rpm: size pgp md5 OK

From http://www.rpm.org/max-rpm/s1-rpm-checksig-using-rpm-k.html