Fire Lancer

Reputation: 30105

rpmbuild and signed executable files

In a project I am working on, I need to generate a signature from one of my output executable (ELF) files using a private key (the signature forms one of the files in the rpm; the private key used to do this never leaves the build machine). This is currently done within my makefile as part of the "make", "make install" process, outside the rpm system.

However, it seems that when making an rpm out of this using rpmbuild, at some point after %build and %install it is further modifying my executable (it seems to be removing stuff from .strtab and .symtab for some reason). This means that later, after installing the rpm, the other software I am integrating with rejects my signature data due to the change in the executable file...

Is there some way I can stop rpmbuild from modifying my files, or at least some way to move part of my %build and %install to after it has made any such changes (so I can recreate the signature file)?

Upvotes: 2

Views: 737

Answers (2)

Jeff Johnson

Reputation: 2390

You might consider signing the buildid (which is a digest generated on ELF executables that is invariant to stripping). The signature on the buildid (which can be verified) is as secure as any other signing scheme, just a different plaintext.

Upvotes: 0
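The point of this answer is that the NT_GNU_BUILD_ID note survives stripping while the file bytes (and therefore any whole-file hash) do not. The script below is an added example, not code from the question or either answer: it parses the section header table and the .note.gnu.build-id note of an ELF64 little-endian image with nothing but the standard library, then builds two constructed toy ELF images that differ only in their .symtab contents (a stand-in for rpmbuild stripping the binary) and shows that the build-id is identical while the file hashes are not. The toy images, the build-id value and the symbol names are all constructed sample data; the extracted hex string is what you would hand to your existing signer instead of the whole file.

```python
import hashlib
import struct

NT_GNU_BUILD_ID = 3  # note type for the GNU build-id (from elf.h)


def parse_gnu_notes(blob):
    """Return (name, type, desc) triples from an ELF note section.

    Each entry is namesz, descsz, type (three 32-bit words) followed by the
    name and descriptor, each padded to a 4-byte boundary."""
    notes, off = [], 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        off += 12
        name = blob[off:off + namesz].rstrip(b"\0")
        off += (namesz + 3) & ~3
        desc = blob[off:off + descsz]
        off += (descsz + 3) & ~3
        notes.append((name, ntype, desc))
    return notes


def build_id(elf):
    """Return the GNU build-id of an ELF64 little-endian image as hex, or None."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian is handled in this example")
    (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, addralign, entsize
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", elf, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    str_off, str_size = shdrs[e_shstrndx][4], shdrs[e_shstrndx][5]
    shstrtab = elf[str_off:str_off + str_size]
    for sh_name, _sh_type, _, _, sh_offset, sh_size, *_ in shdrs:
        name = shstrtab[sh_name:shstrtab.index(b"\0", sh_name)]
        if name == b".note.gnu.build-id":
            for nname, ntype, desc in parse_gnu_notes(elf[sh_offset:sh_offset + sh_size]):
                if nname == b"GNU" and ntype == NT_GNU_BUILD_ID:
                    return desc.hex()
    return None


def make_toy_elf(build_id_bytes, symtab_bytes):
    """Constructed minimal ELF64 image (not a real binary): a build-id note plus a
    .symtab whose contents we vary to imitate stripping."""
    note = struct.pack("<III", 4, len(build_id_bytes), NT_GNU_BUILD_ID) + b"GNU\0" + build_id_bytes
    note += b"\0" * (-len(note) % 4)
    shstrtab = b"\0.note.gnu.build-id\0.symtab\0.shstrtab\0"  # name offsets 1, 20, 28
    note_off = 64
    sym_off = note_off + len(note)
    str_off = sym_off + len(symtab_bytes)
    shoff = str_off + len(shstrtab)
    shoff += -shoff % 8

    def shdr(name_idx, sh_type, off, size):
        return struct.pack("<IIQQQQIIQQ", name_idx, sh_type, 0, 0, off, size, 0, 0, 1, 0)

    shdrs = (shdr(0, 0, 0, 0)
             + shdr(1, 7, note_off, len(note))          # SHT_NOTE
             + shdr(20, 2, sym_off, len(symtab_bytes))  # SHT_SYMTAB
             + shdr(28, 3, str_off, len(shstrtab)))     # SHT_STRTAB
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # 64-bit, little-endian, v1
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3)
    body = header + note + symtab_bytes + shstrtab
    body += b"\0" * (shoff - len(body))
    return body + shdrs


# Constructed sample build-id and symbol table; these are not from any real binary.
BUILD_ID = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
UNSTRIPPED = make_toy_elf(BUILD_ID, b"main\0_start\0helper\0")
STRIPPED = make_toy_elf(BUILD_ID, b"")


def file_digest(elf):
    """Whole-file SHA-256: the plaintext the asker is effectively signing now."""
    return hashlib.sha256(elf).hexdigest()


if __name__ == "__main__":
    print("file hash stable across strip:", file_digest(UNSTRIPPED) == file_digest(STRIPPED))
    print("build-id stable across strip: ", build_id(UNSTRIPPED) == build_id(STRIPPED))
    print("value to sign:", build_id(STRIPPED))
```

On a real binary the same build_id() function works on the bytes of the file as long as it is an ELF64 little-endian image with a section header table, which is what rpmbuild leaves behind; the signer then receives the 20-byte build-id (or its hex form) rather than the file, so later verification compares against a value that %install, debuginfo extraction and strip all leave untouched.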

Etan Reisner

Reputation: 80921

If you disable -debuginfo package building I believe RPM will stop stripping binaries in packages.

You can do that by setting the %debug_package macro to %{nil}.

In an rpmmacros file ($HOME/.rpmmacros is searched by default I believe) the following line should do that.

%debug_package %{nil}

It might also be possible to do that on the command line with -D'debug_package %{nil}' but I haven't tested that.

Upvotes: 2
