Hi,

visit https://www.virustotal.com/ and scan your RPM. You will get a list of virus scan software that supports RPMs.

We use Sophos AV for Linux, used via MailScanner <https://www.mailscanner.info/>.

https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/9418/scan-linux-package-files

thanks
--
Thomas Stephen Lee

On Wed, Jun 12, 2019 at 7:54 AM Mihai Moldovan <ionic at ionic.de> wrote:
> * On 6/12/19 4:16 AM, Young, Gregory wrote:
> > I would suggest, after the build is completed, have clamav scan the
> > sources, as part of the build section of the RPM spec. Once the RPM is
> > built, make sure to GPG sign it and also publish your public key so GPG
> > signature checking can be enabled. In this way, you satisfy the AV scan
> > requirement on the package contents before packaging, and you sign the
> > package during build to help ensure it hasn't been tampered with post build.
>
> That implies that virus scanners are able to detect malicious source code, which
> doesn't seem likely, since they mostly look for binary patterns (notwithstanding
> stuff like VBScript) and that the build machine was not itself infected and
> spews out malicious binaries for clean source code.
>
> Doesn't sound like a good way to go to me.
>
> > Obviously, you need to go through all the rigmarole to ensure signature
> > checking is enabled on the destination devices, and that your key is
> > imported and trusted (and you will want to sign your repo if you use one as
> > well, and enable repo signature checking), and also ensure that unsigned
> > RPMs cannot be installed.
>
> Together with signing you could however transfer the RPM file to a trusted
> scanning box, check the signature, unpack the file (rpm2cpio ... | cpio
> --extract --make-directories) into a staging directory and use clamav's manual
> scanner on that staging directory. This can easily be done on a CentOS box with
> EPEL packages and a bit of automation scripts. That approach also assumes that
> you have a "trusted scanning box", but all this snake oil expects a trusted
> something at some point in the chain.
>
> Mihai
>
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://lists.centos.org/mailman/listinfo/centos-devel
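The verify, unpack and scan pipeline Mihai sketches above (check the GPG signature, `rpm2cpio ... | cpio --extract --make-directories` into a staging directory, then run clamav's on-demand scanner over it), written out as an added example that is not from the thread or from any of its authors. It assumes `rpm`, `rpm2cpio`, `cpio` and `clamscan` are installed on the scanning host and that the packager's public key has already been imported with `rpm --import`; the exit-status and output conventions it relies on are clamscan's documented 0/1/2 status codes and the `digests signatures OK` line printed by `rpm -K`.

```sh
#!/bin/sh
# Added example, not from the thread: verify, unpack and scan one RPM on a
# dedicated scanning host, following the steps described in the mail above.
# Assumptions: rpm, rpm2cpio, cpio and clamscan (EPEL's clamav package) are
# installed, and the packager's public key was imported with `rpm --import`.

# clamscan's documented exit status: 0 = no threat found, 1 = threat found,
# 2 = an error occurred (unreadable file, missing signature database, ...).
clamscan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# `rpm -K` (same as --checksig) prints "digests signatures OK" only when the
# package carries a GPG signature that verified against an imported key. An
# unsigned package prints just "digests OK"; a bad or unknown signature is
# reported in upper case ("SIGNATURES NOT OK") with a non-zero exit status.
# Accept only the fully verified form, so unsigned packages are rejected too.
signature_verified() {
    case "$1" in
        *"signatures OK"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the signature, extract into a fresh staging directory, scan it, and
# clean up. Returns clamscan's status (0 clean, 1 infected, 2 error) or 3 when
# the signature check failed, so the caller can refuse to publish the package.
scan_rpm() {
    pkg=$1
    # cpio extracts into the current directory, so make the package path
    # absolute before changing into the staging directory.
    case "$pkg" in
        /*) ;;
        *) pkg="$PWD/$pkg" ;;
    esac

    checksig=$(rpm -K "$pkg" 2>&1) || { printf '%s\n' "$checksig" >&2; return 3; }
    signature_verified "$checksig" || { echo "$pkg: not GPG signed, refusing to scan" >&2; return 3; }

    staging=$(mktemp -d) || return 2
    if ! (cd "$staging" && rpm2cpio "$pkg" | cpio --extract --make-directories --quiet); then
        rm -rf "$staging"
        return 2
    fi

    rc=0
    clamscan --recursive --infected "$staging" || rc=$?
    rm -rf "$staging"
    echo "$pkg: $(clamscan_verdict "$rc")"
    return "$rc"
}

# Usage: scan_rpm /path/to/package.rpm
```

Refusing packages that only report `digests OK` is the point of the signature gate: a digest proves the file was not corrupted in transit, but only a verified GPG signature ties it to the key you chose to trust, which is what makes the "trusted scanning box" worth anything.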