On Wed, Jun 12, 2019 at 02:16:27AM +0000, Young, Gregory wrote:
> I would suggest, after the build is completed, have clamav scan the sources, as part of the build section of the RPM spec. Once the RPM is built, make sure to GPG sign it and also publish your public key so GPG signature checking can be enabled. In this way, you satisfy the AV scan requirement on the package contents before packaging, and you sign the package during build to help ensure it hasn't been tampered with post build.

You can use 'cpio' to extract the payload of an RPM; e.g.:

  rpm2cpio commons-lang3-3.3.2-1.x86_64.rpm | cpio -idmv

That won't dump out scriptlets, triggers, etc. That's an additional set of steps:

  rpm -q --scripts -p commons-lang3-3.3.2-1.x86_64.rpm
  rpm -q --triggers -p commons-lang3-3.3.2-1.x86_64.rpm
  rpm -q --queryformat "%{PRETRANS}" -p commons-lang3-3.3.2-1.x86_64.rpm
  rpm -q --queryformat "%{POSTTRANS}" -p commons-lang3-3.3.2-1.x86_64.rpm

> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://lists.centos.org/mailman/listinfo/centos-devel

-- 
Brian Reichert <reichert at numachi.com>
BSD admin/developer at large
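The two halves of the thread above (sign the package and scan its contents; the payload alone misses the scriptlets) fit together as one post-build check. The script below is an added example, not code from either poster or from the CentOS project: it verifies the package signature before touching anything else, unpacks the payload into a work directory, dumps the scriptlets, triggers and the %pretrans/%posttrans bodies to files, and hands payload and scriptlets to clamscan together. It assumes rpm, rpm2cpio, GNU cpio (for --no-absolute-filenames) and clamscan are on PATH, that the signing public key has already been imported with rpm --import, and the exit codes (2 bad arguments, 3 signature failure, 4 clamscan hit, 5 tool error) are this example's own convention.

```shell
#!/bin/sh
# inspect_rpm PKG.rpm WORKDIR
# Added example for the thread above; not from the original posters.
# Assumes: rpm, rpm2cpio, GNU cpio, clamscan on PATH; signing key already
# imported (rpm --import KEY). Exit codes are this script's own convention:
#   0 clean, 2 bad arguments, 3 signature check failed, 4 clamscan found
#   something (clamscan exit 1), 5 extraction or scanner error.
inspect_rpm() {
    pkg=$1
    work=$2
    if [ -z "$pkg" ] || [ -z "$work" ]; then
        echo "usage: inspect_rpm PKG.rpm WORKDIR" >&2
        return 2
    fi
    if [ ! -f "$pkg" ]; then
        echo "inspect_rpm: no such file: $pkg" >&2
        return 2
    fi
    mkdir -p "$work/payload" "$work/scripts" || return 2

    # 1. Signature first. Nothing below should run on an unverified package:
    #    rpm2cpio and the cpio extraction parse attacker-controlled data.
    #    rpm -K exits non-zero for a bad signature or an unknown (NOKEY) key.
    if ! rpm -K "$pkg" >"$work/checksig.txt" 2>&1; then
        echo "inspect_rpm: signature check failed for $pkg:" >&2
        cat "$work/checksig.txt" >&2
        return 3
    fi

    # 2. Payload. Write the cpio stream to a file so rpm2cpio's exit status
    #    is visible, then extract under WORKDIR/payload only:
    #    --no-absolute-filenames (GNU cpio) stops a hostile archive member
    #    such as /etc/cron.d/x from landing outside the work directory.
    rpm2cpio "$pkg" >"$work/payload.cpio" || return 5
    ( cd "$work/payload" &&
      cpio -idm --quiet --no-absolute-filenames <../payload.cpio ) || return 5

    # 3. Scriptlets. These never appear in the payload, so they are dumped
    #    separately. --scripts covers %pre/%post/%preun/%postun; %pretrans
    #    and %posttrans are pulled out by tag as in the thread above, and
    #    --triggers covers trigger scriptlets. Absent tags print "(none)".
    rpm -qp --scripts "$pkg" >"$work/scripts/scriptlets.txt" || return 5
    rpm -qp --triggers "$pkg" >"$work/scripts/triggers.txt" || return 5
    rpm -qp --queryformat '%{PRETRANS}\n' "$pkg" >"$work/scripts/pretrans.sh" || return 5
    rpm -qp --queryformat '%{POSTTRANS}\n' "$pkg" >"$work/scripts/posttrans.sh" || return 5

    # 4. AV scan of both trees. clamscan exits 0 clean, 1 infected, 2 error.
    clamscan --recursive --infected "$work/payload" "$work/scripts"
    case $? in
        0) echo "inspect_rpm: $pkg clean (signature OK, payload and scriptlets scanned)"
           return 0 ;;
        1) echo "inspect_rpm: clamscan flagged content in $pkg" >&2
           return 4 ;;
        *) echo "inspect_rpm: clamscan error" >&2
           return 5 ;;
    esac
}

# Run as a script: sh inspect_rpm.sh commons-lang3-3.3.2-1.x86_64.rpm /tmp/inspect
if [ "$#" -ge 2 ]; then
    inspect_rpm "$1" "$2"
fi
```

Run it from the build job after rpmbuild and rpmsign, and fail the job on any non-zero exit; the scriptlet files under WORKDIR/scripts are also the ones to eyeball by hand, since a scriptlet that does something unwanted is a shell script clamav has no signature for.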