Red Hat Bugzilla – Bug 126395
RFE: Facility for documenting changes to installed binaries
Last modified: 2007-11-30 17:10:45 EST
Certian utilities in common use make changes to installed files, which are reported by rpm when verifying installed files. As many administrators use the verification features of RPM for integrity checking, it would be useful if a facility for updating MD5 and SHA1 sums was provided. This would require storing the checksum from the time of installation, a checksum of a modification, and a documented reason for modiification (ie "automated prelink run - 22Feb2004") rpm could then be instructed to either not report "authorized" modifications, or to clearly indicate in a verification report when a package matches the "installed" checksum rather than the "packaged" checksum.
rpm goes beyond simple digest checks on modified files already, signatures are checked whenever headers which contain file md5 digests are read. Permitting modifications to files to be reflected in the md5 digests within a signed header weakens the security check by voiding the package signature. Use aide or tripwire instead if you want to modify file md5 digests.