How to Inspect and Extract RPM Package Contents

Learn how to inspect and extract RPM package contents using various tools like rpm, rpm2cpio, and repoquery. Discover detailed examples and best practices for managing RPM packages.

🔈Introduction

RPM (Red Hat Package Manager) is a powerful package management system used by many Linux distributions, such as Red Hat, CentOS, Fedora, and others. It allows for efficient installation, upgrading, and removal of software packages. However, at times, you may need to inspect the contents of an RPM package or extract its files without installing it. Whether you’re troubleshooting, inspecting a package before installation, or simply curious about what’s inside, knowing how to inspect and extract RPM package contents is an essential skill for system administrators, DevOps engineers, and developers.

In this post, we’ll dive into the various methods and tools you can use to inspect and extract RPM package contents efficiently. From command-line interface (CLI) examples to using graphical tools, we’ll cover the key techniques for RPM package inspection and extraction.


🤔What is an RPM Package?

RPM stands for Red Hat Package Manager and is used by distributions based on Red Hat Linux, such as RHEL (Red Hat Enterprise Linux), CentOS, Fedora, and others. An RPM package contains precompiled software, along with metadata about the software, such as dependencies, installation instructions, and file locations.

The primary goal of the RPM package is to simplify the installation and maintenance of software. RPM packages can contain applications, libraries, configuration files, documentation, and more.


Why Inspect an RPM Package?

Before installing an RPM package, you might want to inspect it for several reasons:

  • Security concerns: Ensure the software doesn’t contain vulnerabilities.
  • Dependency resolution: Check which libraries or software dependencies are required for the package.
  • File inspection: Verify the contents of the package, like configuration files or executables.
  • Package integrity: Ensure that the package is intact and hasn’t been tampered with.

Inspecting and extracting RPM packages without installing them is a best practice, especially in production environments.


🔍Inspecting RPM Package Contents Using CLI

Using the rpm Command

The rpm command is the default tool for managing RPM packages. You can use it to inspect the contents of a package, query installed RPM packages, and even verify their integrity.

Querying Package Information

To display detailed information about an installed RPM package:

				
					rpm -qi <package-name>
				
			

Example:

				
					rpm -qi gedit
				
			
				
					Name        : gedit
Epoch       : 2
Version     : 40.0
Release     : 6.el9
Architecture: x86_64
Install Date: Sat 10 Sep 2022 03:37:41 PM EDT
Group       : Unspecified
Size        : 14123775
License     : GPLv2+ and GFDL
Signature   : RSA/SHA256, Tue 10 Aug 2021 07:13:51 PM EDT, Key ID 05b555b38483c65d
Source RPM  : gedit-40.0-6.el9.src.rpm
Build Date  : Mon 09 Aug 2021 05:06:00 PM EDT
Build Host  : x86-06.stream.rdu2.redhat.com
Packager    : builder@centos.org
Vendor      : CentOS
URL         : https://wiki.gnome.org/Apps/Gedit
Summary     : Text editor for the GNOME desktop
Description :
gedit is a small, but powerful text editor designed specifically for
the GNOME desktop. It has most standard text editor functions and fully
supports international text in Unicode. Advanced features include syntax
highlighting and automatic indentation of source code, printing and editing
of multiple documents in one window.

gedit is extensible through a plugin system, which currently includes
support for spell checking, comparing files, viewing CVS ChangeLogs, and
adjusting indentation levels. Further plugins can be found in the
gedit-plugins package.
				
			

This will display information like the version, release, description, and other metadata about the package.

List Files in an RPM Package

To list the files contained in a specific RPM package:

				
					rpm -ql <package-name>
				
			

Example:

				
					rpm -ql gedit
				
			
				
					/usr/bin/gedit
/usr/lib/.build-id
/usr/lib/.build-id/0f
/usr/lib/.build-id/0f/d18034e5975cbb881509c3e720237ad91c766a
/usr/lib/.build-id/16
/usr/lib/.build-id/16/12e896d17adb93c871c4c9bf451b76c4e29f22
/usr/lib/.build-id/20
/usr/lib/.build-id/20/103901b8e0236ece36021758974f432bfbd494
/usr/lib/.build-id/36
/usr/lib/.build-id/36/ca9d851566062746a5fc2569abbf0f70a02e31
/usr/lib/.build-id/42
/usr/lib/.build-id/42/e598027b9debf97a04f2ee6043627303bdb628
/usr/lib/.build-id/49
/usr/lib/.build-id/49/cfb30496746a47d558f6d361e4890198d1b44f
/usr/lib/.build-id/7a
/usr/lib/.build-id/7a/f6c81359efb456c1ae2ff8787c412d1c1832d7
/usr/lib/.build-id/dd
/usr/lib/.build-id/dd/557d8e22b69d26f88895095d8c7f87fec32488
/usr/lib/.build-id/f8
/usr/lib/.build-id/f8/89db879770806872cd7fd7517988c283c2016c
/usr/lib64/gedit
/usr/lib64/gedit/girepository-1.0
/usr/lib64/gedit/girepository-1.0/Gedit-3.0.typelib
/usr/lib64/gedit/libgedit-40.0.so
...omitted for brevity...
				
			

This will show you a list of files that are installed on your system by the gedit package.

Display Package File Details

If you have a downloaded RPM file and want to inspect it without installing, you can query it using:

				
					rpm -qpi <package-file.rpm>
				
			

Example:

				
					rpm -qpi httpd-2.4.62-4.el9.x86_64.rpm
				
			

This will show package metadata like name, version, release, and architecture.

Using the repoquery Command

repoquery is a part of the yum-utils or dnf-utils package, and it’s specifically designed to query repositories for package details. To list the files in a package from a repository:

				
					repoquery -l <package-name>
				
			

Example:

				
					repoquery -l httpd
				
			

This command will show you a list of files in the repository’s httpd package without installing it.

Using the rpm2cpio Command

rpm2cpio is a useful tool to convert an RPM package into a cpio archive, which you can then extract to see the contents. To convert an RPM file to a cpio archive:

				
					rpm2cpio <package-file.rpm> | cpio -idmv
				
			

Example:

				
					rpm2cpio httpd-2.4.62-4.el9.x86_64.rpm | cpio -idmv
				
			
				
					./etc/httpd/conf.modules.d/00-brotli.conf
./etc/httpd/conf.modules.d/00-systemd.conf
./usr/lib/.build-id
./usr/lib/.build-id/40
./usr/lib/.build-id/40/4230e3a41d09cff09520ff9090ead0f35a5dad
./usr/lib/.build-id/e5
./usr/lib/.build-id/e5/f19e0a51490e803dee7c5144d3e80a7da4f756
./usr/lib/systemd/system/htcacheclean.service
./usr/lib/systemd/system/httpd.service
./usr/lib/systemd/system/httpd.socket
./usr/lib/systemd/system/httpd@.service
./usr/lib64/httpd/modules/mod_brotli.so
./usr/lib64/httpd/modules/mod_systemd.so
./usr/share/man/man5/httpd.conf.5.gz
./usr/share/man/man8/apachectl.8.gz
./usr/share/man/man8/fcgistarter.8.gz
./usr/share/man/man8/htcacheclean.8.gz
./usr/share/man/man8/htcacheclean.service.8.gz
./usr/share/man/man8/httpd.8.gz
./usr/share/man/man8/httpd.service.8.gz
./usr/share/man/man8/httpd.socket.8.gz
./usr/share/man/man8/httpd@.service.8.gz
./usr/share/man/man8/rotatelogs.8.gz
./usr/share/man/man8/suexec.8.gz
127 blocks
				
			

This will extract the contents of the RPM package into your current directory, preserving the file structure.


Extracting RPM Package Files

Extracting with rpm2cpio and cpio

As shown in the previous section, you can extract the contents of an RPM package using the rpm2cpio and cpio commands.

Here’s a step-by-step guide to extracting an RPM package:

  1. Convert the RPM file into a cpio archive using rpm2cpio.

  2. Use cpio to extract the contents of the archive.


Understanding the cpio Command Options:

  • -i: Extract files.
  • -d: Create directories as needed.
  • -m: Preserve modification times.
  • -v: Provide verbose output.

Extracting with GUI Tools

If you prefer using a graphical interface, you can use tools like Ark (on KDE) or File Roller (on GNOME) to extract RPM package files.

  • Open the RPM file with the GUI tool.
  • Extract the files to a chosen location.

These GUI tools work similarly to archive managers like tar or zip extractors.


Verifying Package Integrity

It’s crucial to verify the integrity of an RPM package, especially for security reasons. You can use the rpm command to verify if an RPM package is installed correctly and if all files match their expected hashes.

Verify Installed Package Files

				
					rpm -V <package-name>
				
			

Example (the -p option tells rpm to verify against a package file rather than an installed package name):

				
					rpm -Vp httpd-2.4.62-4.el9.x86_64.rpm
				
			
				
					Unsatisfied dependencies for httpd-2.4.62-4.el9.x86_64:
	httpd-core = 0:2.4.62-4.el9 is needed by httpd-2.4.62-4.el9.x86_64
	system-logos-httpd is needed by httpd-2.4.62-4.el9.x86_64
missing   c /etc/httpd/conf.modules.d/00-brotli.conf
missing   c /etc/httpd/conf.modules.d/00-systemd.conf
missing   a /usr/lib/.build-id/40/4230e3a41d09cff09520ff9090ead0f35a5dad
missing   a /usr/lib/.build-id/e5/f19e0a51490e803dee7c5144d3e80a7da4f756
missing     /usr/lib/systemd/system/htcacheclean.service
missing     /usr/lib/systemd/system/httpd.service
missing     /usr/lib/systemd/system/httpd.socket
missing     /usr/lib/systemd/system/httpd@.service
missing     /usr/lib64/httpd/modules/mod_brotli.so
missing     /usr/lib64/httpd/modules/mod_systemd.so
missing   d /usr/share/man/man5/httpd.conf.5.gz
missing   d /usr/share/man/man8/apachectl.8.gz
missing   d /usr/share/man/man8/fcgistarter.8.gz
missing   d /usr/share/man/man8/htcacheclean.8.gz
missing   d /usr/share/man/man8/htcacheclean.service.8.gz
missing   d /usr/share/man/man8/httpd.8.gz
missing   d /usr/share/man/man8/httpd.service.8.gz
missing   d /usr/share/man/man8/httpd.socket.8.gz
missing   d /usr/share/man/man8/httpd@.service.8.gz
missing   d /usr/share/man/man8/rotatelogs.8.gz
missing   d /usr/share/man/man8/suexec.8.gz
				
			

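This checks the files on the system against the metadata recorded for the httpd package and reports any mismatches, such as file corruption or missing files. In the output above, every file is reported as missing and the dependencies as unsatisfied, which is what rpm prints when the package is not installed on the system.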
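
When a package is installed, rpm -V prints one line per file that differs, and which flags differ decides whether the line needs attention. The filter below is an added example, not part of the original post; the function names, severity labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `rpm -V` / `rpm -Va` output read from stdin.
# A changed file is printed as nine flag characters (S size, M mode,
# 5 digest, D device, L symlink, U user, G group, T mtime, P capabilities;
# "." = test passed, "?" = test not performed), an optional attribute
# marker (c = %config, d = %doc, g = %ghost), then the path.
# A file that is absent is printed as "missing" in place of the flags.
triage_rpm_verify() {
    awk '
    $1 == "missing" || (length($1) == 9 && $1 ~ /^[.?SM5DLUGTP]+$/) {
        slash = index($0, "/")
        if (slash == 0) next
        path = substr($0, slash)            # keeps paths with spaces intact
        attr = ($2 ~ /^[a-z]$/) ? $2 : "-"
        if ($1 == "missing")
            level = (attr == "d") ? "INFO" : "MISSING"
        else if (attr == "c" || attr == "g")
            level = "CONFIG"                # usually a local configuration edit
        else if ($1 ~ /[5MUGP]/)
            level = "ALERT"                 # content, mode, owner or capabilities differ
        else
            level = "INFO"                  # remaining differences, e.g. mtime only
        print level "\t" $1 "\t" path
    }'
}

# Constructed sample output (not captured from a real host).
sample_verify_output() {
    cat <<'EOF'
Unsatisfied dependencies for httpd-2.4.62-4.el9.x86_64:
    system-logos-httpd is needed by httpd-2.4.62-4.el9.x86_64
S.5....T.  c /etc/httpd/conf.modules.d/00-brotli.conf
..5....T.    /usr/lib64/httpd/modules/mod_brotli.so
.M.......    /usr/lib64/httpd/modules/mod_systemd.so
missing   d /usr/share/man/man8/httpd.8.gz
missing     /usr/lib/systemd/system/httpd.service
EOF
}

sample_verify_output | triage_rpm_verify
```

On a real host, feed it live output with `rpm -Va | triage_rpm_verify`. An ALERT on a binary or library means the file no longer matches what the package shipped and should be compared against a fresh copy of the package.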


✅Best Practices for RPM Inspection

Keep the following practices in mind when inspecting RPM packages:

  • Use rpm2cpio for inspection: If you’re unsure whether a package will break your system, use rpm2cpio to extract the package in a temporary directory. This way, you can inspect its contents without actually installing it.
  • Regular package verification: Periodically verify the integrity of installed RPM packages with the rpm -V command to detect any issues.
  • Check dependencies before installation: Use rpm -qpR to list dependencies before installing a package to avoid potential conflicts or issues.
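
The practices above can be combined into a single pre-install pass over a downloaded package file. The script below is an added example, not part of the original post: it also runs rpm -K (digest and signature check) and rpm -qp --scripts, because rpm2cpio extracts only the file payload and does not show the scriptlets that run as root during installation. The function names, labels and sample file list are constructed.

```shell
#!/bin/sh
# Added example: pre-install triage of a downloaded RPM file.

# Reads "perms owner path" lines and prints the entries worth a closer look:
# setuid/setgid files and files that are picked up automatically
# (systemd units, cron and sudoers drop-ins).
flag_risky_files() {
    awk 'index($0, "/") == 0 { next }
    {
        path = substr($0, index($0, "/"))
        if ($1 ~ /^-..[sS]/)    print "SETUID\t" $2 "\t" path
        if ($1 ~ /^-.....[sS]/) print "SETGID\t" $2 "\t" path
        if (path ~ /^\/(etc\/(cron|sudoers)|usr\/lib\/systemd\/system\/)/) print "AUTORUN\t" $2 "\t" path
    }'
}

inspect_rpm() {
    pkg=$1
    [ -f "$pkg" ] || { echo "no such file: $pkg" >&2; return 2; }
    rpm -K "$pkg" || echo "WARNING: digest/signature check failed" >&2
    rpm -qpR "$pkg"                       # dependencies
    rpm -qp --scripts "$pkg"              # scriptlets that run as root at install time
    rpm -qp --qf '[%{FILEMODES:perms} %{FILEUSERNAME} %{FILENAMES}\n]' "$pkg" |
        flag_risky_files
    dest=$(mktemp -d) || return 1         # throwaway directory for the extracted tree
    rpm2cpio "$pkg" | (cd "$dest" && cpio -idm) && echo "extracted to $dest"
}

# Constructed file list (hypothetical package, not real rpm output).
sample_file_list() {
    cat <<'EOF'
-rwxr-xr-x root /usr/bin/example
-rwsr-xr-x root /usr/libexec/example/helper
-rwxr-sr-x root /usr/libexec/example/spool-writer
-rw-r--r-- root /usr/lib/systemd/system/example.service
-rw-r--r-- root /etc/example/example.conf
EOF
}

if [ $# -gt 0 ]; then inspect_rpm "$1"; else sample_file_list | flag_risky_files; fi
```

Run it with the package file as its only argument; without an argument it prints the triage of the constructed sample list.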

📌Conclusion

Inspecting and extracting RPM package contents can help you maintain better control over the software you install on your system. By using tools like rpm, repoquery, rpm2cpio, and graphical interfaces, you can easily query package metadata, list files, and extract RPM package contents for further inspection.

These methods help system administrators, developers, and security professionals ensure the integrity and compatibility of packages before installation, making your system more secure and reliable.
