How to Extract Build Source Metadata from RPM Files Without Installation on Windows or CentOS


2 views

RPM packages contain rich metadata that can be accessed without installation. The key metadata fields include:

BuildHost: build.example.com
BuildTime: 1689345678
Vendor: Example Corporation
SourceRPM: package-1.0-1.src.rpm

On Windows, you can use these tools to examine RPM metadata:

Using 7-Zip:

7z l package.rpm | find "Build"

Using rpm2cpio (Cygwin):

rpm2cpio package.rpm | cpio -itv

On CentOS/RHEL systems, you have more powerful options:

Using rpm command:

rpm -qip package.rpm --queryformat="%{BUILDHOST}\n%{BUILDTIME}\n%{SOURCERPM}\n"

Using yum-utils:

repoquery --pkgnarrow=all --queryformat="%{buildtime} %{buildhost}" -i package.rpm

To specifically find where the package was compiled from:

rpm -qp --queryformat="%{SOURCERPM}\n" package.rpm

This returns the source RPM name which contains build information.

For comprehensive metadata analysis:

rpmdump -v package.rpm > metadata.txt
grep -E 'BuildHost|BuildTime' metadata.txt

For advanced users, you can directly read RPM headers:

od -x -N 96 package.rpm | head

This shows the lead and signature sections containing build timestamps.

Here's a complete script to extract build information:

#!/bin/bash
if [ -f "$1" ]; then
    echo "Build Host: $(rpm -qp --queryformat="%{BUILDHOST}\n" $1)"
    echo "Build Time: $(rpm -qp --queryformat="%{BUILDTIME}\n" $1 | xargs -I{} date -d @{})"
    echo "Source RPM: $(rpm -qp --queryformat="%{SOURCERPM}\n" $1)"
else
    echo "File $1 not found"
fi

RPM packages contain rich metadata that can be accessed without installation. The package header stores crucial information including:

  • Build host and timestamp
  • Source RPM name
  • Build dependencies
  • Changelog entries

On Windows, you can use these methods:


# Using 7-Zip (GUI method):
1. Right-click the .rpm file
2. Select "7-Zip" → "Open archive"
3. Look for .spec files and metadata in the archive structure

# Using Cygwin with rpm2cpio:
rpm2cpio package.rpm | cpio -t

For comprehensive metadata extraction on CentOS/RHEL:


# Basic package info
rpm -qip package.rpm

# Show changelog (contains build references)
rpm -qp --changelog package.rpm

# Extract SPEC file (contains build instructions)
rpm2cpio package.rpm | cpio -ivd '*.spec'

To trace the exact build sources:


# 1. Find the SRPM name
rpm -qp --queryformat "%{SOURCERPM}\n" package.rpm

# 2. Query build host (useful for forensic analysis)
rpm -qp --queryformat "Built on: %{BUILDHOST}\nAt: %{BUILDTIME:date}\n" package.rpm

# 3. Show all available tags (full metadata dump)
rpm -qp --querytags package.rpm

Let's examine a hypothetical httpd package:


$ rpm -qip httpd-2.4.6-90.el7.centos.x86_64.rpm
Name        : httpd
Version     : 2.4.6
Release     : 90.el7.centos
Architecture: x86_64
Build Host  : buildvm-07.phx2.fedoraproject.org
Source RPM  : httpd-2.4.6-90.el7.centos.src.rpm

The output reveals it was built in the Fedora project's build system, and the matching source RPM name is provided for further investigation.