How to Extract Build Source Metadata from RPM Files Without Installation on Windows or CentOS



RPM packages contain rich metadata that can be accessed without installation. The key metadata fields include:

BuildHost: build.example.com
BuildTime: 1689345678
Vendor: Example Corporation
SourceRPM: package-1.0-1.src.rpm

On Windows, you can use these tools to examine RPM metadata:

Using 7-Zip:

7z l package.rpm | find "Build"

Using rpm2cpio (Cygwin):

rpm2cpio package.rpm | cpio -itv

On CentOS/RHEL systems, you have more powerful options:

Using rpm command:

rpm -qp --queryformat="%{BUILDHOST}\n%{BUILDTIME}\n%{SOURCERPM}\n" package.rpm

Using yum-utils:

repoquery --pkgnarrow=all --queryformat="%{buildtime} %{buildhost}" -i package.rpm

To specifically find where the package was compiled from:

rpm -qp --queryformat="%{SOURCERPM}\n" package.rpm

This returns the name of the source RPM, which contains the build information.

For comprehensive metadata analysis:

rpmdump -v package.rpm > metadata.txt
grep -E 'BuildHost|BuildTime' metadata.txt

For advanced users, you can directly read RPM headers:

od -x -N 96 package.rpm | head

This shows the lead and signature sections containing build timestamps.
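An added example (not from the original page): a parser for the on-disk layout that needs no rpm binary, so it runs the same on Windows and CentOS. It skips the 96-byte lead and the signature header, then reads BUILDTIME (tag 1006), BUILDHOST (1007), VENDOR (1011) and SOURCERPM (1044) from the main header; the function names are chosen here, and the sample image is constructed from the field values listed at the top of this page.

```python
import struct

LEAD_SIZE, LEAD_MAGIC, HDR_MAGIC = 96, b"\xed\xab\xee\xdb", b"\x8e\xad\xe8\x01"
TAGS = {1006: "BUILDTIME", 1007: "BUILDHOST", 1011: "VENDOR", 1044: "SOURCERPM"}  # rpmtag.h
T_INT32, T_STRING = 4, 6

def read_header(buf, pos):
    """Parse one header structure at pos -> (index entries, data store, end offset)."""
    if len(buf) < pos + 16 or buf[pos:pos + 4] != HDR_MAGIC:
        raise ValueError("no header structure at offset %d" % pos)
    nindex, hsize = struct.unpack_from(">II", buf, pos + 8)
    store_at = pos + 16 + 16 * nindex
    if store_at + hsize > len(buf):          # reject counts that point past the file
        raise ValueError("truncated or corrupt header")
    entries = [struct.unpack_from(">IIII", buf, pos + 16 + 16 * i) for i in range(nindex)]
    return entries, buf[store_at:store_at + hsize], store_at + hsize

def build_metadata(buf):
    """Return the build-provenance tags of an RPM image given as bytes."""
    if len(buf) < LEAD_SIZE or buf[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file")
    _, _, end = read_header(buf, LEAD_SIZE)   # signature header: skipped, not verified
    entries, store, _ = read_header(buf, (end + 7) & ~7)  # main header is 8-byte aligned
    out = {}
    for tag, typ, off, _count in entries:
        name = TAGS.get(tag)
        if name and typ == T_INT32 and off + 4 <= len(store):
            out[name] = struct.unpack_from(">I", store, off)[0]
        elif name and typ == T_STRING and off < len(store):
            out[name] = store[off:store.index(b"\0", off)].decode("utf-8", "replace")
    return out

def make_header(items):
    """Build a header structure from (tag, type, raw bytes) triples; sample data only."""
    index = store = b""
    for tag, typ, raw in items:
        if typ == T_INT32:
            store += b"\0" * (-len(store) % 4)   # INT32 values are 4-byte aligned
        index += struct.pack(">IIII", tag, typ, len(store), 1)
        store += raw
    return HDR_MAGIC + bytes(4) + struct.pack(">II", len(items), len(store)) + index + store

def sample_rpm():
    """Constructed, payload-less RPM image carrying the field values shown on this page."""
    sig = make_header([(1000, T_STRING, b"x\0")])   # placeholder signature entry
    main = make_header([(1007, T_STRING, b"build.example.com\0"),
                        (1006, T_INT32, struct.pack(">I", 1689345678)),
                        (1044, T_STRING, b"package-1.0-1.src.rpm\0")])
    return LEAD_MAGIC + bytes(LEAD_SIZE - 4) + sig + bytes(-len(sig) % 8) + main
```

For a real file, pass `open("package.rpm", "rb").read()` to `build_metadata`. The values are whatever the builder wrote into the header and the signature is not checked here, so verify the package signature (for example with `rpm -K`) before relying on them as provenance.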

Here's a complete script to extract build information:

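#!/bin/bash
# Print build provenance for an RPM file without installing it.
if [ -f "$1" ]; then
    # Quote "$1" so paths containing spaces or glob characters are passed intact
    echo "Build Host: $(rpm -qp --queryformat '%{BUILDHOST}\n' "$1")"
    echo "Build Time: $(rpm -qp --queryformat '%{BUILDTIME}\n' "$1" | xargs -I{} date -d @{})"
    echo "Source RPM: $(rpm -qp --queryformat '%{SOURCERPM}\n' "$1")"
else
    echo "File $1 not found" >&2
    exit 1
fi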

RPM packages contain rich metadata that can be accessed without installation. The package header stores crucial information including:

  • Build host and timestamp
  • Source RPM name
  • Build dependencies
  • Changelog entries

On Windows, you can use these methods:


# Using 7-Zip (GUI method):
1. Right-click the .rpm file
2. Select "7-Zip" → "Open archive"
3. Look for .spec files and metadata in the archive structure

# Using Cygwin with rpm2cpio:
rpm2cpio package.rpm | cpio -t

For comprehensive metadata extraction on CentOS/RHEL:


# Basic package info
rpm -qip package.rpm

# Show changelog (contains build references)
rpm -qp --changelog package.rpm

# Extract SPEC file (contains build instructions; shipped in the source RPM, not the binary RPM)
rpm2cpio package-1.0-1.src.rpm | cpio -ivd '*.spec'

To trace the exact build sources:


# 1. Find the SRPM name
rpm -qp --queryformat "%{SOURCERPM}\n" package.rpm

# 2. Query build host (useful for forensic analysis)
rpm -qp --queryformat "Built on: %{BUILDHOST}\nAt: %{BUILDTIME:date}\n" package.rpm

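# 3. Show all available tags (--querytags lists the tag names and takes no package),
#    then dump every tag stored in this package (full metadata dump)
rpm --querytags
rpm -qp --xml package.rpm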

Let's examine a hypothetical httpd package:


$ rpm -qip httpd-2.4.6-90.el7.centos.x86_64.rpm
Name        : httpd
Version     : 2.4.6
Release     : 90.el7.centos
Architecture: x86_64
Build Host  : buildvm-07.phx2.fedoraproject.org
Source RPM  : httpd-2.4.6-90.el7.centos.src.rpm

The output reveals it was built in the Fedora project's build system, and the matching source RPM name is provided for further investigation.