
[RFC] rpmbuild,check: verify file hashes #3039

Draft: wants to merge 1 commit into base: master

Conversation

nmanthey

During the %check target, no files that existed before are expected to be modified. This change adds a validation to the rpmbuild command, which will store file hashes, and compare them after compilation again.

Note: this is only a simple demonstrator that cannot handle large projects, and it is using a very simple hash function.

Note

This is a demonstrator to steer discussions. A fully functional variant would likely use a dynamic container to store the hashes, handle errors better, and use a more sophisticated hash function.

We are aware that there are ways around this validation and still modify build files from the %check phase.

This is one way to implement the requirement to have an immutable build root during rpmbuild's %check phase, as described in #3010.

Testing Done

I compiled the xz-utils package of Amazon Linux 2 in an Amazon Linux 2 container image with this change. We also tested a malicious RPM that modified its build files during %check.

During the %check target, no files that existed before are expected to
be modified. This change adds a validation to the rpmbuild command,
which will store file hashes, and compare them after compilation again.

Note: this is only a simple demonstrator that cannot handle large
projects, and it is using a very simple hash function.

Signed-off-by: Norbert Manthey <[email protected]>
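The mechanism the PR describes, snapshotting file digests of the build root before %check and comparing them afterwards, is small enough to show end to end. The block below is an added example written for this page, not code from the PR or from rpm's code base: it uses SHA-256 (the digest rpm already uses for packaged content, as noted in the review comment) instead of the PR's simple hash, stores digests in a dictionary rather than a fixed-size array, and stands in a Python callable for the %check step. Only pre-existing files that were modified or deleted count as violations; files created during the check (test logs, for example) are reported but allowed. The build tree and the tampering check step are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_buildroot(root):
    """Map every file under root (path relative to root) to its digest.

    Symlinks are recorded by their target string rather than followed, so a
    link re-pointed during %check still shows up as a modification.
    """
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                digests[rel] = "symlink:" + os.readlink(full)
            else:
                digests[rel] = hash_file(full)
    return digests


def compare_snapshots(before, after):
    """Return (modified, deleted, added) relative paths.

    Modified and deleted entries violate the rule that files existing before
    %check must not change; added files are informational only.
    """
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    deleted = sorted(p for p in before if p not in after)
    added = sorted(p for p in after if p not in before)
    return modified, deleted, added


def run_guarded_check(root, check_step):
    """Snapshot root, run check_step(root), snapshot again, return violations.

    check_step is a hypothetical stand-in for executing the %check scriptlet.
    """
    before = snapshot_buildroot(root)
    check_step(root)
    after = snapshot_buildroot(root)
    modified, deleted, _added = compare_snapshots(before, after)
    return modified, deleted


def demo():
    """Constructed scenario: a tiny build tree and a %check step that tampers."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        with open(os.path.join(root, "src", "main.c"), "w") as f:
            f.write("int main(void) { return 0; }\n")
        with open(os.path.join(root, "src", "Makefile"), "w") as f:
            f.write("all: main\n")
        with open(os.path.join(root, "config.h"), "w") as f:
            f.write("#define VERSION 1\n")

        def tampering_check(r):
            # Rewrites one build file, deletes another, and writes a log.
            # Only the first two should be flagged.
            with open(os.path.join(r, "src", "main.c"), "a") as f:
                f.write("/* modified during check */\n")
            os.remove(os.path.join(r, "config.h"))
            with open(os.path.join(r, "check.log"), "w") as f:
                f.write("tests passed\n")

        return run_guarded_check(root, tampering_check)


if __name__ == "__main__":
    modified, deleted = demo()
    print("modified during %check:", modified)  # ['src/main.c']
    print("deleted during %check:", deleted)    # ['config.h']
```

Walking and hashing the whole build root twice is exactly the extra cost the review comment objects to; a production variant inside rpmbuild would reuse the digests rpm already computes for packaged files and would have to decide what to do about files the %check step legitimately regenerates.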
@pmatilai
Member

Rpm already hashes any packaged content cryptographically (SHA256 by default); any such mechanism should utilize that to minimize the extra cost.

But this seems like a big extra cost with limited benefit; we're more interested in preventing writes across the different stages.
