Tools for producing SWID tags for rpm packages and inspecting the SWID tags.
Utility rpm2swidtag creates SWID tags for rpm packages, installed in
rpm database or rpm files:
usage: rpm2swidtag [-h] [-a | -p | --repo DIR]
[--tag-creator SOURCE-FILE, REGID or "REGID NAME"]
[--software-creator SOURCE-FILE, REGID or "REGID NAME"]
[--distributor SOURCE-FILE, REGID or "REGID NAME"]
[--sign-pem KEYFILE.pem[,CA.pem[...]]] [--output-dir DIR]
[--authoritative | --evidence-deviceid DEVICE]
[--primary-only] [--print-tagid]
[--preserve-signing-template] [--retain-old-md N]
[--config FILE]
[... ...]
Generating SWID tags for rpm packages.
positional arguments:
... package(s), glob(s) or file name(s)
options:
-h, --help show this help message and exit
-a, --all query all packages with glob pattern
-p, --package process rpm package file
--repo DIR create SWID tag information for yum/dnf repo
--tag-creator SOURCE-FILE, REGID or "REGID NAME"
tagCreator Entity attributes
--software-creator SOURCE-FILE, REGID or "REGID NAME"
softwareCreator Entity attributes
--distributor SOURCE-FILE, REGID or "REGID NAME"
distributor Entity attributes
--sign-pem KEYFILE.pem[,CA.pem[...]]
PEM files with key and certificates
--output-dir DIR write SWID tags files into regid subdirectory of DIR;
or directly into DIR when the path ends with /.
--authoritative produce authoritative tag (per NIST.IR.8060) with
Payload, rather than Evidence
--evidence-deviceid DEVICE
Evidence/@deviceId string, defaults to hostname
--primary-only do not generate supplemental tags
--print-tagid compute and print tagId(s) to standard output
--preserve-signing-template
keep the XML signing template in the output (for
subsequent signing)
--retain-old-md N preserve N latest copies of *-swidtags.xml.gz when
used with --repo
config options:
--config FILE location of the configuration file
The SWID tag XML output is produced from template
(/etc/rpm2swidtag/swidtag-template.xml) via XSLT stylesheet
(/etc/rpm2swidtag/rpm2swidtag.xslt) while injecting values from
the rpm package or rpm file headers.
To customize the output, either edit the default input template and/or
XSLT stylesheet, or point rpm2swidtag to alternative locations
for these files, using environment variables RPM2SWIDTAG_TEMPLATE
and/or RPM2SWIDTAG_XSLT.
The tagCreator Entity can thus be changed in the input template.
Alternatively, --tag-creator option can be used to change the
tagCreator's @regid and @name attributes on a command line.
When customizing the XSLT stylesheet,
{http://adelton.fedorapeople.org/rpm2swidtag}package_tag(tag)
function can be used to retrieve values from the rpm header for
inclusion in the output SWID tag.
When the --print-tagid option is used, values of tagId are
computed and printed to standard output, instead of the full
SWID tag, using stylesheet /etc/rpm2swidtag/rpm2swidtag-tagid.xslt.
To generate SWID tags for all packages in the rpm database
rpm2swidtag -a --tag-creator $(hostname -f) --output-dir /usr/lib/swidtag
can be used. It will produce the .swidtag files in
/usr/lib/swidtag/$(hostname -f) directory.
Running rpm2swidtag with --repo option will produce SWID tags
for yum/dnf repository and put them into single XML file which
is then referenced from repository's top-level repomd.xml metadata
file with type swidtags.
Produced SWID tags can be listed using the swidq utility:
usage: swidq [-h] [-p PATH [PATH ...]] [-a] [-n] [--rpm] [-i] [-l] [--dump]
[--xml] [--output-stylesheet FILE] [--debug] [--silent] [-c FILE]
[... ...]
Querying SWID tags.
options:
-h, --help show this help message and exit
selection options:
-p PATH [PATH ...], --paths PATH [PATH ...]
process listed directories and SWID tag files
-a, --all match tagId/name with glob pattern, default '*'
-n, --name query name instead of tagId
--rpm query rpm Resource instead of tagId
output options:
-i, --info output some SWID tag fields
-l, --list-files list files from the SWID tag
--dump dump SWID tag content as indented text
--xml output SWID tags as XML
--output-stylesheet FILE
output via custom XSLT stylesheet
other options:
--debug verbose debugging messages
--silent suppress non-fatal warnings
-c FILE, --config FILE
location of the configuration file
remaining arguments:
... tagId, name, or rpm name
By default, config file /etc/swid/swidq.conf configures swidq to
query directories (or symlinks to directories) under /etc/swid/swidtags.d
when looking for SWID tag files.
DNF plugin swidtags can be used to fetch SWID tags from dnf/yum
repository metadata, keeping the SWID information synchronized with
package installations, upgrades, and removals via DNF operations.
When the rpm2swidtag_command option is configured (pointing to
/usr/bin/rpm2swidtag) in /etc/dnf/plugins/swidtags.conf, SWID
tags will be locally-generated for packages for which they are not
available in the dnf/yum repository.
usage: dnf swidtags {sync,regen,purge}
Maintain SWID tags for installed rpms
positional arguments:
{sync,regen,purge}
sync for installed rpms, fetch SWID tags from repository
metadata or generate them locally
regen synonym to sync
purge remove all SWID tags that were locally-generated by
the plugin
When the swidtags DNF plugin is enabled in
/etc/dnf/plugins/swidtags.conf, any DNF operation which adds, removes,
updates or replaces rpm packages will cause SWID tags from repository
metadata to be updated in /usr/lib/swidtag/<tagCreator>, or generated
locally into /var/lib/swidtag/rpm2swidtag-generated.
Written by Jan Pazdziora, 2018--2023.
Copyright 2018--2023, Red Hat, Inc.
Licensed under the Apache License, Version 2.0.