If you just want to pass rpm verify, I believe you can just delete the rpm db entry with something like 'rpm -e <pkgs> --justdb --nodeps'. The pkg won't show as installed, but it shouldn't be corrupt either. I haven't verified this, though.
jeff

> Do you know any of the RPM-aware rootkits for Linux which will not be
> detected by "rpm --verify"? I would prefer direct edit of /var/lib/rpm
> rather than a trojaned rpm binary, but what the heck - whatever will do.
>
> I need to deploy something on Linux which will pass the "rpm -V", but will
> involve replacing some binaries. I can rebuild the stuff from source
> RPMs, recreate the package and then replace the stock RPM, but it is too
> messy (GPG sig will be different, but that will hopefully be OK for the
> honeypot).