Repackage RPM file from Zstandard to Gzip compression

Summary

AzureHSM support for BIG-IP requires that the BIG-IP admin install a RPM file that is released by Microsoft. However, recent releases of this RPM file are unable to be installed on BIG-IP due to an old version of rpm used on BIG-IP. It is possible to use a newer version of software to repackage the the .rpm file so that it can be installed on BIG-IP.

Problem statement

Long story short: a BIG-IP admin seeking to install this RPM on BIG-IP will get this error:

curl -LOJ https://github.com/microsoft/AzureManagedHsmTLSOffload/releases/download/v1.1.0.02829/mhsm-pkcs11-1.1.0.02829-1.cm2.x86_64.rpm
 
rpm -ivh mhsm-pkcs11-1.1.0.02829-1.cm2.x86_64.rpm

Then we get an error message:
error: Failed dependencies:
        rpmlib(PayloadIsZstd) <= 5.4.18-1 is needed by mhsm-pkcs11-1.1.0.02829-1.cm2.x86_64

Initial notes

  • BIG-IP (latest version is 17.5) runs on CentOS Linux release 7.3.1611 (Core). You can run cat /etc/centos-release to see this.
  • CentOS 7 is no longer supported by MS for this package. README
  • Release notes indicate the last CentOS 7 supported package is v1.1.0.02802. This was released Sept 2024, currently 2nd newest release.
  • It is somewhat unclear if the following version, v1.1.0.02829, supports CentOS 7. It may also.

Workaround

After researching and asking ChatGPT, we learned we can do the following:

  1. Build a new RHEL 9.4 server in Azure and ran these commands:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

curl -LOJ https://github.com/microsoft/AzureManagedHsmTLSOffload/releases/download/v1.1.0.02802/mhsm-pkcs11-1.1.0.02802-1.cm2.x86_64.rpm

mkdir repack_rpm
cd repack_rpm

# Extract the RPM contents
rpm2cpio ../mhsm-pkcs11-1.1.0.02802-1.cm2.x86_64.rpm | cpio -idmv

#install fpm, which we will use to rebuild this package with gzip instead of Zstandard
sudo yum install -y ruby rubygems
gem install --no-document fpm

sudo yum install -y rpm-build

# Rebuild the RPM using gzip instead of Zstd
fpm -s dir -t rpm -n mhsm-pkcs11 -v 1.1.0.02802 --iteration 1.cm2 --architecture x86_64 --rpm-compression=gzip *
  1. Copy the new rpm file you just built to the BIG-IP.
  2. Install it: rpm -ivh mhsm-pkcs11-1.1.0.02802-1.cm2.x86_64.rpm

Conclusion

The problem is that the version of rpm on BIG-IP is too old for RPM files that are packaged with Zstandard, a newer compression method than gzip.

Updated:

You May Also Enjoy

My Vault Setup

This is a record so I can reference how I like to run Hashicorp Vault