annocheck - Man Page
Analysing binary files.
Synopsis
annocheck
[-h | --help]
[--help-tool]
[--version]
[-v | --verbose]
[-q | --quiet]
[-i | --ignore-unknown]
[-r | --report-unknown]
[-f | --follow-links]
[-I | --ignore-links]
[--debug-rpm=file]
[--debug-file=file]
[--debug-dir=dir]
[-p text | --prefix=text]
[-t dir | --tmpdir=dir]
[-u | --use-debuginfod]
[-n | --no-use-debuginfod]
[--enable-tool]
[--disable-tool]
[--tool]
[--tool-option]
file...
annocheck
--builtby
--enable-builtby
[--all]
[--tool=name]
[--nottool=name]
[--no-version-info]
[--no-lang-info]
[--options-info]
file...
Description
The annocheck program can analyse binary files and report information about them. It is designed to be modular, with a set of self-contained tools providing the checking functionality. Currently the following tools are implemented:
The annocheck program is able to scan inside rpm files and libraries. It will automatically recurse into any directories that are specified on the command line. In addition annocheck knows how to find debug information held in separate debug files, and it will search for these whenever it needs the resources that they contain.
New tools can be added to the annocheck framework by creating a new source file and including it in the Makefile used to build annocheck. The modular nature of annocheck means that nothing else needs to be updated.
New tools must fill out a struct checker structure (defined in annocheck.h) and they must define a constructor function that calls annocheck_add_checker to register their presence at program start-up.
The annocheck program supports some generic command line options that are used regardless of which tools are enabled.
- --debug-rpm=file
Look inside file for separate dwarf debug information. Multiple instances of the --debug-rpm option accumulate.
Note - if none of the --debug-rpm, --debug-file and --debug-dir options are used and a single source file is specified to be scanned, and this file's name ends in .rpm then annocheck will automatically look to see if it can find an associated debug info rpm based upon the filename.
- --debug-file=file
Look in file for dwarf debug information. Multiple instances of this option accumulate.
- --debug-dir=dir
Look in directory dir for separate dwarf debug information files. Note: multiple instances of this option do not accumulate.
- --help
- -h
Displays the generic annobin usage information and then exits.
- --help-tool
Displays the usage information for tool and then exits.
- --report-unknown
- --ignore-unknown
- -r
- -i
If enabled, unknown file types are reported when they are encountered. This includes non-ELF format files, block devices and so on. Directories are not considered to be unknown and are automatically descended.
The default setting depends upon the file being processed. For rpm files the default is to ignore unknowns, since these often contain non-executable files. For other file types, including directories, the default is to report unknown files.
- --ignore-links
- --follow-links
- -I
- -f
Specifies whether symbolic links should be followed or ignored.
The default setting depends upon the file being processed. For rpm files the default is to ignore symbolic links, since these are often unresolvable. For other file types, including directories, the default is to follow the links.
- --prefix=text
- -p text
Include text in the output description.
- --quiet
- -q
Do not print anything, just return an exit status.
- --tmpdir=dir
- -t dir
Use dir as a directory for holding temporary files.
- --verbose
- -v
Produce informational messages whilst working. Repeat for more information.
- --version
Report the version of the tool and then exit.
- --use-debuginfod
- -u
Enable the use of the debuginfod service to download debuginfo rpms. This feature is enabled by default, but it is only active if support for the debuginfod server has been compiled in to annocheck.
- --no-use-debuginfod
- -n
Do not use the debuginfod service, even if it is available.
- --enable-tool
Enable tool. Most tools are disabled by default and so need to be enabled via this option before they will act.
- --disable-tool
Disable tool. Normally used to disable the hardening checker, which is enabled by default.
- --tool
Enable tool and disable all other tools.
- --tool-option
Pass option on to tool.
Any other command line options will be passed to the tools in turn in order to give them a chance to claim and process them.
The builtby tool is disabled by default, but it can be enabled by the command line option --enable-builtby or just --builtby. The tool checks the specified files to see if any information is stored about how the file was built and the source languages involved.
Since the hardening checker is enabled by default it may also be useful to add the --disable-hardened option to the command line, although this is not needed if the --builtby option is used.
The tool supports a few command line options to customise its behaviour:
- --all
Report all builder identification strings. The tool has several different heuristics for determining the builder. By default it will report the information returned by the first successful heuristic. If the --all option is enabled then all successful results will be returned. This will probably result in the display of multiple instances of the same information.
- --tool=name
This option can be used to restrict the output to only those files which were built by a specific tool. This can be useful when scanning a directory full of files searching for those built by a particular compiler. This option can be used multiple times in order to allow a selection of builders to be reported.
- --nottool=NAME
This option can be used to restrict the output to only those files which were not built by a specific tool. This can be useful when scanning a directory full of files searching for those that were not built by a particular compiler. This option can be used multiple times in order to allow multiple builders to be hidden.
- --lang=name
This option can be used to restrict the output to only those files which were written in a specific high level language. Note - not all binaries include information about the source code language(s), so this option may not be completely effective. This option can be used multiple times in order to allow a broader selection of languages to be reported.
- --notlang=NAME
This option can be used to restrict the output to only those files which were not written in a specific high level language. Note - not all binaries include information about the source code language(s), so this option may not be completely effective. This option can be used multiple times in order to allow a broader selection of languages to be hidden.
- --no-version-info
- --version-info
By default builtby will report the version information for the builders that it detects. Enabling the --no-version-info option will prevent this information from being displayed.
If necessary the feature can be re-enabled by the --version-info option.
- --no-lang-info
- --lang-info
By default builtby will report the high level language(s) of the sources used to build the program - if they have been recorded. Enabling the --no-lang-info option will prevent this information from being displayed.
If necessary the feature can be re-enabled by the --lang-info option.
- --no-tool-info
- --no-builder-info
- --tool-info
By default builtby will report the tool(s) used to build the program. Enabling the --no-build-info option will prevent this information from being displayed, meaning that only the high level language information will be shown. Enabling this option and the --no-lang-info option effectively renders built-by redundant.
Note --no-builder-info is treated as a synonym for --no-tool-info.
If necessary the feature can be re-enabled by the --tool-info option.
- --options-info
- --no-options-info
By default builtby will not report the command line options provided to the tool(s) used to build the target binary. Adding the --options-info option will enable the display of this information, if it is stored in the binary (or its debug info).
If necessary the feature can be disabled by the --no-options-info option.
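Added example (not part of the annocheck documentation): a shell wrapper that uses the repeatable --nottool option described above to list files in a tree that builtby attributes to none of an approved set of builders, with debuginfod downloads turned off for the audit. The function name, the ANNOCHECK override variable and the builder names in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of annocheck. Lists files under a path that
# builtby attributes to none of the approved builders.
# ANNOCHECK is a hypothetical override for the binary (lets tests stub it).

# usage: unapproved_builders PATH APPROVED_TOOL [APPROVED_TOOL...]
unapproved_builders() {
    if [ "$#" -lt 2 ]; then
        echo "usage: unapproved_builders PATH APPROVED_TOOL..." >&2
        return 2
    fi
    dir=$1
    shift
    if [ ! -e "$dir" ]; then
        echo "unapproved_builders: no such path: $dir" >&2
        return 2
    fi

    # Turn each approved builder name into one --nottool=NAME argument.
    # The for list is expanded once, so appending inside the loop is safe;
    # the original names are then shifted off the front.
    count=$#
    for tool in "$@"; do
        set -- "$@" "--nottool=$tool"
    done
    shift "$count"

    # --builtby            enable the builtby tool
    # --no-use-debuginfod  never download debuginfo during the audit
    # --ignore-unknown     do not report non-ELF files found in the tree
    "${ANNOCHECK:-annocheck}" --builtby --no-use-debuginfod \
        --ignore-unknown "$@" "$dir"
}

# Example call (builder names are sample values, not taken from the page):
#   unapproved_builders ./release-tree gcc
```

Because builtby can only report what is recorded in a binary or its debug info, files with no builder information need to be reviewed separately.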
Options
Copyright
Copyright (c) 2018 - 2024 Red Hat.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".