On Tue, 26 Oct 2021 16:08:56 +0100 Andrew Marlow via Gnupg-users <gnupg-users@gnupg.org> wrote:
> For some time now where I work there has been a rule saying "thou shalt add
> a digital signature to every executable and shared library when shipping
> software designed to run on Windows". This is quite doable and all is well
> and good. At least, on Windows. But what about Linux? The only thing I've
> seen for Linux is to create separate digital signatures using tools like
> gpg (GNU Privacy Guard). I can find no mention of how to attach them to an
> executable or shared library.

I think your first challenge is that I'm not sure ELF has any mechanism for
digital signatures. *BUT*, that doesn't stop one from adding a section in the
ELF binary that embeds a digital signature.

The trick is knowing what parts of the ELF binary need digital signature
protection. I would suggest at a minimum the .text and .data sections. .text
contains the machine code and .data contains the statically-allocated
variables and read-only data.

You could conceptually extract these as raw binary images, concatenate them
with some sort of describing header (derived from the ELF header) that
indicates where they are loaded and whatever metadata you think is
appropriate, then digitally sign *that* blob, generating a new OpenPGP-format
binary blob.

https://stackoverflow.com/questions/1088128/adding-section-to-elf-file might
provide some inspiration too.

To verify, you'd simply use `objcopy` to extract the bits, re-assemble the
signed parts then verify the signature.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
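The "extract .text and .data, prefix a describing header, sign that blob" step from the reply above, as an added Python example (not code from either mail nor from GnuPG): it walks the section header table of a little-endian ELF64 image, builds the blob, and hands it to `gpg --detach-sign`. The `ESIG` magic and the header layout are my own assumptions, and the sample ELF is constructed inline (it is not a runnable program); verification is simply rebuilding the same blob from the shipped file and running `gpg --verify` against the stored signature.

```python
import struct
import subprocess

def elf64_sections(data):
    """Map section name -> (sh_addr, sh_offset, sh_size) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (shoff,) = struct.unpack_from("<Q", data, 0x28)            # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    hdrs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize)
            for i in range(shnum)]
    strtab = hdrs[shstrndx][4]                                  # sh_offset of .shstrtab
    def name(idx):
        return data[strtab + idx:data.index(b"\0", strtab + idx)].decode()
    return {name(h[0]): (h[3], h[4], h[5]) for h in hdrs}

def signing_blob(data, wanted=(".text", ".data")):
    """Canonical blob to sign (assumed layout): magic + count, then one
    (name, load address, size) record per protected section, then the raw
    section bytes in the same order. Any change to code, data or where it
    loads changes the blob and therefore breaks the signature."""
    secs = elf64_sections(data)
    header, body = b"", b""
    for n in wanted:
        addr, off, size = secs[n]
        header += struct.pack("<16sQQ", n.encode(), addr, size)
        body += data[off:off + size]
    return struct.pack("<4sI", b"ESIG", len(wanted)) + header + body

def gpg_detach_sign(blob, sig_path):
    """Write an OpenPGP detached signature over the blob using the default
    key; the .sig can then be embedded with objcopy --add-section."""
    subprocess.run(["gpg", "--batch", "--yes", "--detach-sign", "--output", sig_path],
                   input=blob, check=True)

def build_sample_elf():
    """Constructed minimal ELF64 (.text, .data, .shstrtab only) for offline demonstration."""
    text, rodata = b"\x48\x31\xc0\xc3", b"hello\0"
    shstr = b"\0.text\0.data\0.shstrtab\0"
    shoff = 64 + len(text) + len(rodata) + len(shstr)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3)
    def sh(name, typ, addr, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, addr, off, size, 0, 0, 1, 0)
    shdrs = (sh(0, 0, 0, 0, 0) + sh(1, 1, 0x401000, 64, len(text))
             + sh(7, 1, 0x402000, 64 + len(text), len(rodata))
             + sh(13, 3, 0, 64 + len(text) + len(rodata), len(shstr)))
    return ehdr + text + rodata + shstr + shdrs

if __name__ == "__main__":
    print(len(signing_blob(build_sample_elf())), "bytes to sign")
```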