Before anyone says it, I'd be more than willing to work on the code for this myself but would like feedback on the idea.

Essentially as follows:

1 - A sysctl variable stores a public key that can only be written to once at startup
2 - All executables on the system must be signed with that public key
3 - Any executable not signed is essentially chmod -x

Of course that's the simple basic idea; there are obvious performance issues to consider and this system would have to be optional, but for truly paranoid installs it could be a wonderful feature. More complex policies are easily imagined, but for a first version, simply refusing to run executables without signing seems worthwhile.

The performance issues could be partly addressed by only signing hashes of the executables: the unsigned hashes would all be stored in one file that is supplied with the install sets and signed the first time this feature is enabled. Signing can take place on another machine and only the signature file copied over, or signing can take place locally with the private key later removed - or simply left in place for slightly lower levels of security.
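As an added example (not code from the original post), the proposal above written out as a userland prototype in Go rather than kernel code: a write-once public key, a manifest of SHA-256 digests signed once on the signing host, and an exec-time check that refuses anything not in the verified manifest or whose contents no longer match. Ed25519 stands in for whatever signature scheme the real implementation would use, and the sample "executables", their paths and the sysctl name kern.exec_pubkey are constructed for the demonstration.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ErrKeyAlreadySet models the write-once sysctl (kern.exec_pubkey, a
// hypothetical name): the first write wins and every later write fails.
var ErrKeyAlreadySet = errors.New("kern.exec_pubkey is write-once")

// Policy is the state the kernel would hold: the installed public key and the
// approved executable digests, loaded only from a manifest that verified.
type Policy struct {
	pubkey ed25519.PublicKey
	hashes map[string][32]byte
}

// BuildManifest hashes each executable and emits one "sha256hex path" line per
// file, sorted by path so the blob being signed is reproducible.
func BuildManifest(execs map[string][]byte) []byte {
	paths := make([]string, 0, len(execs))
	for p := range execs {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var buf bytes.Buffer
	for _, p := range paths {
		sum := sha256.Sum256(execs[p])
		fmt.Fprintf(&buf, "%s %s\n", hex.EncodeToString(sum[:]), p)
	}
	return buf.Bytes()
}

// SignManifest is the one-time step run on the signing host (or locally, after
// which the private key can be deleted); only the signature travels to the box.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// SetKey installs the public key; a second call is rejected.
func (p *Policy) SetKey(pub ed25519.PublicKey) error {
	if p.pubkey != nil {
		return ErrKeyAlreadySet
	}
	p.pubkey = append(ed25519.PublicKey(nil), pub...)
	return nil
}

// LoadManifest accepts the digest list only if its signature verifies under the
// installed key; a tampered manifest leaves the policy unchanged.
func (p *Policy) LoadManifest(manifest, sig []byte) error {
	if p.pubkey == nil {
		return errors.New("no public key installed")
	}
	if !ed25519.Verify(p.pubkey, manifest, sig) {
		return errors.New("manifest signature invalid")
	}
	hashes := make(map[string][32]byte)
	sc := bufio.NewScanner(bytes.NewReader(manifest))
	for sc.Scan() {
		fields := strings.SplitN(sc.Text(), " ", 2) // paths may contain spaces
		if len(fields) != 2 {
			return fmt.Errorf("malformed manifest line %q", sc.Text())
		}
		raw, err := hex.DecodeString(fields[0])
		if err != nil || len(raw) != sha256.Size {
			return fmt.Errorf("bad digest for %s", fields[1])
		}
		var sum [32]byte
		copy(sum[:], raw)
		hashes[fields[1]] = sum
	}
	p.hashes = hashes
	return nil
}

// MayExec is the check execve(2) would perform: the path must be listed in the
// verified manifest and the file's current contents must match the listed
// digest. Anything else is treated as if it had no execute bit.
func (p *Policy) MayExec(path string, contents []byte) bool {
	want, ok := p.hashes[path]
	return ok && sha256.Sum256(contents) == want
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed stand-ins for real binaries.
	execs := map[string][]byte{"/bin/ls": []byte("ls-bin"), "/usr/bin/vi": []byte("vi-bin")}
	manifest := BuildManifest(execs)
	sig := SignManifest(priv, manifest) // done on the signing host; priv never reaches the target

	var p Policy
	fmt.Println("set key:", p.SetKey(pub), "| second set:", p.SetKey(pub))
	fmt.Println("load manifest:", p.LoadManifest(manifest, sig))
	fmt.Println("/bin/ls intact:", p.MayExec("/bin/ls", []byte("ls-bin")))
	fmt.Println("/bin/ls modified:", p.MayExec("/bin/ls", []byte("trojan")))
	fmt.Println("/tmp/unsigned:", p.MayExec("/tmp/unsigned", []byte("x")))
}
```

Two things the prototype makes visible that the sketch does not: the check is per path and per content, so a signed binary copied to another path is refused and an in-place modification is refused, but the manifest has to be regenerated and re-signed on every upgrade; and the check covers only the exec'd file, so shared libraries and scripts fed to an interpreter would need their own rule under a later, more complex policy.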

