Re: Using gpg to add digital signature to a linux executable
On Tue, 26 Oct 2021, Robert J. Hansen via Gnupg-users wrote:

>> all is well and good. At least, on Windows. But what about linux?
>
> As a general rule, Windows signs executables more than it signs packages; Linux signs packages more than it signs executables. The best practice seems to be to use GnuPG to attach a digital signature to an RPM or DEB (or Snap or Flatpak or what-have-you), rather than to sign the executables directly.
>
>> doing it. So, much as I detest Windows, this seems to be one area in which Windows is slightly ahead.
>
> "Ahead" might be putting it a little strongly. The two operating systems are different and have different approaches to supply chain security. :)

The possibility to sign individual executables and libraries sounds very interesting to me as a (more or less pure) Linux user: if I want to make sure the files are in order, I currently need to find the package that contained the file, check its signature and compare it with the filesystem state. However, if there was (also) a signature on the file, I could more easily check single files, and I could even easily identify files which were not installed by the package manager.

tl;dr: If you have some results regarding signing binaries in-situ, share them with the public!
regards, Erich

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using gpg to add digital signature to a linux executable
> Why not do a detached signature using e.g. gpg -sb --output file.sig file? Then, someone can run gpg --verify file.sig file to ensure that the signature is valid.

(a) because the OP specifically said he was looking for integrated signatures, and (b) detached signatures have a way of getting lost, not distributed with the executables, and so on.
Re: Using gpg to add digital signature to a linux executable
> all is well and good. At least, on Windows. But what about linux?

As a general rule, Windows signs executables more than it signs packages; Linux signs packages more than it signs executables. The best practice seems to be to use GnuPG to attach a digital signature to an RPM or DEB (or Snap or Flatpak or what-have-you), rather than to sign the executables directly.

> doing it. So, much as I detest Windows, this seems to be one area in which Windows is slightly ahead.

"Ahead" might be putting it a little strongly. The two operating systems are different and have different approaches to supply chain security. :)
Re: Using gpg to add digital signature to a linux executable
On Tue, 26 Oct 2021 16:08:56 +0100 Andrew Marlow via Gnupg-users wrote:

> For some time now where I work there has been a rule saying "thou shalt add a digital signature to every executable and shared library when shipping software designed to run on Windows". This is quite doable and all is well and good. At least, on Windows. But what about linux? The only thing I've seen for linux is to create separate digital signatures using tools like gpg (GNU Privacy Guard). I can find no mention of how to attach them to an executable or shared library.

I think your first challenge is that I'm not sure ELF has any mechanism for digital signatures. *BUT*, that doesn't stop one from adding a section in the ELF binary that embeds a digital signature.

The trick is knowing what parts of the ELF binary need digital signature protection. I would suggest at a minimum the .text and .data sections. .text contains the machine code and .data contains the statically-allocated variables and read-only data.

You could conceptually extract these as raw binary images, concatenate them with some sort of describing header (derived from the ELF header) that indicates where they are loaded and whatever metadata you think is appropriate, then digitally sign *that* blob, generating a new OpenPGP-format binary blob.

https://stackoverflow.com/questions/1088128/adding-section-to-elf-file might provide some inspiration too.

To verify, you'd simply use `objcopy` to extract the bits, re-assemble the signed parts then verify the signature.

--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
...it's backed up on a tape somewhere.
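The "extract .text and .data, prefix a describing header, sign the blob" scheme from the message above, worked through as an added example. This is not code from the thread or from any poster: it builds a tiny ELF64 x86-64 image in memory (a constructed input, not a real program), parses it with Go's debug/elf, serialises the covered sections together with the machine type, entry point and each section's load address and size, and signs that blob. Go's standard library has no OpenPGP implementation, so Ed25519 stands in for the signature gpg would produce; the section list, the "ELFSIG1" tag and the header layout are this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"debug/elf"
	"encoding/binary"
	"fmt"
)

var le binary.ByteOrder = binary.LittleEndian

// signedSections: the sections whose bytes and load addresses the signature covers (example's choice).
var signedSections = []string{".text", ".data"}

// buildSampleELF returns a constructed, minimal ELF64 x86-64 image (not a real
// program) so the example runs without a binary on disk. Layout: 64-byte ELF
// header, .text (nop; ret), .data, .shstrtab, then the section header table.
func buildSampleELF() []byte {
	text := []byte{0x90, 0xc3}
	data := []byte("hello, world\x00")
	shstr := []byte("\x00.text\x00.data\x00.shstrtab\x00") // name offsets 1, 7, 13
	textOff := uint64(64)
	dataOff := textOff + uint64(len(text))
	shstrOff := dataOff + uint64(len(data))
	shoff := (shstrOff + uint64(len(shstr)) + 7) &^ 7 // 8-byte aligned header table

	var b bytes.Buffer
	put := func(vs ...interface{}) {
		for _, v := range vs {
			binary.Write(&b, le, v)
		}
	}
	b.Write([]byte{0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0}) // e_ident: ELF64, LE, version 1
	put(uint16(elf.ET_EXEC), uint16(elf.EM_X86_64), uint32(1), uint64(0x401000), // type, machine, version, entry
		uint64(0), shoff, uint32(0), // phoff (no program headers needed for parsing), shoff, flags
		uint16(64), uint16(56), uint16(0), uint16(64), uint16(4), uint16(3)) // ehsize, phentsize, phnum, shentsize, shnum, shstrndx
	b.Write(text)
	b.Write(data)
	b.Write(shstr)
	for uint64(b.Len()) < shoff {
		b.WriteByte(0)
	}
	// One 64-byte section header: name, type, flags, addr, offset, size, link, info, addralign, entsize.
	sh := func(name uint32, typ elf.SectionType, flags elf.SectionFlag, addr, off, size uint64) {
		put(name, uint32(typ), uint64(flags), addr, off, size, uint32(0), uint32(0), uint64(1), uint64(0))
	}
	sh(0, elf.SHT_NULL, 0, 0, 0, 0)
	sh(1, elf.SHT_PROGBITS, elf.SHF_ALLOC|elf.SHF_EXECINSTR, 0x401000, textOff, uint64(len(text)))
	sh(7, elf.SHT_PROGBITS, elf.SHF_ALLOC|elf.SHF_WRITE, 0x402000, dataOff, uint64(len(data)))
	sh(13, elf.SHT_STRTAB, 0, 0, shstrOff, uint64(len(shstr)))
	return b.Bytes()
}

// canonicalBlob is what actually gets signed: a small header derived from the
// ELF header, then for each covered section its name, load address, size and
// raw bytes. Binding the address means a section cannot be silently relocated.
func canonicalBlob(image []byte) ([]byte, error) {
	f, err := elf.NewFile(bytes.NewReader(image))
	if err != nil {
		return nil, err
	}
	var blob bytes.Buffer
	blob.WriteString("ELFSIG1\x00") // format tag, this example's own convention
	binary.Write(&blob, le, uint16(f.Machine))
	binary.Write(&blob, le, f.Entry)
	for _, name := range signedSections {
		s := f.Section(name)
		if s == nil {
			return nil, fmt.Errorf("required section %s not found", name)
		}
		content, err := s.Data()
		if err != nil {
			return nil, err
		}
		binary.Write(&blob, le, uint32(len(name)))
		blob.WriteString(name)
		binary.Write(&blob, le, s.Addr)
		binary.Write(&blob, le, uint64(len(content)))
		blob.Write(content)
	}
	return blob.Bytes(), nil
}

// signImage hashes the canonical blob and signs the digest (Ed25519 stands in for gpg here).
func signImage(priv ed25519.PrivateKey, image []byte) ([]byte, error) {
	blob, err := canonicalBlob(image)
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256(blob)
	return ed25519.Sign(priv, d[:]), nil
}

// verifyImage rebuilds the blob from the image under test and checks the signature against it.
func verifyImage(pub ed25519.PublicKey, image, sig []byte) bool {
	blob, err := canonicalBlob(image)
	if err != nil {
		return false
	}
	d := sha256.Sum256(blob)
	return ed25519.Verify(pub, d[:], sig)
}

// selfTest signs the sample image, verifies it, then flips the first byte of
// .text (which sits right after the 64-byte ELF header) and confirms rejection.
func selfTest() (validAccepted, tamperedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	img := buildSampleELF()
	sig, err := signImage(priv, img)
	if err != nil {
		return false, false, err
	}
	validAccepted = verifyImage(pub, img, sig)
	tampered := append([]byte(nil), img...)
	tampered[64] ^= 0xff
	tamperedRejected = !verifyImage(pub, tampered, sig)
	return validAccepted, tamperedRejected, nil
}

func main() {
	ok, rejected, err := selfTest()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered .text rejected: %v\n", ok, rejected)
}
```

With a real binary the same blob can be assembled from the output of `objcopy -O binary --only-section=.text` (and likewise for .data), signed with `gpg -sb`, and the resulting signature written back into the file with `objcopy --add-section`, which is the in-situ attachment the original poster asked about. Note what the example deliberately leaves uncovered: bytes outside the listed sections (the section header table, .shstrtab, padding) can change without invalidating the signature, so any section an attacker could use to alter behaviour, such as .init_array or .dynamic in a dynamically linked binary, would need to be added to the covered list.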
Re: Using gpg to add digital signature to a linux executable
On 12021/07/18 04:64.54, Andrew Marlow via Gnupg-users wrote:

> Hello everyone,
>
> For some time now where I work there has been a rule saying "thou shalt add a digital signature to every executable and shared library when shipping software designed to run on Windows". This is quite doable and all is well and good. At least, on Windows. But what about linux? The only thing I've seen for linux is to create separate digital signatures using tools like gpg (GNU Privacy Guard). I can find no mention of how to attach them to an executable or shared library. Has anyone here ever done anything like this please? It seems to me there is real benefit in doing it. So, much as I detest Windows, this seems to be one area in which Windows is slightly ahead.
>
> --
> Regards,
>
> Andrew Marlow
> http://www.andrewpetermarlow.co.uk

Why not do a detached signature using e.g. gpg -sb --output file.sig file? Then, someone can run gpg --verify file.sig file to ensure that the signature is valid.

HTH,
Chiraag

--
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his