Mailing List Archive

Using gpg to add digital signature to a linux executable
Hello everyone,

For some time now where I work there has been a rule saying "thou shalt add
a digital signature to every executable and shared library when shipping
software designed to run on Windows". This is quite doable and all is well
and good. At least, on Windows. But what about linux? The only thing I've
seen for linux is to create separate digital signatures using tools like
gpg (GNU Privacy Guard). I can find no mention of how to attach them to an
executable or shared library. Has anyone here ever done anything like this
please? It seems to me there is real benefit in doing it. So, much as I
detest Windows, this seems to be one area in which Windows is slightly
ahead.

--
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
Re: Using gpg to add digital signature to a linux executable
On 12021/07/18 04:64.54, Andrew Marlow via Gnupg-users <gnupg-users@gnupg.org> wrote:
> Hello everyone,
>
> For some time now where I work there has been a rule saying "thou shalt add a
> digital signature to every executable and shared library when shipping software
> designed to run on Windows". This is quite doable and all is well and good. At
> least, on Windows. But what about linux? The only thing I've seen for linux is
> to create separate digital signatures using tools like gpg (GNU Privacy Guard).
> I can find no mention of how to attach them to an executable or shared library.
> Has anyone here ever done anything like this please? It seems to me there is
> real benefit in doing it. So, much as I detest Windows, this seems to be one
> area in which Windows is slightly ahead.
>
> --
> Regards,
>
> Andrew Marlow
> http://www.andrewpetermarlow.co.uk

Why not do a detached signature using e.g. gpg -sb --output file.sig file? Then, someone can run gpg --verify file.sig file to ensure that the signature is valid.

HTH,

Chiraag
--
Pronouns: he/him/his
Re: Using gpg to add digital signature to a linux executable
On Tue, 26 Oct 2021 16:08:56 +0100
Andrew Marlow via Gnupg-users <gnupg-users@gnupg.org> wrote:

> For some time now where I work there has been a rule saying "thou shalt add
> a digital signature to every executable and shared library when shipping
> software designed to run on Windows". This is quite doable and all is well
> and good. At least, on Windows. But what about linux? The only thing I've
> seen for linux is to create separate digital signatures using tools like
> gpg (GNU Privacy Guard). I can find no mention of how to attach them to an
> executable or shared library.

I think your first challenge is that I'm not sure ELF has any mechanism
for digital signatures. *BUT*, that doesn't stop one from adding a
section in the ELF binary that embeds a digital signature.

The trick is knowing what parts of the ELF binary need digital
signature protection. I would suggest at a minimum the .text and .data
sections. .text contains the machine code and .data contains the
statically-allocated variables and read-only data.

You could conceptually extract these as raw binary images, concatenate
them with some sort of describing header (derived from the ELF header)
that indicates where they are loaded and whatever metadata you think is
appropriate, then digitally sign *that* blob, generating a new
OpenPGP-format binary blob.

https://stackoverflow.com/questions/1088128/adding-section-to-elf-file
might provide some inspiration too.

To verify, you'd simply use `objcopy` to extract the bits, re-assemble
the signed parts then verify the signature.
--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
...it's backed up on a tape somewhere.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
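Stuart's scheme above (extract the covered sections, prepend a describing header derived from the ELF headers, sign that blob, store the signature in its own section) as an added Python example that is not from the thread or from GnuPG. It builds the canonical blob that would be handed to `gpg -sb` and shows two properties a verifier relies on: a later-embedded signature section does not disturb the blob, while a patched `.text` does. The minimal ELF builder, the section contents and the `.sig` section name are constructed test input; real binaries would be read from disk, and signing and verification of the resulting blob are still done with `gpg -sb` / `gpg --verify`.

```python
import struct

# Little-endian ELF64 file header and section header layouts.
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")
SHDR = struct.Struct("<IIQQQQIIQQ")
SIGNED_SECTIONS = (".text", ".data")  # the parts the signature is meant to cover

def make_sample_elf(sections):
    """Constructed test input: minimal ELF64 with the given [(name, vaddr, content)]
    sections plus the null section and .shstrtab. Not a runnable program."""
    names = [n for n, _, _ in sections] + [".shstrtab"]
    shstrtab = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    body, shdrs, off = b"", [SHDR.pack(*([0] * 10))], EHDR.size
    for name, vaddr, content in sections + [(".shstrtab", 0, shstrtab)]:
        sh_name = shstrtab.index(b"\0" + name.encode() + b"\0") + 1
        shdrs.append(SHDR.pack(sh_name, 1, 0, vaddr, off, len(content), 0, 0, 1, 0))
        body, off = body + content, off + len(content)
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + bytes(9), 2, 62, 1, 0, 0, off, 0,
                     EHDR.size, 0, 0, SHDR.size, len(shdrs), len(shdrs) - 1)
    return ehdr + body + b"".join(shdrs)

def elf_sections(elf):
    """Map section name -> (vaddr, raw file bytes) using the section header table."""
    hdr = EHDR.unpack_from(elf)
    if hdr[0][:4] != b"\x7fELF" or hdr[0][4] != 2:
        raise ValueError("not a 64-bit ELF file")
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    raw = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    strtab = elf[raw[shstrndx][4]:raw[shstrndx][4] + raw[shstrndx][5]]
    return {strtab[n:strtab.index(b"\0", n)].decode(): (a, elf[o:o + s])
            for n, _, _, a, o, s, *_ in raw}

def blob_to_sign(elf, names=SIGNED_SECTIONS):
    """Describing header (name, load address, size) followed by the raw bytes of the
    covered sections in a fixed order, so signer and verifier rebuild the same blob;
    this is what goes to gpg -sb. Sections outside `names` cannot influence it."""
    secs = elf_sections(elf)          # KeyError below: a covered section is absent
    header = b"".join(b"%s %016x %08x\n" % (n.encode(), secs[n][0], len(secs[n][1]))
                      for n in names)
    return header + b"".join(secs[n][1] for n in names)

if __name__ == "__main__":
    text, data = b"\x48\x31\xc0\xc3", b"hello\0"              # constructed contents
    clean = make_sample_elf([(".text", 0x401000, text), (".data", 0x402000, data)])
    # Embedding the signature as its own section must leave the signed blob intact.
    signed = make_sample_elf([(".text", 0x401000, text), (".data", 0x402000, data),
                              (".sig", 0, b"<detached OpenPGP signature bytes>")])
    patched = make_sample_elf([(".text", 0x401000, b"\x90" + text[1:]), (".data", 0x402000, data)])
    print(blob_to_sign(clean) == blob_to_sign(signed), blob_to_sign(clean) == blob_to_sign(patched))
```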
Re: Using gpg to add digital signature to a linux executable
> all is well and good. At least, on Windows. But what about linux?

As a general rule, Windows signs executables more than it signs
packages; Linux signs packages more than it signs executables. The best
practice seems to be to use GnuPG to attach a digital signature to an
RPM or DEB (or Snap or Flatpak or what-have-you), rather than to sign
the executables directly.

> doing it. So, much as I detest Windows, this seems to be one area in
> which Windows is slightly ahead.

"Ahead" might be putting it a little strongly. The two operating
systems are different and have different approaches to supply chain
security. :)
Re: Using gpg to add digital signature to a linux executable
> Why not do a detached signature using e.g. gpg -sb --output file.sig
> file? Then, someone can run gpg --verify file.sig file to ensure that
> the signature is valid.

(a) because the OP specifically said he was looking for integrated
signatures, and

(b) detached signatures have a way of getting lost, not distributed with
the executables, and so on.
Re: Using gpg to add digital signature to a linux executable
On Tue, 26 Oct 2021, Robert J. Hansen via Gnupg-users wrote:

>> all is well and good. At least, on Windows. But what about linux?
>
> As a general rule, Windows signs executables more than it signs packages;
> Linux signs packages more than it signs executables. The best practice seems
> to be to use GnuPG to attach a digital signature to an RPM or DEB (or Snap or
> Flatpak or what-have-you), rather than to sign the executables directly.
>
>> doing it. So, much as I detest Windows, this seems to be one area in which
>> Windows is slightly ahead.
>
> "Ahead" might be putting it a little strongly. The two operating systems are
> different and have different approaches to supply chain security. :)
>

The possibility to sign individual executables and libraries sounds very
interesting to me as a (more or less pure) linux user: if I want to make
sure the files are in order, currently I need to find the package that
contained the file, check its signature and compare it with the filesystem
state. However, if there was (also) a signature on the file, I could more
easily check single files, and I could even easily identify files which
were not installed by the package manager.

tl;dr: If you have some results regarding signing binaries in-situ, share
them with the public!

regards,
Erich
