Home - lumag/digsig2-tools GitHub Wiki
Digitally Signed ELF files
Motivation
To maintain system integrity it is useful to know that binaries come from a trusted source before attempting to execute them. This does not solve the problem of authenticating scripts, binaries with custom loaders or plain data files. However, having digitally signed ELF files would allow one to verify that all executed files really have come from the trusted source.
The DigSig project stopped being developed back in 2009. bsign supports only Elf32 binaries, and the digsig module will not compile for contemporary kernels.
IMA appraisal implements the ability to sign executables; however, it is part of a separate large project, which complicates system setup quite a lot.
Further ideas
A list of further ideas without any specific target or implementation plan/deadline:
- Support containers with unsigned binaries.
- Support trusted/untrusted filesystems. Each file on a trusted filesystem should be signed (in a detached sig or xattr). Opening a file on a trusted FS requires a valid signature.
- Integration with distributions.
- More certificate attribute processing (like basicConstraints).