elfsign

Trying to sign elf files.

Motivation

You download a binary from the internet, but what is in there? cargo auditable can put a dependency list into the final binary. But anyone could modify this.

Unless, you would sign the binary.

The idea of this PoC is to sign ELF binaries, ensuring that the information inside it was indeed created by the person who created the binary.

There is a bit of documentation in the docs/ folder.

State

This is a PoC. It most likely is full of bugs and far from finished.

Usage (the idea)

Sign with Sigstore:

elfsign sign my-bin my-bin-signed

Validate with:

elfsign verify my-bin-signed

ToDo

• Find a way to add a signature record to the file
• Capture all content subject to signing
  • Check it is really everything
  • Re-iterate over digesting the "program sections" (aka "memory segments")
  • Add more fields from the header
• Implement sign & store
• Improve storing stuff, this is a mess right now
• Implement verify
  • verify the signature
  • add the certificate, and allow enforcing policies
• check using "digest" vs "digested signer"