    From girishlc@110:300/1.1 to All on Thu Jan 5 19:18:58 2012
    Subject: want to sign/verify a binary using elfsign, pls let me know the procedure

    Hello,
    I am using Ubuntu 10.04 LTS - Lucid Lynx.

    I have generated a binary using gcc filename.c -o TEST

    I wanted to sign this binary (TEST) using elfsign - 0.2.2

    I have built this package using the elfsign-0.2.2 source package.

    My work around:

    :~/Documents/elfsign-0.2.2/tools$ md5sum TEST
    b001f847f6320c0b5145728147517e11 TEST
    :~/Documents/elfsign-0.2.2/tools$ ./elfsign -f TEST -c cacert.pem -p cakey.pem
    Key Password:
    :~/Documents/elfsign-0.2.2/tools$ md5sum TEST
    c41803b138a56c3f69cd9d09ea2f19aa TEST

    I have successfully signed a binary using the above command and checked the
    md5sum before and after signing.
    I confirmed the signing using the method below:

    :~/Documents/elfsign-0.2.2/tools$ readelf -S ./TEST | grep sig
    [30] .sig PROGBITS 00000000 000cff 00081e 00 0 0 0
    :~/Documents/elfsign-0.2.2/tools$ readelf -x 27 ./TEST

    Hex dump of section '.shstrtab':
    0x00000000 002e7379 6d746162 002e7374 72746162 ..symtab..strtab
    0x00000010 002e7368 73747274 6162002e 696e7465 ..shstrtab..inte
    0x00000020 7270002e 6e6f7465 2e414249 2d746167 rp..note.ABI-tag
    0x00000030 002e6e6f 74652e67 6e752e62 75696c64 ..note.gnu.build
    0x00000040 2d696400 2e676e75 2e686173 68002e64 -id..gnu.hash..d
    0x00000050 796e7379 6d002e64 796e7374 72002e67 ynsym..dynstr..g
    0x00000060 6e752e76 65727369 6f6e002e 676e752e nu.version..gnu.
    0x00000070 76657273 696f6e5f 72002e72 656c2e64 version_r..rel.d
    0x00000080 796e002e 72656c2e 706c7400 2e696e69 yn..rel.plt..ini
    0x00000090 74002e74 65787400 2e66696e 69002e72 t..text..fini..r
    0x000000a0 6f646174 61002e65 685f6672 616d6500 odata..eh_frame.
    0x000000b0 2e63746f 7273002e 64746f72 73002e6a .ctors..dtors..j
    0x000000c0 6372002e 64796e61 6d696300 2e676f74 cr..dynamic..got
    0x000000d0 002e676f 742e706c 74002e64 61746100 ..got.plt..data.
    0x000000e0 2e627373 002e636f 6d6d656e 74002e73 .bss..comment..s
    0x000000f0 696700 ig.

    After this I wanted to verify this signed binary and used the below command

    :~/Documents/elfsign-0.2.2/tools$ ./elfverify -f TEST -c cacert.crt -p /home/Documents/elfsign-0.2.2/tools
    FAIL (The binary digest did not match the signed digest.)
    :~/Documents/elfsign-0.2.2/tools$ ./elfverify -f TEST -c cacert.crt
    FAIL (The binary digest did not match the signed digest.)
    :~/Documents/elfsign-0.2.2/tools$ ./elfverify -f TEST
    Issuer: O=My <email address hidden>, L=bengaluru, ST=karnataka, C=IN, CN=girishlc
    Signer: O=My <email address hidden>, L=bengaluru, ST=karnataka, C=IN, CN=girishlc
    Issuer is not trusted, would you like to trust them? [y/N] y
    OK

    I am unable to verify the signature using the certificate and private key
    path, but if I run it without the root CA then I am asked to choose whether
    to certify, since the certificate was not trusted by default; if I say 'Y'
    or 'y' then it accepts and prints OK.

    My questions:
    1. How many certificates do we need?
    2. What is a root certificate?
    3. After signing the binary I am unable to execute it as before, i.e. the
    binary is getting modified, and if I try to execute the binary I get an
    error saying "Killed".
    4. Is what I have done so far for signing and verifying the binary the
    correct way? Am I going the right way?
    5. Can anybody please give me a solution? If anybody gives me a step-by-step
    method to sign the binary, with an example, I would be very thankful to
    them.

    PS: I NEED TO SIGN ONLY EXECUTABLES, NOT OBJECTS/LIBRARIES.


    Thanks,
    Girish.L.C

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: !No_Organization! (110:300/1.1@linuxnet)