Want to sign/verify a binary using elfsign, please let me know the procedure



Hello,
I am using Ubuntu 10.04 LTS - Lucid Lynx.

I have generated a binary using gcc filename.c -o TEST

I wanted to sign this binary (TEST) using elfsign - 0.2.2

I have built this package using the elfsign-0.2.2 source package.

My workaround:

:~/Documents/elfsign-0.2.2/tools$ md5sum TEST
b001f847f6320c0b5145728147517e11 TEST
:~/Documents/elfsign-0.2.2/tools$ ./elfsign -f TEST -c cacert.pem -p cakey.pem
Key Password:
:~/Documents/elfsign-0.2.2/tools$ md5sum TEST
c41803b138a56c3f69cd9d09ea2f19aa TEST

I have successfully signed a binary using the above command and checked the
md5sum before and after signing,
and I confirmed the signing using the method below:

:~/Documents/elfsign-0.2.2/tools$ readelf -S ./TEST | grep sig
[30] .sig PROGBITS 00000000 000cff 00081e 00 0 0 0
:~/Documents/elfsign-0.2.2/tools$ readelf -x 27 ./TEST

Hex dump of section '.shstrtab':
0x00000000 002e7379 6d746162 002e7374 72746162 ..symtab..strtab
0x00000010 002e7368 73747274 6162002e 696e7465 ..shstrtab..inte
0x00000020 7270002e 6e6f7465 2e414249 2d746167 rp..note.ABI-tag
0x00000030 002e6e6f 74652e67 6e752e62 75696c64 ..note.gnu.build
0x00000040 2d696400 2e676e75 2e686173 68002e64 -id..gnu.hash..d
0x00000050 796e7379 6d002e64 796e7374 72002e67 ynsym..dynstr..g
0x00000060 6e752e76 65727369 6f6e002e 676e752e nu.version..gnu.
0x00000070 76657273 696f6e5f 72002e72 656c2e64 version_r..rel.d
0x00000080 796e002e 72656c2e 706c7400 2e696e69 yn..rel.plt..ini
0x00000090 74002e74 65787400 2e66696e 69002e72 t..text..fini..r
0x000000a0 6f646174 61002e65 685f6672 616d6500 odata..eh_frame.
0x000000b0 2e63746f 7273002e 64746f72 73002e6a .ctors..dtors..j
0x000000c0 6372002e 64796e61 6d696300 2e676f74 cr..dynamic..got
0x000000d0 002e676f 742e706c 74002e64 61746100 ..got.plt..data.
0x000000e0 2e627373 002e636f 6d6d656e 74002e73 .bss..comment..s
0x000000f0 696700 ig.

After this I wanted to verify this signed binary and used the command below:

:~/Documents/elfsign-0.2.2/tools$ ./elfverify -f TEST -c cacert.crt -p /home/Documents/elfsign-0.2.2/tools
FAIL (The binary digest did not match the signed digest.)
:~/Documents/elfsign-0.2.2/tools$ ./elfverify -f TEST -c cacert.crt
FAIL (The binary digest did not match the signed digest.)
:~/Documents/elfsign-0.2.2/tools$ ./elfverify -f TEST
Issuer: O=My <email address hidden>, L=bengaluru, ST=karnataka, C=IN, CN=girishlc
Signer: O=My <email address hidden>, L=bengaluru, ST=karnataka, C=IN, CN=girishlc
Issuer is not trusted, would you like to trust them? [y/N] y
OK

I am unable to verify the signature using the certificate and private key path,
but if I run it without the root CA then I am asked to enter the option whether
to certify, since the certificate was not trusted by default; if I say 'Y' or
'y' then it accepts and prints OK.

My questions:
1. How many certificates do we need?
2. What is a root certificate?
3. After signing the binary I am unable to execute the binary as before, i.e.
the binary is getting modified, and if I try to execute the binary I get an
error saying "Killed".
4. Is what I have done so far for signing and verifying the binary the correct
way? Am I going the right way?
5. Can anybody please give me a solution? Or if anybody gives me a step-by-step
method to sign the binary, with an example, I would be very thankful to them.

PS: I NEED TO SIGN ONLY EXECUTABLES, NOT OBJECTS/LIBRARIES.


Thanks,
Girish.L.C