want to sign/verify a binary using elfsign, please let me know the procedure



Hello,
I am using Ubuntu 10.04 LTS - Lucid Lynx.

I have generated a binary using gcc filename.c -o TEST

I wanted to sign this binary (TEST) using elfsign - 0.2.2

I have built this package using elfsign-0.2.2 source package.

My workaround:

:~/Documents/elfsign-0.2.2/tools$ md5sum TEST
b001f847f6320c0b5145728147517e11 TEST
:~/Documents/elfsign-0.2.2/tools$ ./elfsign -f TEST -c cacert.pem -p cakey.pem
Key Password:
:~/Documents/elfsign-0.2.2/tools$ md5sum TEST
c41803b138a56c3f69cd9d09ea2f19aa TEST

I have successfully signed a binary using the above command and checked the
md5sum before and after signing, and I confirmed the signing using the method
below:

:~/Documents/elfsign-0.2.2/tools$ readelf -S ./TEST | grep sig
[30] .sig PROGBITS 00000000 000cff 00081e 00 0 0 0
:~/Documents/elfsign-0.2.2/tools$ readelf -x 27 ./TEST

Hex dump of section '.shstrtab':
0x00000000 002e7379 6d746162 002e7374 72746162 ..symtab..strtab
0x00000010 002e7368 73747274 6162002e 696e7465 ..shstrtab..inte
0x00000020 7270002e 6e6f7465 2e414249 2d746167 rp..note.ABI-tag
0x00000030 002e6e6f 74652e67 6e752e62 75696c64 ..note.gnu.build
0x00000040 2d696400 2e676e75 2e686173 68002e64 -id..gnu.hash..d
0x00000050 796e7379 6d002e64 796e7374 72002e67 ynsym..dynstr..g
0x00000060 6e752e76 65727369 6f6e002e 676e752e nu.version..gnu.
0x00000070 76657273 696f6e5f 72002e72 656c2e64 version_r..rel.d
0x00000080 796e002e 72656c2e 706c7400 2e696e69 yn..rel.plt..ini
0x00000090 74002e74 65787400 2e66696e 69002e72 t..text..fini..r
0x000000a0 6f646174 61002e65 685f6672 616d6500 odata..eh_frame.
0x000000b0 2e63746f 7273002e 64746f72 73002e6a .ctors..dtors..j
0x000000c0 6372002e 64796e61 6d696300 2e676f74 cr..dynamic..got
0x000000d0 002e676f 742e706c 74002e64 61746100 ..got.plt..data.
0x000000e0 2e627373 002e636f 6d6d656e 74002e73 .bss..comment..s
0x000000f0 696700 ig.

After this I wanted to verify this signed binary and used the command below:

:~/Documents/elfsign-0.2.2/tools$ ./elfverify -f TEST -c cacert.crt -p /home/Documents/elfsign-0.2.2/tools
FAIL (The binary digest did not match the signed digest.)
:~/Documents/elfsign-0.2.2/tools$ ./elfverify -f TEST -c cacert.crt
FAIL (The binary digest did not match the signed digest.)
:~/Documents/elfsign-0.2.2/tools$ ./elfverify -f TEST
Issuer: O=My <email address hidden>, L=bengaluru, ST=karnataka, C=IN, CN=girishlc
Signer: O=My <email address hidden>, L=bengaluru, ST=karnataka, C=IN, CN=girishlc
Issuer is not trusted, would you like to trust them? [y/N] y
OK

I am unable to verify the signature using the certificate and private key path,
but if I run it without the root CA then I am asked to choose whether to trust
the certificate, since it was not trusted by default; if I say 'Y' or 'y' then
it accepts and prints OK.

My Questions:
1. How many certificates do we need?
2. What is a root certificate?
3. After signing the binary I am unable to execute it as before, i.e. the
binary is getting modified, and if I try to execute it I get an error saying
"Killed".
4. Is what I have done so far for signing and verifying the binary the correct
way? Am I going in the right direction?
5. Can anybody please give me some solution? Or, if anybody gives me a
step-by-step method to sign the binary with an example, I would be very
thankful to them.

PS: I NEED TO SIGN ONLY THE EXECUTABLE, NOT OBJECTS/LIBRARIES.


Thanks,
Girish.L.C
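The two checks in the post (the whole-file md5sum changing after signing, and locating the appended .sig section with readelf -S) as an added Python example; this is not code from elfsign or from the original post. It parses the ELF section headers itself, the build_elf32 helper constructs a throwaway test image, and content_digest, which skips the signature section, illustrates the general principle that the signed digest must not cover the signature itself; it is an assumption for illustration, not elfsign's actual digest rules, which the post does not document.

```python
import hashlib
import struct

def build_elf32(sections):
    """Construct a throwaway little-endian ELF32 image from {name: payload}; constructed test input, not a real binary."""
    sections = {**sections, ".shstrtab": b""}
    sections[".shstrtab"] = b"\0" + b"".join(n.encode() + b"\0" for n in sections)
    data, shdrs, name_idx = bytearray(52), [bytes(40)], 1   # header placeholder, null section header
    for name, body in sections.items():
        shdrs.append(struct.pack("<IIIIIIIIII", name_idx, 3 if name == ".shstrtab" else 1,
                                 0, 0, len(data), len(body), 0, 0, 1, 0))
        data += body
        name_idx += len(name) + 1
    shoff = len(data)
    data += b"".join(shdrs)
    struct.pack_into("<16sHHIIIIIHHHHHH", data, 0, b"\x7fELF\x01\x01\x01" + bytes(9),
                     2, 3, 1, 0, 0, shoff, 0, 52, 0, 0, 40, len(shdrs), len(shdrs) - 1)
    return bytes(data)

def elf_sections(data):
    """Parse the section header table of an ELF32/ELF64 image into (name, offset, size), the view readelf -S prints."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little endian
    if data[4] == 2:                                # EI_CLASS: 2 = ELF64
        (shoff,) = struct.unpack_from(end + "Q", data, 40)
        shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", data, 58)
        fmt = end + "IIQQQQ"                        # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
    else:                                           # ELF32
        (shoff,) = struct.unpack_from(end + "I", data, 32)
        shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", data, 46)
        fmt = end + "IIIIII"
    raw = [struct.unpack_from(fmt, data, shoff + i * shentsize) for i in range(shnum)]
    strtab = data[raw[shstrndx][4]:raw[shstrndx][4] + raw[shstrndx][5]]
    name = lambda idx: strtab[idx:].split(b"\0", 1)[0].decode()
    return [(name(s[0]), s[4], s[5]) for s in raw]

def signature_section(data, sec_name=".sig"):
    """Locate the appended signature section, as `readelf -S ./TEST | grep sig` did in the post."""
    return next(((off, size) for name, off, size in elf_sections(data) if name == sec_name), None)

def content_digest(data, skip=(".sig", ".shstrtab")):
    """SHA-256 over every section payload except the signature and the name table (assumed scheme,
    for illustration only: the digest that gets signed must not include the signature itself)."""
    h = hashlib.sha256()
    for name, off, size in elf_sections(data):
        if name not in skip:
            h.update(data[off:off + size])
    return h.hexdigest()
```

Run content_digest with skip=() to see the whole-file behaviour the post observed with md5sum: adding .sig changes it, while the digest that excludes the signature section is identical before and after signing.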