PREVIEW: bsign embeds hash and/or digital signature in ELF files

Oscar Levi elf at buici.com
Sun Dec 13 20:31:23 CET 1998


On Sun, Dec 13, 1998 at 03:51:59PM -0500, Stainless Steel Rat wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> "OL" == Oscar Levi <elf at buici.com> writes:
> 
> OL> It embeds a hash and optional GPG signature in ELF format files that
> OL> can be used to do two things.
> 
> This obviously will not work on a.out binaries

Not my concern.  I believe we can embed in a.out files, too, but none
of the systems I use are a.out. 

>, nor will it work on
> binaries compressed with gzexe.

Perhaps.  That depends on how gzexe works.  Either I decompress,
sign, and recompress or I sign the compressed gzexe program.  Like
a.out, this is not a big concern since disk space is cheap and few
people really *need* to use gzexe.

>  It also does nothing for the numerous flat
> text files and scripts required for the proper and secure functioning of a
> Unix or Unixalike system.

These are next.  Fortunately, these are easier than ELF.  Also,
corruption in script files is MUCH more obvious than corruption in
binaries.  I've seen it.  Also, scripts can be stored in source
control and backed up.  Binaries don't really work that way.

> The idea is good, but I think you might be making the system needlessly
> complex.  

Where is the complexity?  How much simpler can it get than embedding
signatures in the files themselves?  The complexity I've seen in other
systems usually stems from auxiliary databases.

> Take a look at what Tripwire does.

Where can I find that?

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v0.4.5 (GNU/Linux)
> Comment: For info finger gcrypt at ftp.guug.de
> 
> iD8DBQE2dCjugl+vIlSVSNkRArvsAJ9wdnvNO6gvOeJLjGLokfm+6r74BgCfQORK
> oZAVbgXqO1MiBrPetjLbWfE=
> =J0U1
> -----END PGP SIGNATURE-----
> 
> -- 
> Rat <ratinox at peorth.gweep.net>    \ Do not use Happy Fun Ball on concrete.
> PGP Key: at a key server near you! \ 
> GPG Key: same as my PGP 5 (DH) key  \ 
> 
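The design argued over in this thread, a hash plus an optional signature carried inside the file rather than in an auxiliary database, as an added illustration. This is not bsign's code and does not follow bsign's on-disk layout: the trailer marker, the layout, and the key are constructed for the example, and an HMAC stands in for the GPG signature the thread mentions. The point it shows is the difference between the two embedded items: the digest alone detects corruption, while only the keyed part detects a deliberate rewrite in which the digest was recomputed to match.

```python
"""
Added example (not bsign's code or format): embed integrity data in the
file itself.  A trailer of MAGIC + SHA-256 digest + HMAC is appended to an
ELF image; verification splits the trailer off, checks the HMAC over the
digest, then recomputes the digest over the original bytes.
"""
import hashlib
import hmac

MAGIC = b"EXAMPLESIG"                 # hypothetical trailer marker, not bsign's
DIGEST_LEN = 32                        # SHA-256 output length
TRAILER_LEN = len(MAGIC) + 2 * DIGEST_LEN   # marker + digest + mac


def is_elf(data: bytes) -> bool:
    """Only the ELF magic is checked; this is enough for the demo."""
    return data[:4] == b"\x7fELF"


def split_trailer(data: bytes):
    """Return (body, digest, mac) if data ends in our trailer, else None."""
    if len(data) < TRAILER_LEN:
        return None
    trailer = data[-TRAILER_LEN:]
    if trailer[: len(MAGIC)] != MAGIC:
        return None
    digest = trailer[len(MAGIC): len(MAGIC) + DIGEST_LEN]
    mac = trailer[len(MAGIC) + DIGEST_LEN:]
    return data[:-TRAILER_LEN], digest, mac


def _mac(key: bytes, digest: bytes) -> bytes:
    # HMAC over the digest stands in for the detached GPG signature.
    return hmac.new(key, MAGIC + digest, hashlib.sha256).digest()


def embed(data: bytes, key: bytes) -> bytes:
    """Append digest and keyed tag to an ELF image (refuses non-ELF or double signing)."""
    if not is_elf(data):
        raise ValueError("not an ELF image")
    if split_trailer(data) is not None:
        raise ValueError("file already carries a trailer")
    digest = hashlib.sha256(data).digest()
    return data + MAGIC + digest + _mac(key, digest)


def verify(data: bytes, key: bytes) -> str:
    """Return "ok", "unsigned", "bad-mac" (forged/unknown key) or "modified"."""
    parts = split_trailer(data)
    if parts is None:
        return "unsigned"
    body, digest, mac = parts
    if not hmac.compare_digest(mac, _mac(key, digest)):
        return "bad-mac"          # digest was replaced without the key
    if not hmac.compare_digest(hashlib.sha256(body).digest(), digest):
        return "modified"         # body changed but trailer left alone (corruption)
    return "ok"


def fake_elf(payload: bytes) -> bytes:
    """Constructed stand-in for a binary: 16-byte ELF64 LE e_ident plus payload."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    return ident + payload


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed; a real tool would use a GPG key
    signed = embed(fake_elf(b"payload"), key)
    print("signed:", verify(signed, key))                       # ok
    corrupted = signed[:20] + b"X" + signed[21:]                # flip one body byte
    print("corrupted:", verify(corrupted, key))                 # modified
    reforged = embed(fake_elf(b"payloaX"), b"attacker-key")     # digest recomputed, wrong key
    print("reforged:", verify(reforged, key))                   # bad-mac
```

Because the digest is computed over the whole original image, the trailer has to be stripped before hashing, which is exactly the step an auxiliary database avoids; in exchange, the integrity data travels with the file through copies and backups.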

More information about the Gnupg-devel mailing list