PREVIEW: bsign embeds hash and/or digital signature in ELF files
Brian Warner
warner at lothar.com
Mon Dec 14 11:43:38 CET 1998
ratinox at peorth.gweep.net (Stainless Steel Rat) writes:
> "OL" == Oscar Levi <elf at buici.com> writes:
>
> OL> It embeds a hash and optional GPG signature in ELF format files that
> OL> can be use to do two things.
...
>
> The idea is good, but I think you might be making the system needlessly
> complex. Take a look at what Tripwire does.
Hmm.. would there be any benefit (for a particularly paranoid system) to
putting the signature-verification code in the kernel? Then you could build a
system that would only be willing to execute trusted binaries, period. As you
said, it couldn't help for the various text files. But for shell/perl scripts,
if you were so inclined you could build a special version of perl etc that
would only execute signed scripts, and only sign that special version and not
the real (unrestricted) one.
Having a Tripwire database verified by the kernel before performing an exec()
would probably accomplish the same thing more easily.
-Brian
More information about the Gnupg-devel
mailing list