Using gpg to add digital signature to a linux executable

Stuart Longland stuartl at longlandclan.id.au
Tue Oct 26 23:46:42 CEST 2021


On Tue, 26 Oct 2021 16:08:56 +0100
Andrew Marlow via Gnupg-users <gnupg-users at gnupg.org> wrote:

> For some time now where I work there has been a rule saying "thou shalt add
> a digital signature to every executable and shared library when shipping
> software designed to run on Windows". This is quite doable and all is well
> and good. At least, on Windows. But what about linux? The only thing I've
> seen for linux is to create separate digital signatures using tools like
> gpg (GNU Privacy Guard). I can find no mention of how to attach them to an
> executable or shared library.

I think your first challenge is that I'm not sure ELF has any mechanism
for digital signatures.  *BUT*, that doesn't stop one from adding a
section in the ELF binary that embeds a digital signature.

The trick is knowing what parts of the ELF binary need digital
signature protection.  I would suggest at a minimum the .text and .data
sections.  .text contains the machine code and .data contains the
statically-allocated variables and read-only data.

You could conceptually extract these as raw binary images, concatenate
them with some sort of describing header (derived from the ELF header)
that indicates where they are loaded and whatever metadata you think is
appropriate, then digitally sign *that* blob, generating a new
OpenPGP-format binary blob.

https://stackoverflow.com/questions/1088128/adding-section-to-elf-file
might provide some inspiration too.

To verify, you'd simply use `objcopy` to extract the bits, re-assemble
the signed parts then verify the signature.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
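As an added illustration of the scheme sketched in this reply (example code, not from the thread or from GnuPG): a Python sketch that pulls .text and .data out of an ELF64 file, prefixes them with a small describing header of our own design (section name, load address, size), and hands the blob to gpg for a detached signature, later rebuilding the same blob from the shipped binary to verify it. The `ELFSIG1` magic, the header layout, the section parser and the constructed sample ELF (not loadable, it has no program headers) are all assumptions of this example, not anything the ELF or OpenPGP formats define; the gpg helpers assume a gpg binary with a default secret key.

```python
import struct, subprocess, tempfile

SECTIONS = (b".text", b".data")  # the minimum the reply says must be covered

def elf_sections(elf: bytes):
    """Yield (name, sh_addr, raw bytes) for each section of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, addralign, entsize
    shdr = lambda i: struct.unpack_from("<IIQQQQIIQQ", elf, e_shoff + i * e_shentsize)
    str_off = shdr(e_shstrndx)[4]  # file offset of the section-name string table
    for i in range(e_shnum):
        name_idx, _, _, addr, off, size, *_ = shdr(i)
        yield elf[str_off + name_idx:elf.index(b"\0", str_off + name_idx)], addr, elf[off:off + size]

def build_signable_blob(elf: bytes) -> bytes:
    """Our own describing header (magic, count, per-section name[8]/addr/size) + raw images."""
    found = {n: (a, d) for n, a, d in elf_sections(elf) if n in SECTIONS}
    header, body = b"ELFSIG1\0" + struct.pack("<I", len(SECTIONS)), b""
    for name in SECTIONS:  # fixed order, so signer and verifier build identical blobs
        addr, data = found[name]  # KeyError here means the binary lacks a required section
        header += name.ljust(8, b"\0") + struct.pack("<QQ", addr, len(data))
        body += data
    return header + body

def gpg_sign(elf: bytes) -> bytes:
    """Detached OpenPGP signature over the blob (needs gpg and a default secret key)."""
    return subprocess.run(["gpg", "--batch", "--detach-sign", "--output", "-", "-"],
                          input=build_signable_blob(elf), check=True, capture_output=True).stdout

def gpg_verify(elf: bytes, sig: bytes) -> bool:
    """Rebuild the blob from the shipped binary and check it against the detached signature."""
    with tempfile.NamedTemporaryFile(suffix=".sig") as f:
        f.write(sig); f.flush()
        r = subprocess.run(["gpg", "--batch", "--verify", f.name, "-"],
                           input=build_signable_blob(elf), capture_output=True)
    return r.returncode == 0

def make_sample_elf(text: bytes, data: bytes) -> bytes:
    """Constructed minimal LE ELF64 image (no program headers) carrying .text and .data."""
    shstrtab = b"\0.text\0.data\0.shstrtab\0"
    text_off, data_off, str_off = 64, 64 + len(text), 64 + len(text) + len(data)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack("<HHIQQQIHHHHHH",
        2, 62, 1, 0x401000, 0, str_off + len(shstrtab), 0, 64, 0, 0, 64, 4, 3)
    sh = lambda nm, typ, addr, off, size: struct.pack("<IIQQQQIIQQ", nm, typ, 0, addr, off, size, 0, 0, 1, 0)
    shdrs = (sh(0, 0, 0, 0, 0) + sh(1, 1, 0x401000, text_off, len(text))
             + sh(7, 1, 0x402000, data_off, len(data)) + sh(13, 3, 0, str_off, len(shstrtab)))
    return ehdr + text + data + shstrtab + shdrs
```

Because the signed blob is rebuilt from section contents rather than the whole file, adding a new section that carries the signature itself does not invalidate it, which is what makes embedding the result back into the ELF workable.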