Using gpg to add digital signature to a linux executable
Erich Eckner
gnupg at eckner.net
Wed Oct 27 06:20:11 CEST 2021
On Tue, 26 Oct 2021, Robert J. Hansen via Gnupg-users wrote:
>> all is well and good. At least, on Windows. But what about linux?
>
> As a general rule, Windows signs executables more than it signs packages;
> Linux signs packages more than it signs executables. The best practice seems
> to be to use GnuPG to attach a digital signature to an RPM or DEB (or Snap or
> Flatpak or what-have-you), rather than to sign the executables directly.
>
>> doing it. So, much as I detest Windows, this seems to be one area in which
>> Windows is slightly ahead.
>
> "Ahead" might be putting it a little strongly. The two operating systems are
> different and have different approaches to supply chain security. :)
>
The possibility to sign individual executables and libraries sounds very
interesting to me as a (more or less pure) Linux user: if I want to make
sure the files are in order, I currently need to find the package that
contained the file, check its signature and compare with the filesystem
state. However, if there were (also) a signature on the file, I could more
easily check single files, and I could even easily identify files which
were not installed by the package manager.
tl;dr: If you have some results regarding signing binaries in situ, share
them with the public!
regards,
Erich
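The "signature on the file" Erich asks for can be done today with a detached OpenPGP signature placed next to the executable. The script below is an added example for this thread, not code posted by any participant: it creates a throwaway keyring, signs a single binary into FILE.sig, and verifies it, so that a modified file fails verification. It assumes GnuPG 2.x is installed; the key's user ID (signer@example.invalid) and the sample executable are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): detached OpenPGP signature over a
# single Linux executable, and its verification.
# Assumes gpg (GnuPG 2.x). Everything lives in a throwaway GNUPGHOME so
# the real keyring is never touched.
set -eu

# make_test_keyring DIR: create an ephemeral, passphrase-less signing key
# in DIR and point GNUPGHOME at it for the functions below.
make_test_keyring() {
    export GNUPGHOME="$1"
    mkdir -p "$GNUPGHOME"
    chmod 700 "$GNUPGHOME"
    # User ID is made up for the example.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Binary Signer (example) <signer@example.invalid>' \
        default default never >/dev/null 2>&1
}

# sign_binary FILE: write a detached, ASCII-armoured signature to FILE.sig.
# The binary itself is left byte-for-byte unchanged, so its hash still
# matches whatever the package manager recorded for it.
sign_binary() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.sig" "$1"
}

# verify_binary FILE: return 0 only if FILE.sig is a good signature over the
# current contents of FILE by a key in the keyring; 2 if there is no
# signature file at all (an unsigned file, e.g. one not from a package).
verify_binary() {
    [ -f "$1.sig" ] || return 2
    gpg --batch --quiet --verify "$1.sig" "$1" >/dev/null 2>&1
}

# demo: sign a constructed executable, verify it, tamper with it, verify again.
demo() {
    tmp=$(mktemp -d)
    make_test_keyring "$tmp/gnupg"
    printf '#!/bin/sh\necho hello\n' > "$tmp/hello"
    chmod +x "$tmp/hello"
    sign_binary "$tmp/hello"
    verify_binary "$tmp/hello" && echo "ok: signature valid"
    printf 'echo tampered\n' >> "$tmp/hello"
    verify_binary "$tmp/hello" || echo "ok: modified file rejected"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh sign-binary.sh demo`. A detached signature is the natural fit here because it does not alter the ELF file: embedding a signature would change the file's checksum and break `rpm -V` / `dpkg --verify` style comparisons against the package database. Note what the check proves: only that a key in the verifier's keyring signed these exact bytes. Which key to trust for which path is a policy question the keyring and the package metadata still have to answer.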