Using gpg to add digital signature to a linux executable
gnupg at eckner.net
Wed Oct 27 06:20:11 CEST 2021
On Tue, 26 Oct 2021, Robert J. Hansen via Gnupg-users wrote:
>> all is well and good. At least, on Windows. But what about linux?
> As a general rule, Windows signs executables more than it signs packages;
> Linux signs packages more than it signs executables. The best practice seems
> to be to use GnuPG to attach a digital signature to an RPM or DEB (or Snap or
> Flatpak or what-have-you), rather than to sign the executables directly.
>> doing it. So, much as I detest Windows, this seems to be one area in which
>> Windows is slightly ahead.
> "Ahead" might be putting it a little strongly. The two operating systems are
> different and have different approaches to supply chain security. :)
The possibility of signing individual executables and libraries sounds very
interesting to me as a (more or less pure) Linux user: if I want to make
sure the files are in order, currently I need to find the package that
contained the file, check its signature and compare it with the filesystem
state. However, if there was (also) a signature on the file, I could more
easily check single files, and I could even easily identify files which
were not installed by the package manager.
tl;dr: If you have some results regarding signing binaries in-situ, share
them with the public!
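The in-situ signature the poster is asking about, as an added example that is not part of the thread or of GnuPG's own documentation: a detached, ASCII-armored GnuPG signature is written next to a single executable, verified against the file's current contents, and then shown to fail after the file is modified. The script assumes GnuPG 2.1 or later on PATH; the signing key, the keyring (an ephemeral GNUPGHOME) and the "binary" (a two-line shell script standing in for an ELF file) are all constructed in a temporary directory, so the user's real ~/.gnupg is never touched.

```shell
#!/bin/sh
# Added example (not from the gnupg-users thread): sign one Linux
# executable in place with a detached GnuPG signature, verify it, then
# show that verification fails once the file changes.
# Assumes GnuPG 2.1+ on PATH. Key, keyring and sample binary are all
# constructed below in a throw-away directory.
set -u

# Build an ephemeral keyring holding one Ed25519 signing key under a
# constructed identity, plus a tiny stand-in for the binary to sign.
# Sets the global $work (demo directory) and exports GNUPGHOME.
make_demo_env() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupghome"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' ed25519 sign never \
        2>/dev/null
    # Constructed sample "executable"; any file works the same way.
    printf '#!/bin/sh\necho hello\n' > "$work/hello"
    chmod +x "$work/hello"
}

# Write an ASCII-armored detached signature beside the file ($1.asc).
# The executable itself stays byte-for-byte unchanged, so it still runs.
sign_file() {
    gpg --batch --yes --quiet --armor --detach-sign --output "$1.asc" "$1"
}

# Exit 0 only if $1.asc is a good signature over the current contents of
# $1 made by a key present in the keyring; any other outcome is non-zero.
verify_file() {
    gpg --batch --quiet --verify "$1.asc" "$1" >/dev/null 2>&1
}

# Round trip: sign, verify, tamper, verify again. Prints "ok" when the
# untouched file verifies and the tampered file is rejected.
demo() {
    make_demo_env
    bin="$work/hello"
    sign_file "$bin"
    verify_file "$bin" || { echo "fail: good file rejected"; return 1; }
    printf 'x' >> "$bin"          # one appended byte is enough to break it
    if verify_file "$bin"; then
        echo "fail: tampered file accepted"; return 1
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo ok
}

demo
```

Two caveats a practitioner would add. First, this only helps on a manual audit: nothing in the kernel or dynamic loader consults the `.asc` at exec time, so it is a detection aid, not an enforcement mechanism. Second, `gpg --verify` only reports "Good signature" for keys in the verifying keyring, so the value of the check rests entirely on that keyring containing just the keys you actually trust; an attacker who can replace the binary can also drop a fresh signature from their own key beside it. For comparison, the package-based check the poster describes is `rpm -qf /path/to/file` followed by `rpm -V package` on RPM systems, or `dpkg -S /path/to/file` followed by `dpkg --verify package` on Debian-derived ones.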