Signed executables under Linux
The DigSig kernel module implements verification of binaries signed by a tool called bsign. However, there hasn't been any work on it since version 2.6.21 of the Linux kernel.
Code signing for linux executable using install4j
There is no support for signing on Linux/Unix. Code signing in install4j is only supported for Windows and macOS.
Signing Windows application on Linux-based distros
It's actually quite straightforward to do using Mono's signtool; the tricky part (described in more detail in the linked Mozilla article) is copying the certificate in the correct format from Windows to Linux.
Converting the Windows PFX certificate file to PVK and SPC files only needs to be done once, when copying the certificate from Windows to Linux:
openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
openssl rsa -in key.pem -outform PVK -pvk-strong -out authenticode.pvk
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc
Actually signing the exe is straightforward:
signcode \
-spc authenticode.spc \
-v authenticode.pvk \
-a sha1 -$ commercial \
-n My\ Application \
-i http://www.example.com/ \
-t http://timestamp.digicert.com/scripts/timstamp.dll \
-tr 10 \
MyApp.exe
Obtain a certificate and sign an exe on Linux
Mono's signing tools allow you to sign an executable on a Linux box.
First convert your .pfx certificate to .pvk and .spc files:
openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
openssl rsa -in key.pem -outform PVK -pvk-strong -out authenticode.pvk
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc
And then sign it:
signcode \
-spc authenticode.spc \
-v authenticode.pvk \
-a sha1 -$ commercial \
-n My\ Application \
-i http://www.example.com/ \
-t http://timestamp.verisign.com/scripts/timstamp.dll \
-tr 10 \
application.exe
rpmbuild and signed executable files
If you disable -debuginfo package building I believe RPM will stop stripping binaries in packages.
You can do that by setting the %debug_package macro to %{nil}.
In an rpmmacros file ($HOME/.rpmmacros is searched by default I believe) the following line should do that.
%debug_package %{nil}
It might also be possible to do that on the command line with -D'debug_package %{nil}' but I haven't tested that.
Code Signing for Linux
In all reality and practicality, most people just use self-signed certs. RHEL customers trust entire repositories in addition to sums of individual packages. So yes, you could sign your executable, but beyond letting it trust itself it would do very little good on a stock RHEL system.
A list of trusted CAs can be found somewhere in /etc, I forget the exact location but it should be rather conspicuous.
How to add a digital signature to a macOS app bundle and a Linux executable
You can extract the private key from the .p12 (pfx) with this command:
openssl pkcs12 -in file.p12 -nocerts -out key.pem
Then you can sign your file:
openssl rsautl -sign -inkey key.pem -in yourfile -out sigfile
And verify with:
openssl pkeyutl -verify -pubin -inkey pubkey.pem -sigfile sigfile -in yourfile
But instead of using the actual file, you should sign / verify a checksum, so it's better to use:
sha512sum yourfile | openssl rsautl -sign -inkey yourkey -out sigfile
sha512sum yourfile | openssl pkeyutl -verify -pubin -inkey pubkey.pem -sigfile sigfile
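As an added example (not part of the answer above), the following POSIX shell script does the same sign-and-verify round trip with openssl dgst, which hashes the file bytes directly and applies the standard PKCS#1 signature encoding, so the verifier does not have to reproduce the exact sha512sum text (which also embeds the file name). It generates a throwaway key pair and a constructed sample file, then shows that a one-byte change makes verification fail; file names and the demo function are assumptions of this example.

```shell
#!/bin/sh
# Added example: detached SHA-512/RSA signature of a file with `openssl dgst`.
# Not code from the original answers; key, file names and sample data are constructed here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a throwaway 2048-bit RSA key pair and export its public half.
make_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null
    openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/pubkey.pem" 2>/dev/null
}

# sign_file FILE SIG: write a detached SHA-512/RSA signature of FILE to SIG.
sign_file() {
    openssl dgst -sha512 -sign "$WORK/key.pem" -out "$2" "$1"
}

# verify_file FILE SIG: return 0 if SIG is a valid signature of FILE, non-zero otherwise.
verify_file() {
    openssl dgst -sha512 -verify "$WORK/pubkey.pem" -signature "$2" "$1" >/dev/null 2>&1
}

# demo: sign a constructed file, verify it, then flip one byte (the tampering a
# signature is meant to catch) and confirm verification now fails. Prints "ok"
# only when both checks behave as expected.
demo() {
    make_keys
    printf 'ELF-like sample payload\n' > "$WORK/app.bin"
    sign_file "$WORK/app.bin" "$WORK/app.sig"
    verify_file "$WORK/app.bin" "$WORK/app.sig" || { echo "genuine file rejected"; return 1; }
    printf 'ELF-like sample payloaD\n' > "$WORK/app.bin"
    if verify_file "$WORK/app.bin" "$WORK/app.sig"; then
        echo "tampered file accepted"; return 1
    fi
    echo ok
}

demo
```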