Signed Executables Under Linux

Signed executables under Linux

The DigSig kernel module implements verification of binaries signed by a tool called bsign. However, there hasn't been any work on it since version 2.6.21 of the Linux kernel.

Code signing for linux executable using install4j

There is no support for signing on Linux/Unix. Code signing in install4j is only supported for Windows and macOS.

Signing Windows application on Linux-based distros

It's actually quite straightforward to do using Mono's signtool; the tricky part (described in more detail in the linked Mozilla article) is copying the certificate in the correct format from Windows to Linux.

Converting the Windows PFX certificate file to PVK and SPC files only needs to be done once, when copying the certificate from Windows to Linux:

openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
openssl rsa -in key.pem -outform PVK -pvk-strong -out authenticode.pvk
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc

Actually signing the exe is straightforward:

signcode \
-spc authenticode.spc \
-v authenticode.pvk \
-a sha1 -$ commercial \
-n My\ Application \
-i http://www.example.com/ \
-t http://timestamp.digicert.com/scripts/timstamp.dll \
-tr 10 \
MyApp.exe

Obtain a certificate and sign an exe on Linux

Mono's signing tools allow you to sign an executable on a Linux box.

First convert your .pfx certificate to .pvk and .spc files:

openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
openssl rsa -in key.pem -outform PVK -pvk-strong -out authenticode.pvk
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc

And then sign it:

signcode \
-spc authenticode.spc \
-v authenticode.pvk \
-a sha1 -$ commercial \
-n My\ Application \
-i http://www.example.com/ \
-t http://timestamp.verisign.com/scripts/timstamp.dll \
-tr 10 \
application.exe
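The conversion and signing procedure from the two answers above, as an added example that is not part of either answer or of Mono's own tooling. It runs the four openssl conversions non-interactively, sanity-checks the resulting PVK and SPC files before they are handed to signcode, and only invokes signcode if Mono is installed. The file names, the "test" PFX passphrase and the self-signed certificate it generates for offline use are assumptions; a real run starts from the .pfx exported on Windows.

```shell
#!/bin/sh
# Added example (not from the original answers): turn an Authenticode .pfx into
# the .pvk/.spc pair Mono's signcode needs, sanity-check both files, then sign.
# Assumptions: file names, the "test" PFX passphrase and the self-signed
# certificate generated below (a real run starts from the .pfx exported on
# Windows and skips make_test_pfx).
set -eu

# Throwaway self-signed certificate and PFX so the script runs offline.
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=My Application" \
      -days 1 -keyout test-key.pem -out test-cert.pem 2>/dev/null
  openssl pkcs12 -export -inkey test-key.pem -in test-cert.pem \
      -out authenticode.pfx -passout pass:test 2>/dev/null
}

# The four conversion commands from the answers, run non-interactively.
# -pvk-none writes the PVK unencrypted: -pvk-strong encrypts with RC4, which
# OpenSSL 3 only offers through the legacy provider, so the answers' exact
# command fails there unless "-provider legacy -provider default" is added.
pfx_to_pvk_spc() {
  openssl pkcs12 -in authenticode.pfx -nocerts -nodes -passin pass:test \
      -out key.pem 2>/dev/null
  openssl rsa -in key.pem -outform PVK -pvk-none -out authenticode.pvk 2>/dev/null
  openssl pkcs12 -in authenticode.pfx -nokeys -nodes -passin pass:test \
      -out cert.pem 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc
  chmod 600 key.pem authenticode.pvk    # both hold the unencrypted private key
}

# A PVK file starts with the magic DWORD 0xb0b5f11e, little-endian on disk.
check_pvk() {
  [ "$(head -c 4 authenticode.pvk | od -An -tx1 | tr -d ' \n')" = "1ef1b5b0" ]
}

# The SPC must be a DER-encoded PKCS#7 bundle that carries the certificate.
check_spc() {
  openssl pkcs7 -inform DER -in authenticode.spc -print_certs -noout 2>/dev/null \
      | grep -q '^subject='
}

# The signcode invocation from the answers; skipped when Mono is not installed.
sign_exe() {
  if ! command -v signcode >/dev/null 2>&1; then
    echo "signcode (Mono) not installed; conversion done, signing skipped" >&2
    return 0
  fi
  signcode -spc authenticode.spc -v authenticode.pvk -a sha1 '-$' commercial \
      -n "My Application" -i http://www.example.com/ \
      -t http://timestamp.digicert.com/scripts/timstamp.dll -tr 10 "$1"
}

# Stand-alone run in a scratch directory.
(
  work=$(mktemp -d) && cd "$work"
  make_test_pfx
  pfx_to_pvk_spc
  check_pvk
  check_spc
  echo "authenticode.pvk and authenticode.spc look valid"
  printf 'MZ' > MyApp.exe      # constructed two-byte stand-in for the real binary
  sign_exe MyApp.exe || echo "signing failed (expected for the stand-in file)" >&2
)
```

Two caveats a practitioner should keep in mind: the unencrypted key.pem and authenticode.pvk are as sensitive as the original .pfx and should be deleted or kept on an encrypted volume once signing is done, and the `-a sha1` in the answers produces a SHA-1 Authenticode signature, which current Windows versions no longer accept for trust; on Linux the usual replacement today is osslsigncode with `-h sha256`.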

rpmbuild and signed executable files

If you disable -debuginfo package building I believe RPM will stop stripping binaries in packages.

You can do that by setting the %debug_package macro to %{nil}.

In an rpmmacros file ($HOME/.rpmmacros is searched by default I believe) the following line should do that.

%debug_package %{nil}

It might also be possible to do that on the command line with -D'debug_package %{nil}' but I haven't tested that.

Code Signing for Linux

In all reality and practicality, most people just use self-signed certs. RHEL customers trust entire repositories in addition to sums of individual packages. So yes, you could sign your executable, but beyond letting it trust itself it would do very little good on a stock RHEL system.

A list of trusted CAs can be found somewhere in /etc, I forget the exact location but it should be rather conspicuous.

How to sign a digital signature for a macOS app bundle and Linux executable

You can extract the private key from the .p12 (PFX) with this command:

openssl pkcs12 -in file.p12 -nocerts -out key.pem

Then you can sign your file:

openssl rsautl -sign -inkey key.pem -in yourfile -out sigfile

and verify with:

openssl pkeyutl -verify -pubin -inkey pubkey.pem -sigfile sigfile -in yourfile

But instead of using the actual file, you should sign/verify a checksum, so it's better to use:

sha512sum yourfile | openssl rsautl -sign -inkey key.pem -out sigfile
sha512sum yourfile | openssl pkeyutl -verify -pubin -inkey pubkey.pem -sigfile sigfile
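The sign-and-verify flow from the answer above, as an added example that is not part of the original answer. It extracts the private key from the PKCS#12 bundle as the answer does, also derives the pubkey.pem the answer's verify command needs but never produces, signs with a hashed RSA signature over the file's bytes instead of piping `sha512sum` text through `rsautl`, and shows that a one-byte change is rejected. File names, the "test" passphrase and the self-signed certificate it generates for offline use are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): sign a Linux executable with the
# RSA key pulled out of a PKCS#12 bundle, verify it with the matching public
# key, and show that a one-byte change breaks the signature. Assumptions: file
# names, the "test" passphrase and the self-signed certificate generated below
# (a real signer already holds file.p12 from a CA and skips make_test_p12).
set -eu

# Throwaway certificate and .p12 so the script runs offline.
make_test_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test Signer" -days 1 \
      -keyout signer-key.pem -out signer-cert.pem 2>/dev/null
  openssl pkcs12 -export -inkey signer-key.pem -in signer-cert.pem \
      -out file.p12 -passout pass:test 2>/dev/null
}

# The answer's key-extraction step, plus the pubkey.pem its verify command
# uses but never produces: verifiers get the certificate, never the key.
extract_keys() {
  openssl pkcs12 -in file.p12 -nocerts -nodes -passin pass:test -out key.pem 2>/dev/null
  chmod 600 key.pem
  openssl pkcs12 -in file.p12 -nokeys -clcerts -passin pass:test 2>/dev/null \
      | openssl x509 -pubkey -noout > pubkey.pem
}

# SHA-512 then RSA PKCS#1 v1.5, in one step. Unlike the answer's
# "sha512sum | rsautl -sign", this signs the file's bytes rather than the text
# line "<hex>  <filename>", so the signature survives a rename, has no
# modulus-size limit, and uses a command OpenSSL 3 has not deprecated.
sign_file() {
  openssl dgst -sha512 -sign key.pem -out "$1.sig" "$1"
}

# Returns 0 only if the signature matches the file's current contents.
verify_file() {
  openssl dgst -sha512 -verify pubkey.pem -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Stand-alone run in a scratch directory.
(
  work=$(mktemp -d) && cd "$work"
  make_test_p12
  extract_keys
  printf '#!/bin/sh\necho hello\n' > yourfile     # constructed stand-in binary
  sign_file yourfile
  verify_file yourfile
  echo "yourfile: signature OK"
  printf '\n' >> yourfile                          # tamper: append one byte
  if verify_file yourfile; then echo "BUG: tampered file verified"; exit 1; fi
  echo "yourfile (modified): signature rejected"
)
```

Ship the .sig file and the certificate (or its public key) next to the executable; the verifier only ever needs pubkey.pem, and key.pem should never leave the signing host.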


