elfsign - sign binaries
/usr/bin/elfsign sign [-v] -k private_key -c certificate_file -e elf_object [-F format] [file]...
/usr/bin/elfsign sign [-v] -c certificate_file -e elf_object -T token_label [-P pin_file] [ -F format] [file]...
/usr/bin/elfsign sign [-v] -c certificate_file [-e elf_object] -s signature_file [-F format] [file]
/usr/bin/elfsign verify [-c certificate_file] [-v] -e elf_object [file]...
/usr/bin/elfsign list -f field -c certificate_file
/usr/bin/elfsign list -f field -e elf_object
/usr/bin/elfsign digest [-v] [-o digest_file] [-e elf_object] [-F format] [file]
The following subcommands are supported:

list
    Lists on standard output information from a single certificate file or signed ELF object. The selected field appears on a single line. If the specified field does not apply to the named file, the command terminates with no standard output. The output of this subcommand is intended for use in scripts and by other commands.

sign
    Signs the ELF object, using the given private key and certificate file, or signature and certificate file.

verify
    Verifies an existing signed object. Uses the certificate given or, if -c is not given, searches for an appropriate certificate in /etc/crypto/certs and /etc/certs.

digest
    Prints on standard output the digest of the ELF object in a given format. SHA-256 is the default format.
The following options are supported:
-c certificate_file
    Specifies the path to an X.509 certificate in PEM/PKCS#7 or ASN.1 BER format.

-e elf_object
    Specifies the path to the object to be signed or verified. The -e option can be specified multiple times for signing or verifying multiple objects.

-F format
    For the sign subcommand, specifies the format of the signature. The valid format options are:

    rsa_md5_sha1
        Default format for Solaris 10 and updates. The rsa_md5_sha1 format is obsolete.
Default format for this release.
Alternate format for this release.
Formats other than rsa_md5_sha1 include an informational timestamp with the signature indicating when the signature was applied. This timestamp is not cryptographically secure, nor is it used as part of verification.
-f field
    For the list subcommand, specifies what field should appear in the output.

The list subcommand supports the following option:

    Lists all fields in a certificate or an ELF file. For an ELF file, the following signature information is displayed: endianness, format, version, signer, timestamp, signature and OID.

The valid field specifiers for a certificate file are:
Subject DN (Distinguished Name)
Issuer DN
The valid field specifiers for an elf object are:
Format of the signature
Subject DN of the certificate used to sign the object
Time the signature was applied, in the locale's default format
-k private_key
    Specifies the location of the private key file when not using a PKCS#11 token. This file is an RSA private key file in standard PEM (base64) or DER (binary) format. It is an error to specify both the -k and -T options.

-o digest_file
    Specifies the path to the digest file to be output with the digest subcommand.

-P pin_file
    Specifies the file which holds the PIN for accessing the token device. If the PIN is not provided in a pin_file, elfsign prompts for the PIN. It is an error to specify the -P option without the -T option.

-s signature_file
    Specifies the path to a signature file in binary or base64 encoded format. The signature file is created separately, using the private key and the digest information of the ELF object.

-T token_label
    Specifies the URI of the PKCS#11 token device, as provided by pktool, which holds the private key. The token label, token key label, and pin file can be specified through the token_uri; the token key label (object) is a required input attribute. It is an error to specify both the -T and -k options.

-v
    Requests more detailed information. The additional output includes the signer and, if the signature format contains it, the time the object was signed. This is not stable, parsable output.
The following operand is supported:
file
    One or more ELF objects to be signed or verified. At least one ELF object must be specified, either through the -e option or after all other options.

Example 1 Signing an ELF Object

example$ elfsign sign -k myprivatekey -c mycert -e lib/libmylib.so.1

Example 2 Verifying an ELF Object's Signature

example$ elfsign verify -c mycert -e lib/libmylib.so.1
elfsign: verification of lib/libmylib.so.1 passed

Example 3 Determining Information About an Object

example$ elfsign list -f format -e lib/libmylib.so.1
rsa_md5_sha1
example$ elfsign list -f signer -e lib/libmylib.so.1
CN=VENDOR, OU=Software Development, O=Vendor Inc.

Example 4 Signing an ELF Object Using a Token URI

example$ elfsign sign -c mycert -e lib/libmylib.so.1 -T 'pkcs11:token=Sun Software PKCS#11 softtoken; object=mykey;pinfile=/path/to/pinfile'

Example 5 Signing an ELF Object Using a Token URI with Interactive PIN

example$ elfsign sign -c mycert -e lib/libmylib.so.1 \
    -T 'pkcs11:token=Sun Software PKCS#11 softtoken;object=mykey'
Enter PIN for Sun Software PKCS#11 softtoken:

Example 6 Signing an ELF Object Using a Signature File
Create a digest of the ELF object.
example$ elfsign digest -o /path/to/digest_file -e /lib/libmylib.so.1
Create a private key and certificate file using the openssl command.
example$ openssl genrsa -out /path/to/private_key 2048
example$ openssl req -new -x509 -days 999 -key /path/to/private_key -out /path/to/certificate_file
Create a signature file using the openssl command.
example$ openssl rsautl -sign -in /path/to/digest_file -out /path/to/signature_file -inkey /path/to/private_key
Sign the ELF object using the signature file.
example$ elfsign sign -c /path/to/certificate_file -s /path/to/signature_file -e /lib/libmylib.so.1
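Example 6 builds the signature outside elfsign, so the following added Python (not part of elfsign or this manual) reproduces that detached flow offline to make the byte-level structure visible: the SHA-256 digest that `elfsign digest` writes, the PKCS#1 v1.5 block that `openssl rsautl -sign` wraps around the digest file, the private-key operation, and the public-key check that recovers the digest and compares it with a fresh digest of the object. It assumes the openssl default for rsautl (PKCS#1 v1.5 padding over the raw input, no DigestInfo) and generates an undersized 512-bit demo key in place of the 2048-bit `openssl genrsa` key; whether elfsign verify performs exactly this comparison internally is not stated on this page.

```python
import hashlib
import random

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test; callers only pass odd candidates > 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_key(bits=512):
    """Return (n, e, d); stands in for 'openssl genrsa' at a demo-only size."""
    e, primes = 65537, []
    while len(primes) < 2:  # odd candidates with the top bit set
        cand = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if _is_probable_prime(cand) and cand not in primes:
            primes.append(cand)
    n, phi = primes[0] * primes[1], (primes[0] - 1) * (primes[1] - 1)
    return (n, e, pow(e, -1, phi)) if phi % e else generate_key(bits)

def digest(elf_bytes):
    """Mirrors 'elfsign digest' with its default SHA-256 format."""
    return hashlib.sha256(elf_bytes).digest()

def sign_digest(digest_bytes, n, d):
    """Mirrors 'openssl rsautl -sign': PKCS#1 v1.5 type-1 block, then RSA."""
    k = (n.bit_length() + 7) // 8
    if len(digest_bytes) > k - 11:
        raise ValueError("digest too long for this modulus")
    block = b"\x00\x01" + b"\xff" * (k - len(digest_bytes) - 3) + b"\x00" + digest_bytes
    return pow(int.from_bytes(block, "big"), d, n).to_bytes(k, "big")

def verify_signature(elf_bytes, signature, n, e):
    """Recover the block with the public key, check padding, compare digests."""
    k = (n.bit_length() + 7) // 8
    block = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    sep = block.find(b"\x00", 2)
    if block[:2] != b"\x00\x01" or sep < 10 or block[2:sep] != b"\xff" * (sep - 2):
        return False
    return block[sep + 1:] == digest(elf_bytes)
```

Because the signature binds only the digest file, any later change to the object makes verify_signature return False even though the signature itself is intact, which is the same failure elfsign verify would report for a modified library.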
The following exit values are returned:
/etc/crypto/certs
/etc/certs
    Directories searched by the verify subcommand if the -c flag is not used
See attributes(5) for descriptions of the following attributes:
The elfsign command and subcommands are Committed. While applications should not depend on the output format of elfsign, the output format of the list subcommand is Committed.