Go to main content

man pages section 1: User Commands

Exit Print View

Updated: Wednesday, July 27, 2022
 
 

elfsign(1)

Name

elfsign - sign binaries

Synopsis

/usr/bin/elfsign sign [-v] 
-k private_key -c 
certificate_file
     -e elf_object [-d data_range] [-F 
format] [file]...
/usr/bin/elfsign sign [-v] 
-c certificate_file
     -e elf_object -T token_uri [-d data_range] [-F format] [file]...
/usr/bin/elfsign sign [-v] -c certificate_file
	  [-e elf_object] -s signature_file [-d data_range]
         [-F format|-O oid] [file]
/usr/bin/elfsign verify [-c 
certificate_file]
     [-v] -e elf_object [file]...
/usr/bin/elfsign list [
-f field] -c 
certificate_file
/usr/bin/elfsign list [
-f field] -e 
elf_object [file]...
/usr/bin/elfsign digest [-o digest_file]
       [-e elf_object] [-F format] [file]
/usr/bin/elfsign data [-o output_file]
       [-e elf_object] [-d data_range] [file]

Description

list

Lists on standard output information from a single certificate file or signed elf object. The selected field appears on a single line. If the field specified does not apply to the named file, the command terminates with no standard output. This output of this subcommand is intended for use in scripts and by other commands.

sign

Signs the elf object, using the given private key and certificate file, or signature and certificate file.

verify

Verifies an existing signed object. Uses the certificate given or searches for an appropriate certificate in directories /etc/certs/elfsign and /etc/certs if –c option is not given.

digest

Prints on standard output, the digest of the elf object in a given format. SHA-256 is the default format.

data

Prints to the specified output_file or to standard output, the ELF data to be signed for the given data range. The default data range is interpret.

Options

The following options are supported:

–c certificate_file

Specifies the path to an X.509 certificate in PEM/PKCS#7 or ASN.1 BER format.

–d data_range

Specifies the range of ELF data to sign. The valid data_range options are:

current

Use the data range found in the ELF file signature. If there's no signature, use the default data range.

interpret

The data signed are interpreted according to the file type. Treats relocatable ELF files and kernel modules the same as "relobj". For executable ELF files, sign ELF headers and ELF Program segments.

relobj

The data signed are ELF headers and ELF sections (excluding the signature section). This is the default range.

legacy

The data signed are ELF sections (excludes the signature section and ELF headers). This option is for use for signing files for older releases only.

–e elf_object

Specifies the path to the object to be signed or verified.

The –e option can be specified multiple times for signing or verifying multiple objects.

–F format

For the sign subcommand, specifies the format of the signature. The valid format options are

current

Use the format found in the ELF file signature. If there's no signature, use the default format.

default

Use the default cryptographic signature algorithm, rsa_sha256.

rsa_sha256

RSA signature of a SHA-256 digest. This is the default format if –F option is omitted.

rsa_sha1

RSA signature of a SHA-1 digest. This format is obsolete.

rsa_md5_sha1

RSA signature of a MD5 digest of a SHA-1 digest. This format is obsolete.

–O oid

Specifies the encryption algorithm's OID, in lieu of –F option. For example, "-O 1.2.840.113549.1.1.11" is equivalent to "-F rsa_sha256". The OID is not validated.

–f field

For the list subcommand, specifies what field should appear in the output.

The list subcommand supports the following option:

–f all

Lists all fields in a certificate or an ELF file. For an ELF file, the following signature information is displayed: Endianness, format, version, signer, timestamp, signature and OID.

The valid field specifiers for a certificate file are:

subject

Subject DN (Distinguished Name)

issuer

Issuer DN

The valid field specifiers for an elf object are:

format

Format of the signature

signer

Subject DN of the certificate used to sign the object

time

Time the signature was applied, in the locale's default format. This is no longer used.

–k private_key

Specifies the location of the private key file when not using a PKCS#11 token. This file is an RSA Private key file in standard PEM (base64) or DER (binary) format.

It is an error to specify both the –k and –T options.

–o output_file

Specifies the path to the output file to be output with the data command.

–P pin_file

Specifies the file which holds the PIN for accessing the token device. If the PIN is not provided in a pin_file, elfsign prompts for the PIN.

It is an error to specify the –P option without the –T option.

–s signature_file

Specifies the path to a signature file in binary or base64 encoded format. Signature file is created separately using private key and the file created by the "elfsign data" subcommand of the elf object.

–T token_uri

Specifies the URI of the PKCS#11 token device, as provided by pktool, which holds the private key. The token label, token key label, and pin file can be specified through the token_uri; the token key label (object) is a required input attribute.

It is an error to specify both the –T and –k options.

–v

Requests more detailed information. The additional output includes the signer and, if the signature format contains it, the time the object was signed. This is not stable parsable output.

Operands

The following operand is supported:

file

One or more elf objects to be signed, verified or listed. At least one elf object must be specified either via the –e option or after all other options.

Examples

Example 1 Signing an ELF Object Using a Key/Certificate in a File
example$ elfsign sign -k myprivatekey -c mycert -e lib/libmylib.so.1
Example 2 Verifying an elf Object's Signature
example$ elfsign verify -c mycert -e lib/libmylib.so.1
elfsign: verification of lib/libmylib.so.1 passed
Example 3 Signing an Object Specifying the Data Range

This will be the prefix of the Certificate DN: ORCL

example$ elfsign sign -d relobj -k myprivatekey -c mycert
          -e lib/libmylib.so.1
Example 4 Determining Information About an Object
example$ elfsign list -f format -e lib/libmylib.so.1
rsa_md5_sha1

example$ elfsign list -f signer -e lib/libmylib.so.1
CN=VENDOR, OU=Software Development, O=Vendor Inc.
Example 5 Signing an ELF Object Using a Token URI
example$ elfsign sign -c mycert -e lib/libmylib.so.1
          -T 'pkcs11:token=Sun Software PKCS#11 softtoken;
          object=mykey;pinfile=/path/to/pinfile'
Example 6 Signing an ELF Object Using a Token URI with interactive PIN
example$ elfsign sign -c mycert -e lib/libmylib.so.1 \
          -T 'pkcs11:token=Sun Software PKCS#11 softtoken;object=mykey'
Enter PIN for Sun Software PKCS#11 softtoken:
Example 7 Signing an ELF Object Using a Signature File

Create file containing data to be signed from the ELF object.

example$ elfsign data -o /path/to/data_file -e /lib/libmylib.so.1

Create private key and certificate file using the openssl command.

example$ openssl genrsa -out /path/to/private_key 2048
example$ openssl req -new -x509 -days 999 -key /path/to/private_key
     -out /path/to/certificate_file

Create a signature file using the openssl command.

example$ openssl dgst -sha256 -binary /path/to/data_file
           >/path/to/digest_file
example$ openssl rsautl -sign -in /path/to/digest_file
           -out /path/to/signature_file -inkey /path/to/private_key

Sign the ELF object using the signature file.

example$ elfsign sign -c /path/to/certificate_file
           -s /path/to/signature_file -e /lib/libmylib.so.1

Exit Status

The following exit values are returned:

VALUE
MEANING
SUB-COMMAND
0
Operation successful
sign/verify
1
Invalid arguments
2
Failed to verify ELF object
verify
3
Unable to open ELF object
sign/verify
4
Unable to load or invalid certificate
sign/verify
5
Unable to load private key, private key is invalid, or token label is invalid
sign
6
Failed to add signature
sign
7
Attempt to verify unsigned object or object not an ELF file
verify

Files

/etc/certs/elfsign
/etc/certs

Directory searched for the verify subcommand if the –c flag is not used.

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Availability
developer/base-developer-utilities
Interface Stability
See below.

The elfsign command and subcommands are Committed. While applications should not depend on the output format of elfsign, the output format of the list subcommand is Committed.

See Also

date(1), pktool(1), attributes(7), cryptoadm(8)