(originally published on 08.02.2008, reviewed/rewritten on 08.04.2025, tested on Oracle Solaris 11.4 SRU 79)
 

Just for the giggles: this is the re-publication of one of the oldest entries about a Solaris feature in my blog, first published 17 years, 2 months and 1 day ago.

One of the problems in computer security is the validation of binaries: is this the original binary, or is it a counterfeit with some added functionality? Since Solaris 10, Oracle has electronically signed the binaries of the Solaris Operating Environment. You can check the signature of a binary with the elfsign tool:

root@testbed:/usr/sbin# elfsign verify -v /usr/sbin/ifconfig
elfsign: verification of /usr/sbin/ifconfig passed.
Elfsign signature format: rsa_sha256
Signer: O=Oracle Corporation, OU=Corporate Object Signing, OU=Solaris Signed Execution, CN=Oracle Solaris 2017
Elfsign signature version: 9 (relobj)
OID: 1.2.840.113549.1.1.11 (rsa_sha256)
root@testbed:/usr/sbin#

Obviously, you have to trust elfsign itself. But you can check it when you boot the system from trusted media, such as a checksum-validated ISO image. This enables you to check the signature of elfsign independently of the installed system.
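
To run the same check over a whole directory instead of a single file, a small wrapper can flag every ELF file that elfsign does not pass, or that passes with a signer other than the one shown above. This is an added example, not part of the original post; ELFSIGN, EXPECTED_SIGNER and the function names are assumptions, and ELFSIGN lets you choose which elfsign binary is run.

```shell
#!/bin/sh
# Added example, not from the original post. ELFSIGN, EXPECTED_SIGNER and the
# function names are assumptions made for this sketch.
ELFSIGN=${ELFSIGN:-elfsign}
# Default taken from the "Signer:" line in the output shown above.
EXPECTED_SIGNER=${EXPECTED_SIGNER:-O=Oracle Corporation}

# is_elf FILE: true if the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = 7f454c46 ]
}

# check_one FILE
#   0: elfsign verify passed and the signer contains EXPECTED_SIGNER
#   1: elfsign verify exited non-zero
#   2: verification passed, but the signer is not the expected one
check_one() {
    out=$("$ELFSIGN" verify -v "$1" 2>&1) || return 1
    signer=$(printf '%s\n' "$out" | sed -n 's/^Signer: //p')
    case $signer in
        *"$EXPECTED_SIGNER"*) return 0 ;;
        *) return 2 ;;
    esac
}

# audit_dir DIR: check every ELF file directly in DIR, print one line per
# problem, and return 1 if any file was flagged.
audit_dir() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        is_elf "$f" || continue      # skip scripts and other non-ELF files
        rc=0
        check_one "$f" || rc=$?
        case $rc in
            1) echo "NOT-VERIFIED $f"; bad=1 ;;
            2) echo "UNEXPECTED-SIGNER $f"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Run as a script: sh audit.sh /usr/sbin
if [ -d "${1:-}" ]; then
    audit_dir "$1"
fi
```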

Written by

Joerg Moellenkamp

Grey-haired, sometimes grey-bearded Windows dismissing Unix guy.