Starting with Solaris 10, most operating system ELF (Executable and Linkable Format) objects have been digitally signed. To verify that a file hasn’t been tampered with, we can use the command “elfsign”. Note that this utility verifies the contents of the file only. It doesn’t verify the path of the file, so if the name of the file has changed, this utility can’t detect that.
For example, to verify the integrity of the command “ls”:
    root@hamdan # which ls
    /usr/bin/ls
    root@hamdan # elfsign verify -e /usr/bin/ls
    elfsign: verification of /usr/bin/ls passed.
The verification result is “passed”, which means that the file hasn’t been tampered with. If the verification shows “failed”, then it means that the file has been tampered with. If the verification result shows “no signature found” or “unable to open file”, then the file hasn’t been signed by Sun.
This is a quick and useful way to verify the integrity of ELF objects.
Note: The digital certificates used for verification are under the directory “/etc/certs”.
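A batch version of the check above, as an added example that is not part of the original post: it runs “elfsign verify -e” over a list of files and sorts each result by the message strings the post mentions. The function names, the ELFSIGN override variable and the script name audit.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example: batch wrapper around "elfsign verify -e <file>".
# ELFSIGN is an assumed override so the wrapper can point at another binary.
ELFSIGN=${ELFSIGN:-elfsign}

# Map one elfsign message to a status word, using the result strings the
# post names. Only a message ending in " passed." counts as PASS; every
# other message is treated as not verified.
classify_elfsign() {
    case "$1" in
        *"verification of "*" passed.") echo PASS ;;
        *"verification of "*failed*)    echo FAIL ;;
        *"no signature found"*)         echo UNSIGNED ;;
        *"unable to open file"*)        echo UNREADABLE ;;
        *)                              echo UNKNOWN ;;
    esac
}

# Verify each argument, print "STATUS path" per file, and return non-zero
# if anything is not PASS. elfsign checks contents only, so the path printed
# here is what was asked for, not proof the binary belongs at that path.
audit_elf_files() {
    rc=0
    for f in "$@"; do
        out=$("$ELFSIGN" verify -e "$f" 2>&1)
        status=$(classify_elfsign "$out")
        echo "$status $f"
        [ "$status" = PASS ] || rc=1
    done
    return "$rc"
}

# Run as: sh audit.sh /usr/bin/ls /usr/bin/ps   (audit.sh is a hypothetical name)
if [ "$#" -gt 0 ]; then
    audit_elf_files "$@"
fi
```

The non-zero return makes the wrapper usable from cron or a monitoring job, where any FAIL, UNSIGNED, UNREADABLE or UNKNOWN line is the one to follow up on.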