Linux 代码签名
是否有任何提供商为(Red Hat Enterprise)Linux 提供代码签名证书?我看到有关 Microsoft 领域的讨论很多,但有关 Linux 的讨论不多。
我知道如何生成自己的证书并将公共证书嵌入到我的可执行文件中。我正在专门寻找获得受信任的 CA 签名的证书的方法。目标系统是 RHEL 5 服务器。
另一个问题: RHEL 5 Server 开箱即用地信任哪些根证书颁发机构?
Are there any providers offering code signing certificates for (Red Hat Enterprise) Linux? I see a lot of buzz for Microsoft-land, but not much for Linux.
I know how to generate my own certificates and embed a public certificate into my executable. I'm specifically looking for ways to get the certificate signed by a trusted CA. The target system is RHEL 5 Server.
An alternative question:
What root certificate authorities are trusted by RHEL 5 Server out of the box?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
在所有现实和实用性中,大多数人只使用自签名证书。除了单个软件包的总和之外,RHEL 客户还信任整个存储库。所以,是的,您可以对可执行文件进行签名,但除了让它信任自己之外,它对现有的 RHEL 系统没有什么好处。
可以在 /etc 中找到受信任的 CA 列表,我忘记了确切的位置,但它应该相当明显。
In all reality and practicality, most people just use self signed certs. RHEL customers trust entire repositories in addition to sums of individual packages. So yes, you could sign your executable, but beyond letting it trust itself it would do very little good on a stock RHEL system.
A list of trusted CAs can be found somewhere in /etc, I forget the exact location but it should be rather conspicuous.
商业代码签名证书没有指定它可以用于哪些应用程序。因此,可以使用来自公共信任的 CA 的任何代码签名证书。对于 Linux,您需要确保依赖方可以访问验证证书。
关于信任存储库的答案可能很快就会过时(如果还没有的话)。如果软件物料清单 (SBOM) 成为标准,构建工具就必须能够验证数字签名,而自签名证书将不会受到广泛信任。
A commercial code signing certificate does not specify what applications it can be used for. So any code signing cert from a publicly trusted CA can be used. With Linux you need to ensure that the relying party has access to the verification certificate.
The answer about trusting repositories may soon be outdated if it isn't already. If Software Bills of Materials (SBOM) become standard it will be necessary for build tools to be able to verify digital signatures and self-signed certs will not be widely trusted.