How to sign a binary in Linux?

stuck asked:

I have a Linux device that needs to be able to perform a software update of some binaries that may be coming from an insecure source.

I’d like to find a way to sign these binaries using a public/private key such that the device uses the key to verify the integrity of the contents.

I can easily store a key on the device securely.

What is the preferred tool for this? Ideally it’d be a command-line program where I’d provide the key and the binary and a yes/no is returned if the binary were correctly signed.

My answer:

RPM and dpkg are both perfectly capable of checking package signatures – and of course allowing you to sign the packages. Why reinvent the wheel?

If you’re building an embedded system, ipkg and its fork opkg supposedly also can deal with signed packages, though documentation is sparse since ipkg is dead and opkg refers to the dead ipkg website…

View the full question and any other answers on Server Fault.
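The yes/no check the question describes, as an added example that is not part of the original question or answer. It assumes the `openssl` command-line tool and a detached signature file rather than the package-level signing the answer recommends; the function names, file names and throwaway P-256 key are constructed for the demo.

```shell
#!/bin/sh
# Added example: gate a software update on a detached signature check.
# All file names and the throwaway key below are constructed for the demo.

# verify_update PUBKEY FILE SIG -> exit status 0 ("yes") only if SIG is a valid
# signature over FILE under PUBKEY. The output is matched instead of relying
# on openssl's exit status alone.
verify_update() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" 2>/dev/null |
        grep -q '^Verified OK$'
}

# install_if_signed PUBKEY FILE SIG DEST: copy FILE to a private staging file
# first, verify that copy, and install that same copy, so the bytes checked
# are the bytes installed even if FILE changes afterwards.
install_if_signed() {
    stage=$(mktemp) || return 1
    if cp "$2" "$stage" && verify_update "$1" "$stage" "$3"; then
        install -m 0755 "$stage" "$4"; rc=$?
    else
        rc=1
    fi
    rm -f "$stage"
    return "$rc"
}

# Build side (off the device): only the holder of the private key can sign.
sign_update() {  # sign_update PRIVKEY FILE -> writes FILE.sig
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

demo() {
    d=$(mktemp -d) || return 1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$d/priv.pem" 2>/dev/null &&
    openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem" &&
    printf 'constructed firmware payload\n' > "$d/app.bin" &&
    sign_update "$d/priv.pem" "$d/app.bin" &&
    install_if_signed "$d/pub.pem" "$d/app.bin" "$d/app.bin.sig" "$d/installed" &&
    echo "signed update: yes"
    printf 'tampered\n' >> "$d/app.bin"
    install_if_signed "$d/pub.pem" "$d/app.bin" "$d/app.bin.sig" "$d/rejected" ||
        echo "tampered update: no"
    rm -rf "$d"
}
demo
```

Only the public key needs to live on the device; the private key stays on the build host, and the signature file travels alongside the binary over the untrusted channel.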

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.