Signed binaries
One of the problems in computer security is the validation of binaries: is this the original binary or a counterfeit? Since Solaris 10, Sun has electronically signed the binaries of the Solaris Operating Environment. You can check the signature of a binary with the elfsign tool.
[root@gandalf:/etc]$ elfsign verify -v /usr/sbin/ifconfig
elfsign: verification of /usr/sbin/ifconfig passed.
format: rsa_md5_sha1.
signer: CN=SunOS 5.10, OU=Solaris Signed Execution, O=Sun Microsystems Inc.
Obviously you have to trust the elfsign binary itself. You can check it by booting the system from a trusted medium (such as an original media kit or a checksum-validated ISO image), which lets you verify the signature of elfsign independently of the installed system.
By the way: this certificate and the signature are very important for crypto modules. The Solaris crypto framework only loads modules signed by Sun, to prevent malicious modules (for example, one that reads out the key store and sends it somewhere) from being used in the framework.
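The check from a trusted medium described above can be scripted to cover a whole directory tree instead of one file. This is an added example, not part of the original text: ELFSIGN, is_elf and sweep_signatures are hypothetical names, and it relies on the `elfsign verify -e <object>` form and the non-zero exit status on failure documented in the elfsign man page.

```shell
# Added example. POSIX shell: on Solaris 10 run it with /usr/xpg4/bin/sh
# or ksh, because /bin/sh there is the legacy Bourne shell.
#
# Usage (paths are placeholders for your trusted medium and mounted root):
#   ELFSIGN=/path/to/trusted/elfsign sh sweep.sh /path/to/mounted/root/usr/sbin

# Hypothetical variable: which elfsign to run. Point it at the copy on the
# trusted medium so the installed (possibly replaced) binary is never used.
ELFSIGN="${ELFSIGN:-elfsign}"

# Succeeds if the file starts with the ELF magic bytes 7f 45 4c 46.
# Shell scripts and data files are not ELF objects and carry no signature.
is_elf() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# Print "PASS <path>" or "FAIL <path>" for every ELF file below directory $1.
# FAIL covers a bad signature as well as a missing one, since elfsign exits
# non-zero in both cases.
sweep_signatures() {
    find "$1" -type f -print | while IFS= read -r f; do
        is_elf "$f" || continue
        if "$ELFSIGN" verify -e "$f" >/dev/null 2>&1; then
            echo "PASS $f"
        else
            echo "FAIL $f"
        fi
    done
}

# With a directory argument: list only the failures and exit 1 if there are any.
if [ $# -ge 1 ]; then
    if sweep_signatures "$1" | grep '^FAIL '; then
        exit 1
    fi
fi
```

Not every ELF file on a system is signed by the vendor (locally built or third-party software, for example), so a FAIL line marks a file to review against a known-good copy, not proof of tampering.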