On Windows, PE files (executable files) have a property "Original Filename", which is the filename when the executable was built. For signed files, this means you can't change "svchost.exe" to "innocent.exe" without leaving a trail, for example.
Is there a similar property for ELF binaries?
I'm not aware of any standard section that would store the original filename as created by the linker.
However, adding your own section to an ELF is perfectly fine. You can then sign the ELF with elfsign, which by default covers the ELF sections.
This is a PKI system, so you then need a chain of trust to verify that signature.
Windows is probably using a CA rooted at Microsoft for their Authenticode mechanism and hence can tell you if a PE has a valid signature (valid here means "with a key signed by Microsoft"; you still don't know if ACME inc. is really ACME inc.).
Under Linux you have to give elfverify your trusted CA because there is no single entity behind Linux.
So you can just add a custom section and sign the ELF. If you set the convention with any parties of yours, that should do it.
Note that while Authenticode is used by Windows (I don't know if by the user-mode loader or in the kernel) to restrict the execution of binaries, elfsign doesn't do anything of that. It just signs ELFs.
There is a patch for checking the ELF signature; I'm not sure if it is in the tree. But it can check ELFs signed with signelf, not elfsign, and that signature only covers loadable segments (which would require putting your custom section into one such segment if you wanted to use this).
Also, it requires static libraries (see here for why) and it doesn't look like a PKI but rather a simple sign/verify (i.e. no chain of trust).
For completeness, Linux also supports IMA for restricting execution but that's not based on cryptographic signatures at all (it's similar to a TPM measurement, so it's hash-based).
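As an added illustration of the "custom section" idea in the answer above (example code written for this page, not part of elfsign, signelf or any Linux tooling): the script below constructs a minimal ELF64 image carrying the original name in a hypothetical section called `.origname`, parses the section header table back out of the bytes using the layouts from the System V ABI, and computes a SHA-256 over every section's name and contents. That digest is only a stand-in for what a section-covering signature commits to, so you can see that renaming the file on disk changes nothing while editing the custom section changes the value; the real signature format of elfsign is not reproduced here.

```python
import hashlib
import struct

# ELF64 little-endian layouts from the System V ABI; both structs are 64 bytes.
EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr
SHDR = "<IIQQQQIIQQ"         # Elf64_Shdr
SHT_PROGBITS, SHT_STRTAB = 1, 3
ORIGNAME_SECTION = ".origname"   # hypothetical custom section name (assumption)


def build_demo_elf(original_name: str) -> bytes:
    """Construct a minimal ELF64 image: header, .origname, .shstrtab and a
    3-entry section header table.  It has no program headers and cannot be
    executed; it is constructed input for the parser below."""
    shstrtab = b"\0" + ORIGNAME_SECTION.encode() + b"\0.shstrtab\0"
    origname = original_name.encode() + b"\0"
    ehsize = struct.calcsize(EHDR)
    off_orig = ehsize                       # .origname right after the header
    off_shstr = off_orig + len(origname)    # .shstrtab follows it
    shoff = off_shstr + len(shstrtab)
    shoff += (-shoff) % 8                   # 8-byte align the section header table
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LE, v1, SysV ABI
    ehdr = struct.pack(EHDR, ident, 2, 0x3E, 1, 0, 0, shoff, 0,
                       ehsize, 56, 0, struct.calcsize(SHDR), 3, 2)
    body = origname + shstrtab
    body += b"\0" * (shoff - ehsize - len(body))
    name_orig = 1                                  # offset of ".origname" in .shstrtab
    name_shstr = 1 + len(ORIGNAME_SECTION) + 1     # offset of ".shstrtab" in .shstrtab
    shdrs = struct.pack(SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)            # SHN_UNDEF entry
    shdrs += struct.pack(SHDR, name_orig, SHT_PROGBITS, 0, 0,
                         off_orig, len(origname), 0, 0, 1, 0)
    shdrs += struct.pack(SHDR, name_shstr, SHT_STRTAB, 0, 0,
                         off_shstr, len(shstrtab), 0, 0, 1, 0)
    return ehdr + body + shdrs


def elf_sections(data: bytes) -> dict:
    """Walk the section header table of a little-endian ELF64 image and
    return {section name: section contents}, skipping the null entry."""
    hdr = struct.unpack_from(EHDR, data, 0)
    ident = hdr[0]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    shdrs = [struct.unpack_from(SHDR, data, shoff + i * shentsize)
             for i in range(shnum)]
    strtab_off, strtab_size = shdrs[shstrndx][4], shdrs[shstrndx][5]
    strtab = data[strtab_off:strtab_off + strtab_size]
    sections = {}
    for sh_name, _type, _flags, _addr, off, size, *_ in shdrs[1:]:
        end = strtab.index(b"\0", sh_name)          # names are NUL-terminated
        sections[strtab[sh_name:end].decode()] = data[off:off + size]
    return sections


def original_filename(data: bytes):
    """Return the name stored in the custom section, or None if absent."""
    sec = elf_sections(data).get(ORIGNAME_SECTION)
    return None if sec is None else sec.rstrip(b"\0").decode()


def sections_digest(data: bytes) -> str:
    """SHA-256 over each section's name, length and contents in table order.
    Stand-in for the data a section-covering signature would commit to:
    the on-disk file name is not part of it, the custom section is."""
    h = hashlib.sha256()
    for name, contents in elf_sections(data).items():
        h.update(name.encode() + b"\0")
        h.update(len(contents).to_bytes(8, "little") + contents)
    return h.hexdigest()


if __name__ == "__main__":
    img = build_demo_elf("svchost")
    print("sections:", sorted(elf_sections(img)))
    print("original name:", original_filename(img))
    print("digest:", sections_digest(img))
    print("digest after editing .origname:", sections_digest(build_demo_elf("innocent")))
```

Running the script with `python3` prints the two section names, the embedded name and two different digests; the same image written to any file name yields the same digest, which is the property the question is after. A real deployment would sign the digest with a key your verifying parties already trust, since, as the answer notes, nothing in the ELF format itself ties a section to an identity.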