"I am not sure I understand why interpreting the content of an ELF file looks so difficult."
It's difficult if you cannot trust that the incoming file is reasonable. Remember, the attacker doesn't care if the ELF parses to something meaningful, as their goal is only to break your parser.
If you did want to use an ELF format then you'd write a new restricted function parser just to find the signatures. That would hopefully be something you could verify easily.
Using a container also makes it harder to add signatures (for example, a corporation could very well not trust all the modules which Well Known Linux Vendor signs and may add the corporation's own signing key to only the modules which it wants loaded). This implies that the parser has to have some of the ELF fields contribute to the checksum and others not contribute (e.g., timestamps). Simpler -- and thus better in this security-sensitive code -- to treat the file as text and to append the signatures outside of the ELF format.
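
Added example, not part of the comment above and not kernel code: a sketch of the "append the signatures outside of the ELF format" approach, where the only parsing done before verification is peeling fixed-size trailers off the end of an opaque byte buffer. The trailer layout, the magic string and the names `split_signatures` and `sig_ref` are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this example only (not a real on-disk format):
 *   [payload][sig][4-byte big-endian sig length][MAGIC]
 * A further signer appends another [sig][length][MAGIC] group. */
#define MAGIC     "~sig~\n"
#define MAGIC_LEN (sizeof(MAGIC) - 1)
#define TRAILER   (4 + MAGIC_LEN)

struct sig_ref { size_t off, len; };

/* Peel signatures off the end of buf, newest first. Returns how many were
 * found (0 = unsigned) or -1 if a trailer is malformed. *payload_len gets
 * the size of the payload, whose bytes are never interpreted here. */
int split_signatures(const uint8_t *buf, size_t n, struct sig_ref *out,
                     int max, size_t *payload_len)
{
    int count = 0;
    while (n >= TRAILER && !memcmp(buf + n - MAGIC_LEN, MAGIC, MAGIC_LEN)) {
        const uint8_t *p = buf + n - TRAILER;
        uint32_t len = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                       ((uint32_t)p[2] << 8) | p[3];
        /* len is attacker-controlled: compare it with the bytes that
         * remain instead of adding it to an offset. */
        if (len == 0 || len > n - TRAILER || count == max)
            return -1;
        n -= TRAILER + len;
        out[count].off = n;
        out[count].len = len;
        count++;
    }
    *payload_len = n;
    return count;
}

/* Constructed sample: 4 payload bytes, then two appended signatures. */
static const uint8_t SAMPLE[] = "\x7f" "ELF" "AAA" "\0\0\0\3" "~sig~\n"
                                "BB" "\0\0\0\2" "~sig~\n";

int main(void)
{
    struct sig_ref sigs[4];
    size_t payload;
    int n = split_signatures(SAMPLE, sizeof(SAMPLE) - 1, sigs, 4, &payload);
    printf("signatures=%d payload=%zu\n", n, payload);
    return n == 2 ? 0 : 1;
}
```

In this sketch each signature would be checked over `buf[0..payload_len)` only, so a second signer can append a group without invalidating the first, and no ELF field is read until a signature has verified.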