You are right. Enclave code can be easily manipulated and a new signature can be created by the attacker. The executing platform would not recognize this tampering as the signature is correct for the (tampered) code. The platform could have some list of permitted public keys, but in SGX's threat model the platform is adversarial anyway.
The problem is solved using remote attestation.
Trusted hardware and software generate a quote for the created enclave that contains its measurement value (MRENCLAVE) and also its signer's hash (MRSIGNER). With those values, a remote verifier can ensure that the enclave was created correctly and has not been tampered with.
Consequently, before (successful) remote attestation an enclave should not be trusted (with secrets).
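To make the verifier's side of this concrete, here is an added example of the policy check a remote verifier applies to the report body carried inside a quote. It is not code from the answer above or from the Intel SDK. The field offsets follow the `sgx_report_body_t` layout from the Intel SGX SDK headers (attributes at 48, MRENCLAVE at 64, MRSIGNER at 128, ISV product ID and SVN at 256 and 258, report data at 320, 384 bytes in total); the measurement values, signer hash, nonce and policy are constructed for the demo. The example assumes the quote's own signature has already been verified (by the attestation service or the PCK certificate chain), so only the report body is inspected here; the `make_report_body` helper stands in for what `EREPORT` produces inside the CPU and exists only to build test inputs.

```python
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Offsets inside sgx_report_body_t (384 bytes), per the Intel SGX SDK headers.
REPORT_BODY_LEN = 384
OFF_ATTRIBUTES = 48      # 8-byte flags followed by 8-byte xfrm
OFF_MR_ENCLAVE = 64      # 32-byte hash of the enclave's initial contents
OFF_MR_SIGNER = 128      # 32-byte hash of the signer's public key
OFF_ISV_PROD_ID = 256    # uint16
OFF_ISV_SVN = 258        # uint16
OFF_REPORT_DATA = 320    # 64 bytes chosen by the enclave (nonce / key binding)
SGX_FLAGS_DEBUG = 0x2    # attribute flag set for debug-mode enclaves


def make_report_body(mr_enclave: bytes, mr_signer: bytes, flags: int,
                     isv_prod_id: int, isv_svn: int, report_data: bytes) -> bytes:
    """Constructed report body for testing the verifier (a real one comes from EREPORT)."""
    body = bytearray(REPORT_BODY_LEN)
    struct.pack_into("<QQ", body, OFF_ATTRIBUTES, flags, 0)
    body[OFF_MR_ENCLAVE:OFF_MR_ENCLAVE + 32] = mr_enclave
    body[OFF_MR_SIGNER:OFF_MR_SIGNER + 32] = mr_signer
    struct.pack_into("<HH", body, OFF_ISV_PROD_ID, isv_prod_id, isv_svn)
    body[OFF_REPORT_DATA:OFF_REPORT_DATA + 64] = report_data.ljust(64, b"\0")
    return bytes(body)


@dataclass
class AttestationPolicy:
    allowed_mr_enclave: Set[bytes]   # builds the verifier has reviewed
    expected_mr_signer: bytes        # hash of the key the verifier trusts
    isv_prod_id: int
    min_isv_svn: int                 # reject builds older than this security version
    allow_debug: bool = False        # debug enclaves are inspectable, so never in production


def verify_report_body(body: bytes, policy: AttestationPolicy,
                       expected_nonce: bytes) -> Tuple[bool, str]:
    """Decide whether a (signature-verified) report body earns the enclave any secrets."""
    if len(body) != REPORT_BODY_LEN:
        return False, "bad report body length"
    flags, _xfrm = struct.unpack_from("<QQ", body, OFF_ATTRIBUTES)
    mr_enclave = body[OFF_MR_ENCLAVE:OFF_MR_ENCLAVE + 32]
    mr_signer = body[OFF_MR_SIGNER:OFF_MR_SIGNER + 32]
    prod_id, svn = struct.unpack_from("<HH", body, OFF_ISV_PROD_ID)
    report_data = body[OFF_REPORT_DATA:OFF_REPORT_DATA + 64]

    if flags & SGX_FLAGS_DEBUG and not policy.allow_debug:
        return False, "debug enclave"
    # Tampered code re-signed by an attacker carries the attacker's MRSIGNER.
    if not hmac.compare_digest(mr_signer, policy.expected_mr_signer):
        return False, "unexpected MRSIGNER"
    # Same signer but unknown code (e.g. a modified or unreviewed build).
    if mr_enclave not in policy.allowed_mr_enclave:
        return False, "unknown MRENCLAVE"
    if prod_id != policy.isv_prod_id:
        return False, "unexpected ISV product ID"
    if svn < policy.min_isv_svn:
        return False, "ISV SVN below minimum"
    # Report data must bind the quote to this session, or an old quote could be replayed.
    if not hmac.compare_digest(report_data[:len(expected_nonce)], expected_nonce):
        return False, "report data not bound to this session"
    return True, "ok"


def demo() -> Dict[str, str]:
    """Run the verifier over constructed scenarios and return the decision for each."""
    good_enclave, good_signer = b"\x11" * 32, b"\xaa" * 32        # constructed values
    attacker_signer, modified_enclave = b"\xbb" * 32, b"\x22" * 32
    nonce = b"\xc3" * 32                                          # per-session challenge
    policy = AttestationPolicy({good_enclave}, good_signer, isv_prod_id=1, min_isv_svn=3)
    flags_ok, flags_debug = 0x5, 0x7                              # INIT|MODE64BIT, plus DEBUG
    scenarios = {
        "genuine": make_report_body(good_enclave, good_signer, flags_ok, 1, 3, nonce),
        "tampered_resigned": make_report_body(modified_enclave, attacker_signer, flags_ok, 1, 3, nonce),
        "same_signer_unknown_code": make_report_body(modified_enclave, good_signer, flags_ok, 1, 3, nonce),
        "debug_build": make_report_body(good_enclave, good_signer, flags_debug, 1, 3, nonce),
        "outdated_svn": make_report_body(good_enclave, good_signer, flags_ok, 1, 1, nonce),
        "replayed_quote": make_report_body(good_enclave, good_signer, flags_ok, 1, 3, b"\x00" * 32),
    }
    return {name: verify_report_body(body, policy, nonce)[1] for name, body in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} -> {verdict}")
```

Only the `genuine` scenario gets secrets; the re-signed tampered enclave fails on MRSIGNER even though its signature was valid for its own code, which is exactly why the local platform's signature check is not enough and the remote verifier's policy is.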