grub2-signing-extension/sbin/grub-verify

Commit message from the blame view (2015-12-30 21:32:46 +00:00): Follow best practices for bash
- Use native bash math where doing so improves readability.
- Avoid illegal exit status codes (666 in impossible scenario).
- Avoid useless use of cat (`cat foo | bar` vs the more efficient `bar <foo`).
- Avoid needless echo pipelines (`echo foo | bar` vs `bar <<<"$foo"`).
- Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor
- Use `read -s` to silence feedback rather than playing around with `stty`.
- Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes.
- Use an expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory).
- Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section).
- Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`).
- Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead.

#!/bin/bash
# grub2-verify
# Checks the detached GPG signature (.sig) of every signed file in /boot and
# reports files in /boot that carry no signature at all.
# Author: Bandie
# Licence: GNU-GPLv3
# Terminal colours for the summary. Without a terminal (e.g. under cron) tput
# fails and the variables stay empty, which is harmless.
red=$(tput setaf 1 2>/dev/null)
green=$(tput setaf 2 2>/dev/null)
normal=$(tput sgr0 2>/dev/null)

all_files=( )      # every .sig file found under /boot
error_files=( )    # .sig files whose signature did not verify
missing_files=( )  # files under /boot that have no matching .sig
# Signature check part + error counter + file counter + file list.
# Given only a .sig file, gpg looks for the signed data in the file of the same
# name without the .sig extension. /boot/efi is skipped. Note that gpg exits 0
# for a good signature from any key in the invoking user's keyring, whatever
# its trust level, so keep that keyring limited to the key(s) used to sign /boot.
echo "Checking signatures in /boot..." >&2
while IFS= read -r -d '' i
do
    if ! gpg --verify-files "$i" >/dev/null 2>&1
    then
        error_files+=( "$i" )
    fi
    all_files+=( "$i" )
done < <(find /boot -iname "efi" -prune -o -type f -name "*.sig" -print0)

# Every regular file outside /boot/efi that is not itself a signature must have
# a matching .sig next to it. The expansion is quoted so that paths containing
# spaces or glob characters are tested as a single argument.
echo "Checking missing signatures in /boot..." >&2
while IFS= read -r -d '' i
do
    if test ! -f "${i}.sig"
    then
        missing_files+=( "$i" )
    fi
done < <(find /boot -iname "efi" -prune -o -type f -not -name "*.sig" -print0)

# Nothing to verify? Exit 2. This also covers a /boot that holds unsigned files
# but not a single .sig; those files are not listed in that case.
if (( ${#all_files[@]} == 0 ))
then
    echo "Nothing to verify." >&2
    exit 2
fi

# Message signatures. ${#error_files[@]} is the element count; the bare
# ${#error_files} would be the string length of the first element only.
printf '%s' 'Found ' >&2
if (( ${#error_files[@]} == 0 ))
then
    printf '%s' "$green" "no" "$normal" >&2
else
    printf '%s' "$red" "${#error_files[@]}" "$normal" >&2
fi
if (( ${#error_files[@]} == 1 ))
then
    echo " bad signature." >&2
else
    echo " bad signatures." >&2
fi

# Message missing
printf '%s' 'Found ' >&2
if (( ${#missing_files[@]} == 0 ))
then
    printf '%s' "$green" "no" "$normal" >&2
else
    printf '%s' "$red" "${#missing_files[@]}" "$normal" >&2
fi
if (( ${#missing_files[@]} == 1 ))
then
    echo " missing signature." >&2
else
    echo " missing signatures." >&2
fi

# File list: one line per file on stdout, so it can be piped elsewhere while
# the summary above goes to stderr.
if (( ${#error_files[@]} > 0 ))
then
    printf 'BAD signature: %s\n' "${error_files[@]}"
fi
if (( ${#missing_files[@]} > 0 ))
then
    printf 'MISSING signature: %s\n' "${missing_files[@]}"
fi

# Exit codes: 0 all signatures good and none missing, 1 at least one bad
# signature (takes precedence), 2 nothing to verify, 3 signatures missing.
if (( ${#error_files[@]} > 0 ))
then
    exit 1
fi
if (( ${#missing_files[@]} > 0 ))
then
    exit 3
fi
exit 0
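The script above treats a signature as good whenever `gpg --verify` exits 0. gpg does that for a good signature from any key in the keyring, trusted or not, and also when the signing key has expired or been revoked (it then emits `EXPKEYSIG`/`REVKEYSIG` but still `VALIDSIG`). What follows is an added example, not code from grub2-signing-extension, showing how to pin verification to one key by parsing gpg's machine-readable `--status-fd` output instead of relying on the exit status. `TRUSTED_FPR` is a placeholder fingerprint, the function names are the example's own, and the sample status lines are constructed rather than captured from a real run.

```bash
#!/bin/bash
# Added example, not part of grub2-signing-extension: accept a detached
# signature only if it was made by one pinned key.
# TRUSTED_FPR is a placeholder (assumption); replace it with the fingerprint
# of the key that signs your /boot.
TRUSTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read "gpg --status-fd" lines on stdin. Succeed only if a VALIDSIG line names
# the pinned fingerprint, either as the signing (sub)key in field 3 or as the
# primary key in the last field, and no failure line appears. EXPKEYSIG and
# REVKEYSIG count as failures because gpg still emits VALIDSIG for them.
status_is_pinned_valid() {
    local fpr="$1" line valid=0
    local -a f
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                read -ra f <<<"$line"
                if [[ ${f[2]} == "$fpr" || ${f[${#f[@]}-1]} == "$fpr" ]]; then
                    valid=1
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] NODATA "*)
                return 1
                ;;
        esac
    done
    (( valid == 1 ))
}

# Verify detached signature SIG against FILE (default: SIG without its .sig
# extension, the same pairing gpg uses). --status-fd 1 sends the status lines
# to stdout for the parser; gpg's human-readable output on stderr is dropped.
verify_pinned() {
    local sig="$1" file="${2:-${1%.sig}}"
    gpg --batch --no-tty --status-fd 1 --verify "$sig" "$file" 2>/dev/null |
        status_is_pinned_valid "$TRUSTED_FPR"
}

# Constructed sample status output (not from a real run). VALIDSIG fields:
# fingerprint, date, timestamp, expiry, version, reserved, pubkey-algo,
# hash-algo, sig-class, primary-key-fingerprint.
SAMPLE_GOOD_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-02-13 1613220857 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Good signature from a different key in the keyring: plain "gpg --verify"
# exits 0 here, the pinned check must not accept it.
SAMPLE_GOOD_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2021-02-13 1613220857 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'

SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>'

# Pinned key, but expired: gpg still exits 0 and still emits VALIDSIG.
SAMPLE_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-02-13 1613220857 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Run the parser over one sample and return its status.
check_sample() {
    status_is_pinned_valid "$TRUSTED_FPR" <<<"$1"
}

for name in SAMPLE_GOOD_PINNED SAMPLE_GOOD_OTHER_KEY SAMPLE_BAD SAMPLE_EXPIRED; do
    if check_sample "${!name}"; then
        echo "$name: accepted"
    else
        echo "$name: rejected"
    fi
done
```

In the verify loop of grub-verify, `verify_pinned "$i"` would take the place of `gpg --verify-files "$i"`. Keeping the signing key in a dedicated keyring (`--no-default-keyring --keyring <file>`) narrows the attack surface further, but the fingerprint check is what stops a signature from any other imported key from passing.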