grub2-signing-extension/sbin/grub2-sign


#!/bin/bash
# grub2-sign
# Signs everything important in /boot. Depends on grub2-verify.
# Author: Bandie Kojote
# Licence: GNU-GPLv3
# Run grub2-verify first so that files are not signed a second time.
# NOTE(review): every exit status of 2 or more lets signing go ahead, and that
# includes 127 when grub2-verify is not installed; confirm its exit codes.
echo "Running grub2-verify to check if everything is unsigned..."
grub2-verify
verify_rc=$?
if (( verify_rc < 2 )); then
  echo "Run grub2-unsign first."
  exit 1
fi
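# Ask for the signing passphrase with terminal echo switched off.
# The trap switches echo back on if the script is interrupted at the prompt,
# so an aborted run does not leave the terminal silent.
trap 'stty echo; exit 130' INT TERM
echo -n "Passphrase: "
stty -echo
# IFS= and -r keep leading/trailing blanks and backslashes, so pp holds the
# passphrase exactly as it was typed.
IFS= read -r pp
stty echo
trap - INT TERM
echo -e "\n"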
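# Find the GRUB2 data files under /boot and sign each one with a detached
# GnuPG signature.
# find emits NUL-terminated paths and the loop reads them one at a time, so a
# path containing blanks or glob characters is signed as a single file.
while IFS= read -r -d '' i
do
  # printf with a quoted "$pp" hands gpg the passphrase unchanged; an unquoted
  # echo would word-split it, expand glob characters in it and treat a leading
  # -n or -e as an echo option. The pipeline status is gpg's exit status.
  if printf '%s\n' "$pp" | gpg --batch --detach-sign --passphrase-fd 0 "$i"
  then
    echo "$i signed."
  else
    echo "ERROR!"
    # /boot is only partly signed at this point, so stop with a failure
    # status instead of carrying on to a success exit.
    unset pp
    exit 1
  fi
done < <(find /boot \( -name "*.cfg" -or -name "*.lst" -or \
  -name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
  -name "grubenv" -or -name "*.asc" -or -name "*.pf2" \) -print0)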
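# Overwrite the passphrase variable with random text of the same length.
# NOTE(review): this only rebinds the shell variable; bash gives no guarantee
# that the bytes of the earlier value are wiped from memory, so treat it as
# best effort.
echo "Shredding passphrase..."
pp_len=${#pp}
# With an empty passphrase there is nothing to overwrite, and fold would be
# handed a width of 0.
if (( pp_len > 0 ))
then
  for (( i = 0; i < 10; i++ ))
  do
    pp=$(tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' < /dev/urandom | fold -w "$pp_len" | head -n 1)
  done
fi
unset pp
echo "Done!"
exit 0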