GRUB2 has got a function called "check\_signatures" which automatically checks if your GRUB2 files are signed and have a good signature. If the files aren't signed or have a bad signature GRUB2 won't run them to prevent running malicious software.
- Download the [grub2-signing-extension](https://github.com/Bandie/grub2-signing-extension/releases/download/0.1.1/grub2-signing-extension-0.1.1.tar.gz) and it's [signature](https://github.com/Bandie/grub2-signing-extension/releases/download/0.1.1/grub2-signing-extension-0.1.1.tar.gz.asc).
- Run `gpg --verify grub2-signing-extension*.tar.gz.asc` to make sure that everything is alright.
- Unpack the tar archive. `tar xvf grub2-signing-extension*.tar.gz`
- Change into the grub2-signing-extension directory.
- Run `make install` as root.
You will now have `grub2-sign`, `grub2-unsign`, `grub2-verify` and `grub2-update-kernel-signature` as runable scripts.
## Enabling GRUB2 check\_signatures feature
Before you can use the signing and verification feature you need to generate a keypair as root.
- Run `gpg --gen-key` as root. Please use a secure passphrase.
- Activate the `gpg-agent` for root so that you are able to sign and verify files in a `su` environment. To do that:
- Edit the file _/root/.gnupg/gpg.conf_ and add the line `use-agent`. Save the file.
- Create _/root/.gnupg/gpg-agent.conf_ with the following content
```
pinentry-program /usr/bin/pinentry-curses
no-grab
default-cache-ttl 1800
```
- Export your public key through running `gpg --export -o ~/pubkey`.
-`mount /boot` (assuming your /boot partition is in your /etc/fstab)
- (Re)install GRUB2. The following command will install root's public key into the core and instruct to load the modules `gcry_sha256``gcry_dsa` and `gcry_rsa` at start so that GRUB2 will be able to do verifications.
On every change at the GRUB2 core files you need to run `grub2-unsign` first before you make your changes. Please notice, if you reinstall GRUB2, you should do it as it is said above. Otherwise the signature check won't work.
If you do some changes or updates for the kernel or initramfs, you may want to use `grub2-update-kernel-signature` instead.
- Generate a GRUB2 password string through running `grub-mkpasswd-pbkdf2`. Please take care because in the GRUB2 standard installation the keyboard layout is set to en\_US.
- Copy the generated *grub.pbkdf2.[...]* string to your clipboard.
- Open the file */etc/grub.d/00_header* and insert this at the end of the file