grub2-signing-extension/sbin/grub2-verify

#!/bin/bash
# grub2-verify
# Checks the signatures of every file which is has a signature in /boot.
# Author: Bandie
# Licence: GNU-GPLv3

red=$(tput setaf 1)
green=$(tput setaf 2)
normal=$(tput sgr0)

all_files=( )
error_files=( )

# Signature check part + error counter + file counter + file list

echo "Checking signatures in /boot..." >&2
while IFS= read -r -d '' i; do
    if ! gpg --verify-files "$i" >/dev/null 2>&1; then
        error_files+=( "$i" )
    fi
    all_files+=( "$i" )
done < <(find /boot -name "*.sig" -print0)

# Nothing to verify? Exit 2.
if (( ${#all_files[@]} == 0 )); then
    echo "Nothing to verify." >&2
    exit 2
fi

# Message
printf '%s' 'Found ' >&2
if (( ${#error_files} == 0 )); then
    printf '%s' "$green" "no" "$normal" >&2
else
    printf '%s' "$red" "${#error_files[@]}" "$normal" >&2
fi
if (( ${#error_files[@]} == 1 )); then
    echo " bad signature." >&2
else
    echo " bad signatures." >&2
fi

# File list and exit codes
if (( ${#error_files[@]} > 0 )); then
    printf 'BAD signature: %s\n' "${error_files[@]}"
    exit 1
else
    exit 0
fi

exit 99
First commit and release. 2015-03-16 19:38:36 +00:00			`#!/bin/bash`
			`# grub2-verify`
			`# Checks the signatures of every file which is has a signature in /boot.`
Using gpg's passphrase request; new script. 2018-01-12 20:46:55 +00:00			`# Author: Bandie`
First commit and release. 2015-03-16 19:38:36 +00:00			`# Licence: GNU-GPLv3`

Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`red=$(tput setaf 1)`
			`green=$(tput setaf 2)`
			`normal=$(tput sgr0)`
Comments and words. 2015-03-17 06:23:23 +00:00
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`all_files=( )`
			`error_files=( )`
Comments and words. 2015-03-17 06:23:23 +00:00
			`# Signature check part + error counter + file counter + file list`

Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`echo "Checking signatures in /boot..." >&2`
			`while IFS= read -r -d '' i; do`
			`if ! gpg --verify-files "$i" >/dev/null 2>&1; then`
			`error_files+=( "$i" )`
First commit and release. 2015-03-16 19:38:36 +00:00			`fi`
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`all_files+=( "$i" )`
			`done < <(find /boot -name "*.sig" -print0)`

Comments and words. 2015-03-17 06:23:23 +00:00			`# Nothing to verify? Exit 2.`
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`if (( ${#all_files[@]} == 0 )); then`
			`echo "Nothing to verify." >&2`
First commit and release. 2015-03-16 19:38:36 +00:00			`exit 2`
			`fi`

Comments and words. 2015-03-17 06:23:23 +00:00			`# Message`
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`printf '%s' 'Found ' >&2`
			`if (( ${#error_files} == 0 )); then`
			`printf '%s' "$green" "no" "$normal" >&2`
First commit and release. 2015-03-16 19:38:36 +00:00			`else`
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`printf '%s' "$red" "${#error_files[@]}" "$normal" >&2`
First commit and release. 2015-03-16 19:38:36 +00:00			`fi`
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`if (( ${#error_files[@]} == 1 )); then`
			`echo " bad signature." >&2`
First commit and release. 2015-03-16 19:38:36 +00:00			`else`
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`echo " bad signatures." >&2`
First commit and release. 2015-03-16 19:38:36 +00:00			`fi`

Comments and words. 2015-03-17 06:23:23 +00:00			`# File list and exit codes`
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`if (( ${#error_files[@]} > 0 )); then`
			`printf 'BAD signature: %s\n' "${error_files[@]}"`
First commit and release. 2015-03-16 19:38:36 +00:00			`exit 1`
			`else`
			`exit 0`
			`fi`
Additional exit codes added + better shredding 2015-03-17 06:54:03 +00:00
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`exit 99`