grub2-signing-extension/sbin/grub2-sign

#!/bin/bash
# grub2-sign
# Signs everything important in /boot. Depends on grub2-verify.
# Author: Bandie Kojote
# Licence: GNU-GPLv3


# Running grub2-verify first to prevent double signing
echo "Running grub2-verify to check if everything is unsigned..." >&2
grub2-verify
if (( $? < 2 )); then
    echo "Run grub2-unsign first." >&2
    exit 1
fi


# Ask for passphrase
IFS= read -r -s -p 'Passphrase: ' pp

# build a find command line matching relevant filenames
name_patterns=(
	grubenv				# fixed names
	'*.'{cfg,lst,mod,asc,pf2}	# names with interesting extensions
	{vmlinuz,initrd}'*'		# names with interesting prefixes
)
find_args=( '-false' )
for pattern in "${name_patterns[@]}"; do find_args+=( '-or' '-name' "$pattern" ); done

# Find GRUB2 datas
while IFS= read -r -d '' i; do
    # Signing
    if gpg --batch --detach-sign --passphrase-fd 0 "$i" <<<"$pp"; then
        echo "$i signed." >&2
    else
        echo "ERROR!" >&2
	break
    fi
done < <(find /boot '(' "${find_args[@]}" ')' '-print0' )

# Shredding passphrase
if (( ${#pp} )); then
    echo "Shredding passphrase..." >&2
    for (( i=0; i<10; i++ )); do
	pp=$(LC_ALL=C tr -cd '[:print:]' </dev/urandom | head -c ${#pp})
    done
fi

echo "Done!" >&2
exit 0
First commit and release. 2015-03-16 19:38:36 +00:00			`#!/bin/bash`
			`# grub2-sign`
			`# Signs everything important in /boot. Depends on grub2-verify.`
			`# Author: Bandie Kojote`
			`# Licence: GNU-GPLv3`

Comments and words. 2015-03-17 06:23:23 +00:00
			`# Running grub2-verify first to prevent double signing`
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`echo "Running grub2-verify to check if everything is unsigned..." >&2`
First commit and release. 2015-03-16 19:38:36 +00:00			`grub2-verify`
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`if (( $? < 2 )); then`
			`echo "Run grub2-unsign first." >&2`
First commit and release. 2015-03-16 19:38:36 +00:00			`exit 1`
			`fi`

Comments and words. 2015-03-17 06:23:23 +00:00
			`# Ask for passphrase`
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`IFS= read -r -s -p 'Passphrase: ' pp`
Comments and words. 2015-03-17 06:23:23 +00:00
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`# build a find command line matching relevant filenames`
			`name_patterns=(`
			`grubenv # fixed names`
			`'*.'{cfg,lst,mod,asc,pf2} # names with interesting extensions`
			`{vmlinuz,initrd}'*' # names with interesting prefixes`
			`)`
			`find_args=( '-false' )`
			`for pattern in "${name_patterns[@]}"; do find_args+=( '-or' '-name' "$pattern" ); done`
Comments and words. 2015-03-17 06:23:23 +00:00
			`# Find GRUB2 datas`
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`while IFS= read -r -d '' i; do`
Comments and words. 2015-03-17 06:23:23 +00:00			`# Signing`
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`if gpg --batch --detach-sign --passphrase-fd 0 "$i" <<<"$pp"; then`
			`echo "$i signed." >&2`
First commit and release. 2015-03-16 19:38:36 +00:00			`else`
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`echo "ERROR!" >&2`
First commit and release. 2015-03-16 19:38:36 +00:00			`break`
			`fi`
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`done < <(find /boot '(' "${find_args[@]}" ')' '-print0' )`
Additional exit codes added + better shredding 2015-03-17 06:54:03 +00:00
for corrected 2015-03-19 22:11:00 +00:00			`# Shredding passphrase`
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`if (( ${#pp} )); then`
			`echo "Shredding passphrase..." >&2`
			`for (( i=0; i<10; i++ )); do`
			`pp=$(LC_ALL=C tr -cd '[:print:]' </dev/urandom \| head -c ${#pp})`
			`done`
			`fi`
Additional exit codes added + better shredding 2015-03-17 06:54:03 +00:00
Follow best practices for bash - Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo \| bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo \| bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead. 2015-12-30 21:32:46 +00:00			`echo "Done!" >&2`
Additional exit codes added + better shredding 2015-03-17 06:54:03 +00:00			`exit 0`