Using gpg's passphrase request; new script.

Makefile

@@ -9,10 +9,11 @@ install:
 	cp ./sbin/grub2-verify /usr/sbin/
 	cp ./sbin/grub2-sign /usr/sbin/
 	cp ./sbin/grub2-unsign /usr/sbin/
+	cp ./sbin/grub2-update-kernel-signature /usr/sbin/
 	chown root:root /usr/sbin/grub2-{verify,sign,unsign}
-	chmod 700 /usr/sbin/grub2-{verify,sign,unsign}
+	chmod 744 /usr/sbin/grub2-{verify,sign,unsign}
 	@printf "Done.\n"
 
 uninstall:
-	rm /usr/sbin/grub2-{verify,sign,unsign}
+	rm /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature}
 	@printf "Done.\n"

README.md

@@ -75,6 +75,7 @@ If you didn't read the instruction above here is what the scripts does:
 * `grub2-sign` is signing the bootloader files with root's keypair.
 * `grub2-unsign` is removing the signatures of the bootloader files.
 * `grub2-verify` is checking if your signatures are good. If not, you will see which signature is bad.
+* `grub2-update-kernel-signature` is renewing the signatures in /boot/. (without subdirs) regardless if grub2-verify fails.
 
 
 

sbin/grub2-sign

@@ -1,11 +1,24 @@
 #!/bin/bash
 # grub2-sign
 # Signs everything important in /boot. Depends on grub2-verify.
-# Author: Bandie Kojote
+# Author: Bandie
 # Licence: GNU-GPLv3
 
+function sign(){
+  for f in `find /boot -type f`
+  do
+    if gpg --detach-sign $f
+    then
+      echo $f signed.
+    else
+      return 1
+    fi
+  done
+  return 0
+}
 
-# Running grub2-verify first to prevent double signing
+
+# Running grub2-verify first to prevent bad people and double signing
 echo "Running grub2-verify to check if everything is unsigned..." >&2
 grub2-verify
 if (( $? < 2 )); then
@@ -14,36 +27,10 @@ if (( $? < 2 )); then
 fi
 
 
-# Ask for passphrase
-IFS= read -r -s -p 'Passphrase: ' pp
-
-# build a find command line matching relevant filenames
-name_patterns=(
-	grubenv				# fixed names
-	'*.'{cfg,lst,mod,asc,pf2}	# names with interesting extensions
-	{vmlinuz,initrd}'*'		# names with interesting prefixes
-)
-find_args=( '-false' )
-for pattern in "${name_patterns[@]}"; do find_args+=( '-or' '-name' "$pattern" ); done
-
-# Find GRUB2 datas
-while IFS= read -r -d '' i; do
-    # Signing
-    if gpg --batch --detach-sign --passphrase-fd 0 "$i" <<<"$pp"; then
-        echo "$i signed." >&2
-    else
-        echo "ERROR!" >&2
-	break
-    fi
-done < <(find /boot '(' "${find_args[@]}" ')' '-print0' )
-
-# Shredding passphrase
-if (( ${#pp} )); then
-    echo "Shredding passphrase..." >&2
-    for (( i=0; i<10; i++ )); do
-	pp=$(LC_ALL=C tr -cd '[:print:]' </dev/urandom | head -c ${#pp})
-    done
+if ! sign
+then
+  sign
+else
+  echo -e "\nDone!"
 fi
 
-echo "Done!" >&2
-exit 0

sbin/grub2-unsign

@@ -1,13 +1,13 @@
 #!/bin/bash
 # grub2-unsign
 # Unsigns every file in /boot. Depends on grub2-verify
-# Author: Bandie Kojote
+# Author: Bandie 
 # Licence: GNU-GPLv3
 
 # Check if something is wrong
 if ! grub2-verify; then
-    printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2
-    exit 1
+  printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2
+  exit 1
 fi
 
 # Then remove the signatures.

sbin/grub2-update-kernel-signature

@@ -0,0 +1,26 @@
+#!/bin/bash
+# grub2-update-kernel-signature
+# Renews the signature in /boot/.
+# Author: Bandie
+# Licence: GNU-GPLv3
+
+function sign(){
+  for f in `find /boot -maxdepth 1 -type f`
+  do
+    if gpg --detach-sign $f
+    then
+      echo $f signed.
+    else
+      return 1
+    fi
+  done
+  return 0
+}
+
+
+rm /boot/*.sig
+
+if ! sign
+then
+  sign
+fi

sbin/grub2-verify

@@ -1,7 +1,7 @@
 #!/bin/bash
 # grub2-verify
 # Checks the signatures of every file which is has a signature in /boot.
-# Author: Bandie Kojote
+# Author: Bandie
 # Licence: GNU-GPLv3
 
 red=$(tput setaf 1)