From 1b49b45439946e3e1953726c0b59270f70c8bd7c Mon Sep 17 00:00:00 2001
From: Bandie Canis <bandie@posteo.net>
Date: Fri, 12 Jan 2018 21:46:55 +0100
Subject: [PATCH] Using gpg's passphrase request; new script.

---
 Makefile                           |  5 +--
 README.md                          |  1 +
 sbin/grub2-sign                    | 53 +++++++++++-------------------
 sbin/grub2-unsign                  |  6 ++--
 sbin/grub2-update-kernel-signature | 26 +++++++++++++++
 sbin/grub2-verify                  |  2 +-
 6 files changed, 54 insertions(+), 39 deletions(-)
 create mode 100755 sbin/grub2-update-kernel-signature

diff --git a/Makefile b/Makefile
index cae852f..3123db4 100644
--- a/Makefile
+++ b/Makefile
@@ -9,10 +9,11 @@ install:
 	cp ./sbin/grub2-verify /usr/sbin/
 	cp ./sbin/grub2-sign /usr/sbin/
 	cp ./sbin/grub2-unsign /usr/sbin/
+	cp ./sbin/grub2-update-kernel-signature /usr/sbin/
 	chown root:root /usr/sbin/grub2-{verify,sign,unsign}
-	chmod 700 /usr/sbin/grub2-{verify,sign,unsign}
+	chmod 744 /usr/sbin/grub2-{verify,sign,unsign}
 	@printf "Done.\n"
 
 uninstall:
-	rm /usr/sbin/grub2-{verify,sign,unsign}
+	rm /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature}
 	@printf "Done.\n"
diff --git a/README.md b/README.md
index be54927..ce439d4 100644
--- a/README.md
+++ b/README.md
@@ -75,6 +75,7 @@ If you didn't read the instruction above here is what the scripts does:
 * `grub2-sign` is signing the bootloader files with root's keypair.
 * `grub2-unsign` is removing the signatures of the bootloader files.
 * `grub2-verify` is checking if your signatures are good. If not, you will see which signature is bad.
+* `grub2-update-kernel-signature` is renewing the signatures in /boot/. (without subdirs) regardless if grub2-verify fails.
 
 
 
diff --git a/sbin/grub2-sign b/sbin/grub2-sign
index 9f67f57..0e20716 100755
--- a/sbin/grub2-sign
+++ b/sbin/grub2-sign
@@ -1,11 +1,24 @@
 #!/bin/bash
 # grub2-sign
 # Signs everything important in /boot. Depends on grub2-verify.
-# Author: Bandie Kojote
+# Author: Bandie
 # Licence: GNU-GPLv3
 
+function sign(){
+  for f in `find /boot -type f`
+  do
+    if gpg --detach-sign $f
+    then
+      echo $f signed.
+    else
+      return 1
+    fi
+  done
+  return 0
+}
 
-# Running grub2-verify first to prevent double signing
+
+# Running grub2-verify first to prevent bad people and double signing
 echo "Running grub2-verify to check if everything is unsigned..." >&2
 grub2-verify
 if (( $? < 2 )); then
@@ -14,36 +27,10 @@ if (( $? < 2 )); then
 fi
 
 
-# Ask for passphrase
-IFS= read -r -s -p 'Passphrase: ' pp
-
-# build a find command line matching relevant filenames
-name_patterns=(
-	grubenv				# fixed names
-	'*.'{cfg,lst,mod,asc,pf2}	# names with interesting extensions
-	{vmlinuz,initrd}'*'		# names with interesting prefixes
-)
-find_args=( '-false' )
-for pattern in "${name_patterns[@]}"; do find_args+=( '-or' '-name' "$pattern" ); done
-
-# Find GRUB2 datas
-while IFS= read -r -d '' i; do
-    # Signing
-    if gpg --batch --detach-sign --passphrase-fd 0 "$i" <<<"$pp"; then
-        echo "$i signed." >&2
-    else
-        echo "ERROR!" >&2
-	break
-    fi
-done < <(find /boot '(' "${find_args[@]}" ')' '-print0' )
-
-# Shredding passphrase
-if (( ${#pp} )); then
-    echo "Shredding passphrase..." >&2
-    for (( i=0; i<10; i++ )); do
-	pp=$(LC_ALL=C tr -cd '[:print:]' </dev/urandom | head -c ${#pp})
-    done
+if ! sign
+then
+  sign
+else
+  echo -e "\nDone!"
 fi
 
-echo "Done!" >&2
-exit 0
diff --git a/sbin/grub2-unsign b/sbin/grub2-unsign
index df413ee..bc64f4c 100755
--- a/sbin/grub2-unsign
+++ b/sbin/grub2-unsign
@@ -1,13 +1,13 @@
 #!/bin/bash
 # grub2-unsign
 # Unsigns every file in /boot. Depends on grub2-verify
-# Author: Bandie Kojote
+# Author: Bandie 
 # Licence: GNU-GPLv3
 
 # Check if something is wrong
 if ! grub2-verify; then
-    printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2
-    exit 1
+  printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2
+  exit 1
 fi
 
 # Then remove the signatures.
diff --git a/sbin/grub2-update-kernel-signature b/sbin/grub2-update-kernel-signature
new file mode 100755
index 0000000..c4d5ecc
--- /dev/null
+++ b/sbin/grub2-update-kernel-signature
@@ -0,0 +1,26 @@
+#!/bin/bash
+# grub2-update-kernel-signature
+# Renews the signature in /boot/.
+# Author: Bandie
+# Licence: GNU-GPLv3
+
+function sign(){
+  for f in `find /boot -maxdepth 1 -type f`
+  do
+    if gpg --detach-sign $f
+    then
+      echo $f signed.
+    else
+      return 1
+    fi
+  done
+  return 0
+}
+
+
+rm /boot/*.sig
+
+if ! sign
+then
+  sign
+fi
diff --git a/sbin/grub2-verify b/sbin/grub2-verify
index 629e3fe..3f9413d 100755
--- a/sbin/grub2-verify
+++ b/sbin/grub2-verify
@@ -1,7 +1,7 @@
 #!/bin/bash
 # grub2-verify
 # Checks the signatures of every file which is has a signature in /boot.
-# Author: Bandie Kojote
+# Author: Bandie
 # Licence: GNU-GPLv3
 
 red=$(tput setaf 1)