From 1b49b45439946e3e1953726c0b59270f70c8bd7c Mon Sep 17 00:00:00 2001
From: Bandie Canis
Date: Fri, 12 Jan 2018 21:46:55 +0100
Subject: [PATCH] Using gpg's passphrase request; new script.
---
 Makefile | 5 +--
 README.md | 1 +
 sbin/grub2-sign | 53 +++++++++++-------------------
 sbin/grub2-unsign | 6 ++--
 sbin/grub2-update-kernel-signature | 26 +++++++++++++++
 sbin/grub2-verify | 2 +-
 6 files changed, 54 insertions(+), 39 deletions(-)
 create mode 100755 sbin/grub2-update-kernel-signature
diff --git a/Makefile b/Makefile
index cae852f..3123db4 100644
--- a/Makefile
+++ b/Makefile
@@ -9,10 +9,11 @@ install:
 	cp ./sbin/grub2-verify /usr/sbin/
 	cp ./sbin/grub2-sign /usr/sbin/
 	cp ./sbin/grub2-unsign /usr/sbin/
+	cp ./sbin/grub2-update-kernel-signature /usr/sbin/
 	chown root:root /usr/sbin/grub2-{verify,sign,unsign}
-	chmod 700 /usr/sbin/grub2-{verify,sign,unsign}
+	chmod 744 /usr/sbin/grub2-{verify,sign,unsign}
 	@printf "Done.\n"
 uninstall:
-	rm /usr/sbin/grub2-{verify,sign,unsign}
+	rm /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature}
 	@printf "Done.\n"
diff --git a/README.md b/README.md
index be54927..ce439d4 100644
--- a/README.md
+++ b/README.md
@@ -75,6 +75,7 @@ If you didn't read the instruction above here is what the scripts does:
 * `grub2-sign` is signing the bootloader files with root's keypair.
 * `grub2-unsign` is removing the signatures of the bootloader files.
 * `grub2-verify` is checking if your signatures are good. If not, you will see which signature is bad.
+* `grub2-update-kernel-signature` is renewing the signatures in /boot/. (without subdirs) regardless if grub2-verify fails.
diff --git a/sbin/grub2-sign b/sbin/grub2-sign
index 9f67f57..0e20716 100755
--- a/sbin/grub2-sign
+++ b/sbin/grub2-sign
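Review bot: The new grub2-update-kernel-signature is copied into /usr/sbin but is missing from the brace lists on the `chown root:root` and `chmod` lines of the install target, while the uninstall target does list it; it therefore keeps whatever mode cp gives it and the ownership of the user running `make install`. Extend both lists: `chown root:root /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature}` and `chmod 744 /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature}`. Going from 700 to 744 also makes the scripts readable by every user; that looks intentional, but since these scripts are meant to be run as root against /boot, a short note in the commit message on why the tighter mode was relaxed would help the next reader.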
@@ -1,11 +1,24 @@
 #!/bin/bash
 # grub2-sign
 # Signs everything important in /boot. Depends on grub2-verify.
-# Author: Bandie Kojote
+# Author: Bandie
 # Licence: GNU-GPLv3
+function sign(){
+ for f in `find /boot -type f`
+ do
+ if gpg --detach-sign $f
+ then
+ echo $f signed.
+ else
+ return 1
+ fi
+ done
+ return 0
+}
-# Running grub2-verify first to prevent double signing
+
+# Running grub2-verify first to prevent bad people and double signing
 echo "Running grub2-verify to check if everything is unsigned..." >&2
 grub2-verify
 if (( $? < 2 )); then
@@ -14,36 +27,10 @@ if (( $? < 2 )); then
 fi
-# Ask for passphrase
-IFS= read -r -s -p 'Passphrase: ' pp
-
-# build a find command line matching relevant filenames
-name_patterns=(
- grubenv # fixed names
- '*.'{cfg,lst,mod,asc,pf2} # names with interesting extensions
- {vmlinuz,initrd}'*' # names with interesting prefixes
-)
-find_args=( '-false' )
-for pattern in "${name_patterns[@]}"; do find_args+=( '-or' '-name' "$pattern" ); done
-
-# Find GRUB2 datas
-while IFS= read -r -d '' i; do
- # Signing
- if gpg --batch --detach-sign --passphrase-fd 0 "$i" <<<"$pp"; then
- echo "$i signed." >&2
- else
- echo "ERROR!" >&2
- break
- fi
-done < <(find /boot '(' "${find_args[@]}" ')' '-print0' )
-
-# Shredding passphrase
-if (( ${#pp} )); then
- echo "Shredding passphrase..." >&2
- for (( i=0; i<10; i++ )); do
- pp=$(LC_ALL=C tr -cd '[:print:]' &2
-exit 0
diff --git a/sbin/grub2-unsign b/sbin/grub2-unsign
index df413ee..bc64f4c 100755
--- a/sbin/grub2-unsign
+++ b/sbin/grub2-unsign
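Review bot: In the new `sign()` the loop `for f in \`find /boot -type f\`` word-splits find's output and `$f` is unquoted in both `gpg --detach-sign $f` and `echo $f signed.`, so a path containing whitespace is passed to gpg as several arguments; the code removed in the second hunk already had the safe form. Use `while IFS= read -r -d '' f; do`, `gpg --detach-sign -- "$f"` and `done < <(find /boot -type f -print0)`. The old filename filter (grubenv, *.cfg, vmlinuz* and so on, visible on the removed side of the second hunk) is also replaced by every regular file under /boot, so unrelated files now get signed as well; if that widening is intended, the header comment `# Signs everything important in /boot.` should say that it now signs every file. The new side of the second hunk, where sign is presumably called, is garbled in this copy of the patch and could not be reviewed.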
@@ -1,13 +1,13 @@
 #!/bin/bash
 # grub2-unsign
 # Unsigns every file in /boot. Depends on grub2-verify
-# Author: Bandie Kojote
+# Author: Bandie
 # Licence: GNU-GPLv3
 # Check if something is wrong
 if ! grub2-verify; then
- printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2
- exit 1
+ printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2
+ exit 1
 fi
 # Then remove the signatures.
diff --git a/sbin/grub2-update-kernel-signature b/sbin/grub2-update-kernel-signature
new file mode 100755
index 0000000..c4d5ecc
--- /dev/null
+++ b/sbin/grub2-update-kernel-signature
@@ -0,0 +1,26 @@
+#!/bin/bash
+# grub2-update-kernel-signature
+# Renews the signature in /boot/.
+# Author: Bandie
+# Licence: GNU-GPLv3
+
+function sign(){
+ for f in `find /boot -maxdepth 1 -type f`
+ do
+ if gpg --detach-sign $f
+ then
+ echo $f signed.
+ else
+ return 1
+ fi
+ done
+ return 0
+}
+
+
+rm /boot/*.sig
+
+if ! sign
+then
+ sign
+fi
diff --git a/sbin/grub2-verify b/sbin/grub2-verify
index 629e3fe..3f9413d 100755
--- a/sbin/grub2-verify
+++ b/sbin/grub2-verify
@@ -1,7 +1,7 @@
 #!/bin/bash
 # grub2-verify
 # Checks the signatures of every file which is has a signature in /boot.
-# Author: Bandie Kojote
+# Author: Bandie
 # Licence: GNU-GPLv3
 red=$(tput setaf 1)
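Review bot: In grub2-update-kernel-signature, `rm /boot/*.sig` runs before any new signature exists, so if gpg fails or the passphrase prompt is cancelled the machine is left with no signatures in /boot, and the retry `if ! sign; then sign; fi` throws away the second attempt's status, so the script exits 0 even then. The second `sign` call also re-runs `find /boot -maxdepth 1 -type f` after the first attempt has already written some `.sig` files, so those get signed a second time. Let gpg overwrite stale signatures in place with `--yes` instead of deleting them up front, exclude `*.sig` from the file list, quote `$f`, and exit non-zero when both attempts fail. Since this script deliberately skips grub2-verify (the README line added in this commit says so), its header comment should state that too, because re-signing without a check re-blesses whatever currently sits in /boot.
```shell
# … unchanged: header comments …
sign() {
  local f
  while IFS= read -r -d '' f; do
    # --yes overwrites an existing "$f.sig", so no rm /boot/*.sig is needed beforehand
    if gpg --yes --detach-sign -- "$f"; then
      printf '%s signed.\n' "$f"
    else
      return 1
    fi
  done < <(find /boot -maxdepth 1 -type f ! -name '*.sig' -print0)
  return 0
}

if ! sign; then
  sign || exit 1
fi
```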