Using gpg's passphrase request; new script.

This commit is contained in:
Bandie Canis 2018-01-12 21:46:55 +01:00
parent ea444b288b
commit 1b49b45439
6 changed files with 54 additions and 39 deletions

View File

@ -9,10 +9,11 @@ install:
cp ./sbin/grub2-verify /usr/sbin/ cp ./sbin/grub2-verify /usr/sbin/
cp ./sbin/grub2-sign /usr/sbin/ cp ./sbin/grub2-sign /usr/sbin/
cp ./sbin/grub2-unsign /usr/sbin/ cp ./sbin/grub2-unsign /usr/sbin/
cp ./sbin/grub2-update-kernel-signature /usr/sbin/
chown root:root /usr/sbin/grub2-{verify,sign,unsign} chown root:root /usr/sbin/grub2-{verify,sign,unsign}
chmod 700 /usr/sbin/grub2-{verify,sign,unsign} chmod 744 /usr/sbin/grub2-{verify,sign,unsign}
@printf "Done.\n" @printf "Done.\n"
uninstall: uninstall:
rm /usr/sbin/grub2-{verify,sign,unsign} rm /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature}
@printf "Done.\n" @printf "Done.\n"

View File

@ -75,6 +75,7 @@ If you didn't read the instruction above here is what the scripts does:
* `grub2-sign` is signing the bootloader files with root's keypair. * `grub2-sign` is signing the bootloader files with root's keypair.
* `grub2-unsign` is removing the signatures of the bootloader files. * `grub2-unsign` is removing the signatures of the bootloader files.
* `grub2-verify` is checking if your signatures are good. If not, you will see which signature is bad. * `grub2-verify` is checking if your signatures are good. If not, you will see which signature is bad.
* `grub2-update-kernel-signature` is renewing the signatures in /boot/. (without subdirs) regardless if grub2-verify fails.

View File

@ -1,11 +1,24 @@
#!/bin/bash #!/bin/bash
# grub2-sign # grub2-sign
# Signs everything important in /boot. Depends on grub2-verify. # Signs everything important in /boot. Depends on grub2-verify.
# Author: Bandie Kojote # Author: Bandie
# Licence: GNU-GPLv3 # Licence: GNU-GPLv3
function sign(){
for f in `find /boot -type f`
do
if gpg --detach-sign $f
then
echo $f signed.
else
return 1
fi
done
return 0
}
# Running grub2-verify first to prevent double signing
# Running grub2-verify first to prevent bad people and double signing
echo "Running grub2-verify to check if everything is unsigned..." >&2 echo "Running grub2-verify to check if everything is unsigned..." >&2
grub2-verify grub2-verify
if (( $? < 2 )); then if (( $? < 2 )); then
@ -14,36 +27,10 @@ if (( $? < 2 )); then
fi fi
# Ask for passphrase if ! sign
IFS= read -r -s -p 'Passphrase: ' pp then
sign
# build a find command line matching relevant filenames
name_patterns=(
grubenv # fixed names
'*.'{cfg,lst,mod,asc,pf2} # names with interesting extensions
{vmlinuz,initrd}'*' # names with interesting prefixes
)
find_args=( '-false' )
for pattern in "${name_patterns[@]}"; do find_args+=( '-or' '-name' "$pattern" ); done
# Find GRUB2 datas
while IFS= read -r -d '' i; do
# Signing
if gpg --batch --detach-sign --passphrase-fd 0 "$i" <<<"$pp"; then
echo "$i signed." >&2
else else
echo "ERROR!" >&2 echo -e "\nDone!"
break
fi
done < <(find /boot '(' "${find_args[@]}" ')' '-print0' )
# Shredding passphrase
if (( ${#pp} )); then
echo "Shredding passphrase..." >&2
for (( i=0; i<10; i++ )); do
pp=$(LC_ALL=C tr -cd '[:print:]' </dev/urandom | head -c ${#pp})
done
fi fi
echo "Done!" >&2
exit 0

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# grub2-unsign # grub2-unsign
# Unsigns every file in /boot. Depends on grub2-verify # Unsigns every file in /boot. Depends on grub2-verify
# Author: Bandie Kojote # Author: Bandie
# Licence: GNU-GPLv3 # Licence: GNU-GPLv3
# Check if something is wrong # Check if something is wrong

View File

@ -0,0 +1,26 @@
#!/bin/bash
# grub2-update-kernel-signature
# Renews the signature in /boot/.
# Author: Bandie
# Licence: GNU-GPLv3
function sign(){
for f in `find /boot -maxdepth 1 -type f`
do
if gpg --detach-sign $f
then
echo $f signed.
else
return 1
fi
done
return 0
}
rm /boot/*.sig
if ! sign
then
sign
fi

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# grub2-verify # grub2-verify
# Checks the signatures of every file which is has a signature in /boot. # Checks the signatures of every file which is has a signature in /boot.
# Author: Bandie Kojote # Author: Bandie
# Licence: GNU-GPLv3 # Licence: GNU-GPLv3
red=$(tput setaf 1) red=$(tput setaf 1)