mirror of
https://github.com/Bandie/grub2-signing-extension.git
synced 2024-04-01 15:51:26 +00:00
Using gpg's passphrase request; new script.
This commit is contained in:
parent
ea444b288b
commit
1b49b45439
5
Makefile
5
Makefile
@ -9,10 +9,11 @@ install:
|
||||
cp ./sbin/grub2-verify /usr/sbin/
|
||||
cp ./sbin/grub2-sign /usr/sbin/
|
||||
cp ./sbin/grub2-unsign /usr/sbin/
|
||||
cp ./sbin/grub2-update-kernel-signature /usr/sbin/
|
||||
chown root:root /usr/sbin/grub2-{verify,sign,unsign}
|
||||
chmod 700 /usr/sbin/grub2-{verify,sign,unsign}
|
||||
chmod 744 /usr/sbin/grub2-{verify,sign,unsign}
|
||||
@printf "Done.\n"
|
||||
|
||||
uninstall:
|
||||
rm /usr/sbin/grub2-{verify,sign,unsign}
|
||||
rm /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature}
|
||||
@printf "Done.\n"
|
||||
|
@ -75,6 +75,7 @@ If you didn't read the instruction above here is what the scripts does:
|
||||
* `grub2-sign` is signing the bootloader files with root's keypair.
|
||||
* `grub2-unsign` is removing the signatures of the bootloader files.
|
||||
* `grub2-verify` is checking if your signatures are good. If not, you will see which signature is bad.
|
||||
* `grub2-update-kernel-signature` is renewing the signatures in /boot/. (without subdirs) regardless if grub2-verify fails.
|
||||
|
||||
|
||||
|
||||
|
@ -1,11 +1,24 @@
|
||||
#!/bin/bash
|
||||
# grub2-sign
|
||||
# Signs everything important in /boot. Depends on grub2-verify.
|
||||
# Author: Bandie Kojote
|
||||
# Author: Bandie
|
||||
# Licence: GNU-GPLv3
|
||||
|
||||
function sign(){
|
||||
for f in `find /boot -type f`
|
||||
do
|
||||
if gpg --detach-sign $f
|
||||
then
|
||||
echo $f signed.
|
||||
else
|
||||
return 1
|
||||
fi
|
||||
done
|
||||
return 0
|
||||
}
|
||||
|
||||
# Running grub2-verify first to prevent double signing
|
||||
|
||||
# Running grub2-verify first to prevent bad people and double signing
|
||||
echo "Running grub2-verify to check if everything is unsigned..." >&2
|
||||
grub2-verify
|
||||
if (( $? < 2 )); then
|
||||
@ -14,36 +27,10 @@ if (( $? < 2 )); then
|
||||
fi
|
||||
|
||||
|
||||
# Ask for passphrase
|
||||
IFS= read -r -s -p 'Passphrase: ' pp
|
||||
|
||||
# build a find command line matching relevant filenames
|
||||
name_patterns=(
|
||||
grubenv # fixed names
|
||||
'*.'{cfg,lst,mod,asc,pf2} # names with interesting extensions
|
||||
{vmlinuz,initrd}'*' # names with interesting prefixes
|
||||
)
|
||||
find_args=( '-false' )
|
||||
for pattern in "${name_patterns[@]}"; do find_args+=( '-or' '-name' "$pattern" ); done
|
||||
|
||||
# Find GRUB2 datas
|
||||
while IFS= read -r -d '' i; do
|
||||
# Signing
|
||||
if gpg --batch --detach-sign --passphrase-fd 0 "$i" <<<"$pp"; then
|
||||
echo "$i signed." >&2
|
||||
else
|
||||
echo "ERROR!" >&2
|
||||
break
|
||||
fi
|
||||
done < <(find /boot '(' "${find_args[@]}" ')' '-print0' )
|
||||
|
||||
# Shredding passphrase
|
||||
if (( ${#pp} )); then
|
||||
echo "Shredding passphrase..." >&2
|
||||
for (( i=0; i<10; i++ )); do
|
||||
pp=$(LC_ALL=C tr -cd '[:print:]' </dev/urandom | head -c ${#pp})
|
||||
done
|
||||
if ! sign
|
||||
then
|
||||
sign
|
||||
else
|
||||
echo -e "\nDone!"
|
||||
fi
|
||||
|
||||
echo "Done!" >&2
|
||||
exit 0
|
||||
|
@ -1,7 +1,7 @@
|
||||
#!/bin/bash
|
||||
# grub2-unsign
|
||||
# Unsigns every file in /boot. Depends on grub2-verify
|
||||
# Author: Bandie Kojote
|
||||
# Author: Bandie
|
||||
# Licence: GNU-GPLv3
|
||||
|
||||
# Check if something is wrong
|
||||
|
26
sbin/grub2-update-kernel-signature
Executable file
26
sbin/grub2-update-kernel-signature
Executable file
@ -0,0 +1,26 @@
|
||||
#!/bin/bash
|
||||
# grub2-update-kernel-signature
|
||||
# Renews the signature in /boot/.
|
||||
# Author: Bandie
|
||||
# Licence: GNU-GPLv3
|
||||
|
||||
function sign(){
|
||||
for f in `find /boot -maxdepth 1 -type f`
|
||||
do
|
||||
if gpg --detach-sign $f
|
||||
then
|
||||
echo $f signed.
|
||||
else
|
||||
return 1
|
||||
fi
|
||||
done
|
||||
return 0
|
||||
}
|
||||
|
||||
|
||||
rm /boot/*.sig
|
||||
|
||||
if ! sign
|
||||
then
|
||||
sign
|
||||
fi
|
@ -1,7 +1,7 @@
|
||||
#!/bin/bash
|
||||
# grub2-verify
|
||||
# Checks the signatures of every file which is has a signature in /boot.
|
||||
# Author: Bandie Kojote
|
||||
# Author: Bandie
|
||||
# Licence: GNU-GPLv3
|
||||
|
||||
red=$(tput setaf 1)
|
||||
|
Loading…
Reference in New Issue
Block a user