From 271c8677d8c95088915d4fd6a41b65decad1c081 Mon Sep 17 00:00:00 2001 From: Bandie Date: Wed, 11 Dec 2019 19:49:09 +0100 Subject: [PATCH] Renaming script names: grub2-.* to grub-.*, including grub.cfg for update-kernel-signature --- README.md | 32 +++++++++---------- sbin/{grub2-sign => grub-sign} | 0 sbin/{grub2-unsign => grub-unsign} | 0 ...signature => grub-update-kernel-signature} | 7 ++++ sbin/{grub2-verify => grub-verify} | 0 5 files changed, 23 insertions(+), 16 deletions(-) rename sbin/{grub2-sign => grub-sign} (100%) rename sbin/{grub2-unsign => grub-unsign} (100%) rename sbin/{grub2-update-kernel-signature => grub-update-kernel-signature} (70%) rename sbin/{grub2-verify => grub-verify} (100%) diff --git a/README.md b/README.md index 59b07b4..410257b 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ You need - Change into the grub2-signing-extension directory. - Run `make install` as root. -You will now have `grub2-sign`, `grub2-unsign`, `grub2-verify` and `grub2-update-kernel-signature` as runable scripts. +You will now have `grub-sign`, `grub-unsign`, `grub-verify` and `grub-update-kernel-signature` as runable scripts. ## Enabling GRUB2 check\_signatures feature 
@@ -55,16 +55,16 @@ Before you can use the signing and verification feature you need to generate a k EOF ``` - Run`grub-mkconfig -o /boot/grub/grub.cfg` to make the new configuration valid. -- Sign your bootloader running `grub2-sign` and enter your GPG passphrase. +- Sign your bootloader running `grub-sign` and enter your GPG passphrase. **It is also recommended to install a password in GRUB2! [See ADDENDUM]** ## How to update the signatures on changes -On every change at the GRUB2 core files you need to run `grub2-unsign` first before you make your changes. Please notice, if you reinstall GRUB2, you should do it as it is said above. Otherwise the signature check won't work. +On every change at the GRUB2 core files you need to run `grub-unsign` first before you make your changes. Please notice, if you reinstall GRUB2, you should do it as it is said above. Otherwise the signature check won't work. -If you do some changes or updates for the kernel or initramfs, you may want to use `grub2-update-kernel-signature` instead. +If you do some changes or updates for the kernel or initramfs, you may want to use `grub-update-kernel-signature` instead. 
@@ -73,15 +73,15 @@ If you do some changes or updates for the kernel or initramfs, you may want to u If you didn't read the instruction above here is what the scripts does: -* `grub2-sign` is signing the bootloader files with root's keypair. -* `grub2-unsign` is removing the signatures of the bootloader files. -* `grub2-verify` is checking if your signatures are good. If not, you will see which signature is bad. -* `grub2-update-kernel-signature` is renewing the signatures in /boot/. (without subdirs) regardless if grub2-verify fails. +* `grub-sign` is signing the bootloader files with root's keypair. +* `grub-unsign` is removing the signatures of the bootloader files. +* `grub-verify` is checking if your signatures are good. If not, you will see which signature is bad. +* `grub-update-kernel-signature` is renewing the signatures in /boot/ (without subdirs) and grub.cfg, regardless if grub-verify fails. ## Exit codes -You might be interested in the exit codes of `grub2-verify` to use it in your monitoring tools: +You might be interested in the exit codes of `grub-verify` to use it in your monitoring tools: ``` 0 - Everything is okay @@ -107,8 +107,8 @@ chown root:root $(tty) ### I forgot to run grub2-unsign before I made changes. What now? -Run `grub2-verify` to see, which signature is bad. Remove the signature and run `grub2-unsign`, after this `grub2-sign`. -Alternatively, if you just updated your kernel/initramfs, run `grub2-update-kernel-signatures`. +Run `grub-verify` to see, which signature is bad. Remove the signature and run `grub-unsign`, after this `grub-sign`. +Alternatively, if you just updated your kernel/initramfs/grub.cfg, run `grub-update-kernel-signatures`. ### How can I switch off GRUB2's check\_signature feature? 
@@ -119,7 +119,7 @@ Open */etc/grub.d/00_header* and remove the part set check_signatures=enforce EOF -Run `grub2-unsign` and `grub-mkconfig -o /boot/grub/grub.cfg`. +Run `grub-unsign` and `grub-mkconfig -o /boot/grub/grub.cfg`. Also you should reinstall grub2, using something like `grub-install /dev/sda`. @@ -127,8 +127,8 @@ Also you should reinstall grub2, using something like `grub-install /dev/sda`. ### Suddenly I can't boot! This is YOUR FAULT! No. An important signature is bad. So GRUB2 didn't run this part of code/configuration/kernel/whatever. -You could do a chroot using an USB dongle with a GNU/Linux distribution on it. If you're chrooted to your system run `grub2-verify`. -If you think this happened through an update shortly done by you, you may want to run `gpg-agent --daemon ; grub2-update-kernel-signatures`. +You could do a chroot using an USB dongle with a GNU/Linux distribution on it. If you're chrooted to your system run `grub-verify`. +If you think this happened through an update shortly done by you, you may want to run `gpg-agent --daemon ; grub-update-kernel-signatures`. ### Okay, I really got some bad signatures not caused by me. What do I do now? @@ -168,6 +168,6 @@ Check your system thoroughly. Check it about malicious software. Check it about ``` The important changing is the flag *--unrestricted*. -- Run `grub2-unsign` to unsign the bootloader. +- Run `grub-unsign` to unsign the bootloader. - Run `grub-mkconfig -o /boot/grub/grub.cfg` to write the new config. -- Run `grub2-sign` to sign the new changings. +- Run `grub-sign` to sign the new changings. diff --git a/sbin/grub2-sign b/sbin/grub-sign similarity index 100% rename from sbin/grub2-sign rename to sbin/grub-sign diff --git a/sbin/grub2-unsign b/sbin/grub-unsign similarity index 100% rename from sbin/grub2-unsign rename to sbin/grub-unsign 
diff --git a/sbin/grub2-update-kernel-signature b/sbin/grub-update-kernel-signature similarity index 70% rename from sbin/grub2-update-kernel-signature rename to sbin/grub-update-kernel-signature index c4d5ecc..947699e 100755 --- a/sbin/grub2-update-kernel-signature +++ b/sbin/grub-update-kernel-signature @@ -14,11 +14,18 @@ function sign(){ return 1 fi done + if gpg --detach-sign "/boot/grub/grub.cfg" + then + echo /boot/grub/grub.cfg signed. + else + return 1 + fi return 0 } rm /boot/*.sig +rm /boot/grub/grub.cfg.sig if ! sign then diff --git a/sbin/grub2-verify b/sbin/grub-verify similarity index 100% rename from sbin/grub2-verify rename to sbin/grub-verify
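Review bot: In the README hunk at @@ -27,7 the diffstat shows only README.md and the four sbin/ scripts changing, yet the same hunk tells users to run `make install`; if the Makefile lists the script names explicitly it also needs the grub2- to grub- rename, otherwise `make install` will still look for the old filenames. While the line is being touched, "runable scripts" should read "runnable scripts".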
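Review bot: In the README hunk at @@ -107,8 the added line "run `grub-update-kernel-signatures`" uses a plural name, but the script renamed in this patch is `sbin/grub-update-kernel-signature` (singular), so the documented command does not exist; change it to `grub-update-kernel-signature`. The heading in this hunk's context, "### I forgot to run grub2-unsign before I made changes. What now?", still carries the old grub2- prefix and should be renamed in the same commit, since the point of the patch is to drop it everywhere.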
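Review bot: In the README hunk at @@ -127,8 the added line "`gpg-agent --daemon ; grub-update-kernel-signatures`" has the same plural/singular mismatch: the installed script is `grub-update-kernel-signature`, so a user following the recovery instructions from a chroot will get "command not found". Fix the name here as well.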
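Review bot: In the README hunk at @@ -168,6 the added line "Run `grub-sign` to sign the new changings." should read "the new changes"; same for "The important changing is the flag" in the context line if you are editing this paragraph anyway.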
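Review bot: In the sbin/grub-update-kernel-signature hunk at @@ -14,11 the new `rm /boot/grub/grub.cfg.sig` is unconditional, so on the first run after upgrading from the grub2- scripts (which never produced a grub.cfg.sig) `rm` prints "No such file or directory" and the script looks broken; use `rm -f /boot/grub/grub.cfg.sig` (the existing `rm /boot/*.sig` has the same problem when no kernel signatures are present). The ordering also matters: both `rm` calls run before `sign`, so if `gpg --detach-sign "/boot/grub/grub.cfg"` fails (no agent, wrong passphrase) the function returns 1 and the system is left with an unsigned grub.cfg, which under `set check_signatures=enforce` from the README means GRUB will refuse to load it at next boot. Consider signing to a temporary file and only replacing the old .sig on success, or at least printing that `grub-sign` must be rerun before rebooting.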