Comments and words.

Bandie Kojote 2015-03-17 07:23:23 +01:00
parent d37cc28bf0
commit 5e4766cfa8
4 changed files with 33 additions and 7 deletions


@ -1,6 +1,6 @@
# grub2-signing-extension for GRUB2
GRUB2 has got a function which automatically checks if your GRUB2 files are signed and have a good signature. If the files aren't signed or have a bad signature GRUB2 won't run them to prevent running malicious software.
GRUB2 has got a function called "check\_signatures" which automatically checks if your GRUB2 files are signed and have a good signature. If the files aren't signed or have a bad signature GRUB2 won't run them to prevent running malicious software.
The GRUB2 signing extension are some scripts which helps you to verify, sign and unsign your GRUB2 bootloader files using gpg.


@ -4,6 +4,8 @@
# Author: Bandie Kojote
# Licence: GNU-GPLv3
# Running grub2-verify first to prevent double signing
echo "Running grub2-verify to check if everything is unsigned..."
grub2-verify
if [ $? -lt 2 ]
@ -12,15 +14,21 @@ then
exit 1
fi
# Ask for passphrase
echo -n "Passphrase: "
stty -echo
read pp
stty echo
echo -e "\n"
# Find GRUB2 datas
for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \
-name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
-name "grubenv" -or -name "*.asc" -or -name "*.pf2"`;
do
# Signing
echo $pp | gpg --batch --detach-sign --passphrase-fd 0 $i
if [ $? -eq 0 ]
then
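Review bot: The passphrase is collected with a bare `read pp` and handed to gpg as an unquoted `echo $pp`, so a passphrase containing backslashes, `*`, `?` or repeated spaces is rewritten by read's backslash processing and by the shell's glob and word expansion before gpg sees it, and one starting with `-n` or `-e` is consumed as an echo option; under --batch the signing then just fails with an opaque gpg error. Replace the stty/read/stty triple with `read -rs pp` (which also leaves restoring echo to the shell if the script is interrupted mid-prompt) and the pipe with `printf '%s\n' "$pp" | gpg --batch --detach-sign --passphrase-fd 0 "$i"`; quoting `$i` also stops the unquoted find-loop variable from being split a second time. The `if [ $? -lt 2 ]` at the top and the `if [ $? -eq 0 ]` inside the loop both continue outside this hunk.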
@ -30,4 +38,6 @@ do
break
fi
done
pp=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w 96 | head -n 1`
# Shredding passphrase
pp=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w ${#pp} | head -n 1`


@ -4,14 +4,18 @@
# Author: Bandie Kojote
# Licence: GNU-GPLv3
# Check if something is wrong
grub2-verify
if [ $? -eq 1 ]
then
echo -e "grub2-verify has detected a one or more bad signatures.\nPlease check for malicious software before you're unsigning everything!"
exit 1
fi
# Then remove the signatures.
for i in `find /boot -name "*.sig"`
do
rm $i
done
echo "GRUB2 unsigned."
echo "GRUB2 unsigned. WARNING: If you want to deactivate GRUB2's signature feature, change the check_signatures variable in the headers file!"
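Review bot: The signature removal loop (`find /boot -name "*.sig"` expanded unquoted in the `for`, then `rm $i`) word-splits find's output and passes each piece to rm unquoted, and `rm` without `-f` may prompt on a write-protected .sig since the script runs with a terminal on stdin; `find /boot -name "*.sig" -exec rm -f -- {} +` does the same job in one line without either problem. The closing message also understates the consequence: with check_signatures still enabled, GRUB2 refuses to load any file that now lacks a signature (the README's own description of the feature), so the warning should say the machine will not boot until that variable is changed, e.g. `echo "GRUB2 unsigned. WARNING: with check_signatures still enabled GRUB2 will refuse to load these files - change it in the headers file before rebooting!"`. The grub2-verify exit-2 case (nothing to verify) falls through to the removal loop; harmless, but an early `exit 0` there would make the intent explicit.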


@ -5,7 +5,11 @@
# Licence: GNU-GPLv3
errorcounter=0
c=0
filecounter=0
# Signature check part + error counter + file counter + file list
echo "Checking signatures in /boot..."
for i in `find /boot -name "*.sig"`
do
@ -15,15 +19,19 @@ do
((errorcounter++))
files[$errorcounter]=$i
fi
((c++))
((filecounter++))
done
if [ $c -eq 0 ]
# Nothing to verify? Exit 2.
if [ $filecounter -eq 0 ]
then
echo "Nothing to verify."
exit 2
fi
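Review bot: filecounter and errorcounter only ever see files that already have a `.sig` (the loop iterates `find /boot -name "*.sig"`), so a kernel, module or .cfg dropped into /boot without a signature is never counted and the script reports a clean result, although that is precisely the case the README says GRUB2 itself will refuse. A second pass over the same file set grub2-sign signs, e.g. `for f in $(find /boot -name "*.cfg" -or -name "*.mod" ...); do [ -e "$f.sig" ] || { echo "unsigned: $f"; ((errorcounter++)); }; done`, would fold missing signatures into the error count and exit code. The `((errorcounter++))` and `((filecounter++))` forms are fine as written, but `(( x++ ))` returns status 1 when x was 0, so they would trip `set -e` if that is ever added; `errorcounter=$((errorcounter+1))` avoids the trap. The for loop begins in the previous hunk.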
# Message
echo -ne "There has been "
if [ $errorcounter -eq 0 ]
then
@ -38,6 +46,10 @@ else
echo " bad signatures."
fi
# File list and exit codes
if [ $errorcounter -gt 0 ]
then
for(( i=1; i<=${#files[@]}; i++))