diff --git a/README.md b/README.md index 71bbbbc..7a24b34 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # grub2-signing-extension for GRUB2 -GRUB2 has got a function which automatically checks if your GRUB2 files are signed and have a good signature. If the files aren't signed or have a bad signature GRUB2 won't run them to prevent running malicious software. +GRUB2 has got a function called "check\_signatures" which automatically checks if your GRUB2 files are signed and have a good signature. If the files aren't signed or have a bad signature GRUB2 won't run them to prevent running malicious software. The GRUB2 signing extension are some scripts which helps you to verify, sign and unsign your GRUB2 bootloader files using gpg. diff --git a/sbin/grub2-sign b/sbin/grub2-sign index 7a2ff83..a7520b1 100644 --- a/sbin/grub2-sign +++ b/sbin/grub2-sign @@ -4,6 +4,8 @@ # Author: Bandie Kojote # Licence: GNU-GPLv3 + +# Running grub2-verify first to prevent double signing echo "Running grub2-verify to check if everything is unsigned..." grub2-verify if [ $? -lt 2 ] @@ -12,15 +14,21 @@ then exit 1 fi + +# Ask for passphrase echo -n "Passphrase: " stty -echo read pp stty echo echo -e "\n" + + +# Find GRUB2 datas for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \ -name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \ -name "grubenv" -or -name "*.asc" -or -name "*.pf2"`; do + # Signing echo $pp | gpg --batch --detach-sign --passphrase-fd 0 $i if [ $? -eq 0 ] then @@ -30,4 +38,6 @@ do break fi done -pp=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w 96 | head -n 1` + +# Shredding passphrase +pp=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w ${#pp} | head -n 1` diff --git a/sbin/grub2-unsign b/sbin/grub2-unsign index 8366d64..401d922 100644 --- a/sbin/grub2-unsign +++ b/sbin/grub2-unsign 
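Review bot: The passphrase and the file name reach gpg unquoted on the line under the new `# Signing` comment in sbin/grub2-sign: `echo $pp` word-splits and glob-expands the passphrase, and `$i` from the backtick `find /boot …` list breaks on any path that contains whitespace. I would change it to `printf '%s\n' "$pp" | gpg --batch --detach-sign --passphrase-fd 0 -- "$i"` and read the passphrase with `IFS= read -r pp`, so backslashes and leading or trailing blanks survive. Under `# Ask for passphrase`, `stty -echo` stays in force if the script is interrupted at the prompt; a `trap 'stty echo' EXIT` set before it would restore the terminal. The same backtick `find` loop with an unquoted `$i` appears in sbin/grub2-unsign (`rm $i`) and in sbin/grub2-verify. The loop body continues outside this hunk.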
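Review bot: Reassigning `pp` under `# Shredding passphrase` in sbin/grub2-sign does not wipe the passphrase: the shell stores the random string as a new value, and the memory that held the old one is not guaranteed to be overwritten, so the comment promises more than the line delivers. The new `fold -w ${#pp}` also breaks when `pp` is empty, because GNU fold rejects a width of 0, which leaves `pp` empty rather than random. I would replace the line with `unset pp` and word the comment as `# Drop the passphrase variable (best effort, the shell cannot guarantee the memory is cleared)`.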
@@ -4,14 +4,18 @@ # Author: Bandie Kojote # Licence: GNU-GPLv3 +# Check if something is wrong grub2-verify if [ $? -eq 1 ] then echo -e "grub2-verify has detected a one or more bad signatures.\nPlease check for malicious software before you're unsigning everything!" exit 1 fi + + +# Then remove the signatures. for i in `find /boot -name "*.sig"` do rm $i done -echo "GRUB2 unsigned." +echo "GRUB2 unsigned. WARNING: If you want to deactivate GRUB2's signature feature, change the check_signatures variable in the headers file!" diff --git a/sbin/grub2-verify b/sbin/grub2-verify index d18e363..a8e30ef 100644 --- a/sbin/grub2-verify +++ b/sbin/grub2-verify @@ -5,7 +5,11 @@ # Licence: GNU-GPLv3 errorcounter=0 -c=0 +filecounter=0 + + +# Signature check part + error counter + file counter + file list + echo "Checking signatures in /boot..." for i in `find /boot -name "*.sig"` do @@ -15,15 +19,19 @@ do ((errorcounter++)) files[$errorcounter]=$i fi - ((c++)) + ((filecounter++)) done - -if [ $c -eq 0 ] +# Nothing to verify? Exit 2. +if [ $filecounter -eq 0 ] then echo "Nothing to verify." exit 2 fi + + +# Message + echo -ne "There has been " if [ $errorcounter -eq 0 ] then @@ -38,6 +46,10 @@ else echo " bad signatures." fi + + +# File list and exit codes + if [ $errorcounter -gt 0 ] then for(( i=1; i<=${#files[@]}; i++))
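Review bot: The guard `if [ $? -eq 1 ]` in sbin/grub2-unsign stops the removal only when grub2-verify exits with exactly 1, so any other failure, for instance status 127 when grub2-verify is not found on PATH, falls through to deleting every signature under /boot. Since sbin/grub2-verify exits 2 for "Nothing to verify" and presumably 0 when all signatures are good, I would let only those two codes pass: `rc=$?` followed by `if [ "$rc" -ne 0 ] && [ "$rc" -ne 2 ]`. The new warning text also says "the headers file" without naming it; printing that file's path would tell the operator where `check_signatures` is set.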
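Review bot: `filecounter` in sbin/grub2-verify counts only the `*.sig` files the loop finds, so a file under /boot that has no signature at all is never examined, and the script can report no bad signatures while unsigned files are present. The loop header sits in the previous hunk and the verification command lies between the two hunks, outside this view, so this is inferred from the `find /boot -name "*.sig"` list alone. I would state the limit next to the new section comment, `# Only files that already have a .sig are checked; unsigned files are not reported`. I would also list the exit codes in the file header, because sbin/grub2-sign (`-lt 2`) and sbin/grub2-unsign (`-eq 1`) branch on them.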