From 5e4766cfa8310fba31fdc2076e8b620e934fbd2a Mon Sep 17 00:00:00 2001
From: Bandie Kojote <bandie@bandie.org>
Date: Tue, 17 Mar 2015 07:23:23 +0100
Subject: [PATCH] Comments and words.

---
 README.md         |  2 +-
 sbin/grub2-sign   | 12 +++++++++++-
 sbin/grub2-unsign |  6 +++++-
 sbin/grub2-verify | 20 ++++++++++++++++----
 4 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 71bbbbc..7a24b34 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # grub2-signing-extension for GRUB2
 
-GRUB2 has got a function which automatically checks if your GRUB2 files are signed and have a good signature. If the files aren't signed or have a bad signature GRUB2 won't run them to prevent running malicious software.
+GRUB2 has got a function called "check\_signatures" which automatically checks if your GRUB2 files are signed and have a good signature. If the files aren't signed or have a bad signature GRUB2 won't run them to prevent running malicious software.
 The GRUB2 signing extension are some scripts which helps you to verify, sign and unsign your GRUB2 bootloader files using gpg. 
 
 
diff --git a/sbin/grub2-sign b/sbin/grub2-sign
index 7a2ff83..a7520b1 100644
--- a/sbin/grub2-sign
+++ b/sbin/grub2-sign
@@ -4,6 +4,8 @@
 # Author: Bandie Kojote
 # Licence: GNU-GPLv3
 
+
+# Running grub2-verify first to prevent double signing
 echo "Running grub2-verify to check if everything is unsigned..."
 grub2-verify
 if [ $? -lt 2 ]
@@ -12,15 +14,21 @@ then
     exit 1
 fi
 
+
+# Ask for passphrase
 echo -n "Passphrase: "
 stty -echo
 read pp
 stty echo
 echo -e "\n"
+
+
+# Find GRUB2 datas
 for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \
  -name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
  -name "grubenv" -or -name "*.asc" -or -name "*.pf2"`;
 do
+    # Signing
     echo $pp | gpg --batch --detach-sign --passphrase-fd 0 $i
     if [ $? -eq 0 ]
     then
@@ -30,4 +38,6 @@ do
 	break
     fi
 done
-pp=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w 96 | head -n 1`
+
+# Shredding passphrase
+pp=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w ${#pp} | head -n 1`
diff --git a/sbin/grub2-unsign b/sbin/grub2-unsign
index 8366d64..401d922 100644
--- a/sbin/grub2-unsign
+++ b/sbin/grub2-unsign
@@ -4,14 +4,18 @@
 # Author: Bandie Kojote
 # Licence: GNU-GPLv3
 
+# Check if something is wrong
 grub2-verify
 if [ $? -eq 1 ]
 then
     echo -e "grub2-verify has detected a one or more bad signatures.\nPlease check for malicious software before you're unsigning everything!"
     exit 1
 fi
+
+
+# Then remove the signatures.
 for i in `find /boot -name "*.sig"` 
 do
 	rm $i
 done
-echo "GRUB2 unsigned."
+echo "GRUB2 unsigned. WARNING: If you want to deactivate GRUB2's signature feature, change the check_signatures variable in the headers file!"
diff --git a/sbin/grub2-verify b/sbin/grub2-verify
index d18e363..a8e30ef 100644
--- a/sbin/grub2-verify
+++ b/sbin/grub2-verify
@@ -5,7 +5,11 @@
 # Licence: GNU-GPLv3
 
 errorcounter=0
-c=0
+filecounter=0
+
+
+# Signature check part + error counter + file counter + file list
+
 echo "Checking signatures in /boot..."  
 for i in `find /boot -name "*.sig"` 
 do 
@@ -15,15 +19,19 @@ do
         ((errorcounter++))
         files[$errorcounter]=$i
     fi
-    ((c++))
+    ((filecounter++))
 done
-
-if [ $c -eq 0 ]
+# Nothing to verify? Exit 2.
+if [ $filecounter -eq 0 ]
 then
     echo "Nothing to verify."
     exit 2
 fi
 
+
+
+# Message
+
 echo -ne "There has been "
 if [ $errorcounter -eq 0 ]
 then
@@ -38,6 +46,10 @@ else
     echo " bad signatures."
 fi
 
+
+
+# File list and exit codes
+
 if [ $errorcounter -gt 0 ]
 then
     for(( i=1; i<=${#files[@]}; i++))