Comments and words.

README.md

@@ -1,6 +1,6 @@
 # grub2-signing-extension for GRUB2
 
-GRUB2 has got a function which automatically checks if your GRUB2 files are signed and have a good signature. If the files aren't signed or have a bad signature GRUB2 won't run them to prevent running malicious software.
+GRUB2 has got a function called "check\_signatures" which automatically checks if your GRUB2 files are signed and have a good signature. If the files aren't signed or have a bad signature GRUB2 won't run them to prevent running malicious software.
 The GRUB2 signing extension are some scripts which helps you to verify, sign and unsign your GRUB2 bootloader files using gpg. 
 
 

sbin/grub2-sign

@@ -4,6 +4,8 @@
 # Author: Bandie Kojote
 # Licence: GNU-GPLv3
 
+
+# Running grub2-verify first to prevent double signing
 echo "Running grub2-verify to check if everything is unsigned..."
 grub2-verify
 if [ $? -lt 2 ]
@@ -12,15 +14,21 @@ then
     exit 1
 fi
 
+
+# Ask for passphrase
 echo -n "Passphrase: "
 stty -echo
 read pp
 stty echo
 echo -e "\n"
+
+
+# Find GRUB2 datas
 for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \
  -name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
  -name "grubenv" -or -name "*.asc" -or -name "*.pf2"`;
 do
+    # Signing
     echo $pp | gpg --batch --detach-sign --passphrase-fd 0 $i
     if [ $? -eq 0 ]
     then
@@ -30,4 +38,6 @@ do
 	break
     fi
 done
-pp=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w 96 | head -n 1`
+
+# Shredding passphrase
+pp=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w ${#pp} | head -n 1`

sbin/grub2-unsign

@@ -4,14 +4,18 @@
 # Author: Bandie Kojote
 # Licence: GNU-GPLv3
 
+# Check if something is wrong
 grub2-verify
 if [ $? -eq 1 ]
 then
     echo -e "grub2-verify has detected a one or more bad signatures.\nPlease check for malicious software before you're unsigning everything!"
     exit 1
 fi
+
+
+# Then remove the signatures.
 for i in `find /boot -name "*.sig"` 
 do
 	rm $i
 done
-echo "GRUB2 unsigned."
+echo "GRUB2 unsigned. WARNING: If you want to deactivate GRUB2's signature feature, change the check_signatures variable in the headers file!"

sbin/grub2-verify

@@ -5,7 +5,11 @@
 # Licence: GNU-GPLv3
 
 errorcounter=0
-c=0
+filecounter=0
+
+
+# Signature check part + error counter + file counter + file list
+
 echo "Checking signatures in /boot..."  
 for i in `find /boot -name "*.sig"` 
 do 
@@ -15,15 +19,19 @@ do
         ((errorcounter++))
         files[$errorcounter]=$i
     fi
-    ((c++))
+    ((filecounter++))
 done
-
-if [ $c -eq 0 ]
+# Nothing to verify? Exit 2.
+if [ $filecounter -eq 0 ]
 then
     echo "Nothing to verify."
     exit 2
 fi
 
+
+
+# Message
+
 echo -ne "There has been "
 if [ $errorcounter -eq 0 ]
 then
@@ -38,6 +46,10 @@ else
     echo " bad signatures."
 fi
 
+
+
+# File list and exit codes
+
 if [ $errorcounter -gt 0 ]
 then
     for(( i=1; i<=${#files[@]}; i++))