First commit and release.

Bandie Kojote
2015-03-16 20:38:36 +01:00
commit 89131845f1
6 changed files with 887 additions and 0 deletions

33
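--- /dev/null
+++ b/sbin/grub2-sign
@@ -0,0 +1,33 @@
+#!/bin/bash
+# grub2-sign
+# Signs everything important in /boot. Depends on grub2-verify.
+# Author: Bandie Kojote
+# Licence: GNU-GPLv3
+echo "Running grub2-verify to check if everything is unsigned..."
+grub2-verify
+if [ $? -lt 2 ]
+then
+echo "Run grub2-unsign first."
+exit 1
+fi
+echo -n "Passphrase: "
+stty -echo
+read pp
+stty echo
+echo -e "\n"
+for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \
+-name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
+-name "grubenv" -or -name "*.asc" -or -name "*.pf2"`;
+do
+echo $pp | gpg --batch --detach-sign --passphrase-fd 0 $i
+if [ $? -eq 0 ]
+then
+echo "$i signed."
+else
+echo "ERROR!"
+break
+fi
+done
+pp=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w 96 | head -n 1`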
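Review bot: The passphrase can be altered before gpg sees it: `read pp` interprets backslashes and trims surrounding whitespace, and the unquoted `echo $pp` in the loop word-splits and glob-expands the value, so a passphrase containing spaces, `*` or a leading `-n` is not passed through intact. The same loop iterates over unquoted `find` output, so a path under /boot that contains whitespace is split into several arguments to gpg. The pre-check `[ $? -lt 2 ]` fails open, because any status other than 0 or 1 (for example 127 when grub2-verify is not on PATH) lets signing proceed; `[ $? -ne 2 ]` matches the stated intent. On a gpg failure the `break` leaves /boot partly signed while the script still exits 0; the sketch below exits non-zero instead and uses `read -s`, which also avoids leaving the terminal without echo if the prompt is interrupted.

```shell
# … unchanged: grub2-verify pre-check (with the test changed to -ne 2) …
IFS= read -rs -p "Passphrase: " pp
echo
while IFS= read -r -d '' i
do
  if printf '%s\n' "$pp" | gpg --batch --detach-sign --passphrase-fd 0 "$i"
  then
    echo "$i signed."
  else
    echo "ERROR!" >&2
    exit 1
  fi
done < <(find /boot \( -name "*.cfg" -o -name "*.lst" -o -name "*.mod" \
  -o -name "vmlinuz*" -o -name "initrd*" -o -name "grubenv" \
  -o -name "*.asc" -o -name "*.pf2" \) -print0)
# … unchanged: pp overwrite …
```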

17
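--- /dev/null
+++ b/sbin/grub2-unsign
@@ -0,0 +1,17 @@
+#!/bin/bash
+# grub2-unsign
+# Unsigns every file in /boot. Depends on grub2-verify
+# Author: Bandie Kojote
+# Licence: GNU-GPLv3
+grub2-verify
+if [ $? -eq 1 ]
+then
+echo -e "grub2-verify has detected a one or more bad signatures.\nPlease check for malicious software before you're unsigning everything!"
+exit 1
+fi
+for i in `find /boot -name "*.sig"`
+do
+rm $i
+done
+echo "GRUB2 unsigned."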
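Review bot: The guard `[ $? -eq 1 ]` stops only on exit status 1, so when grub2-verify cannot run at all (for example 127 because it is not on PATH) every signature is deleted without any verification having taken place. Capturing the status and allowing only the two known-good outcomes closes that gap: `rc=$?; if [ "$rc" -ne 0 ] && [ "$rc" -ne 2 ]`. The removal loop word-splits the `find` output and passes it unquoted to `rm`, so a name under /boot containing whitespace makes `rm` act on paths that are not signature files; `find /boot -type f -name "*.sig" -exec rm -- {} +` removes the loop and the splitting together.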

50
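--- /dev/null
+++ b/sbin/grub2-verify
@@ -0,0 +1,50 @@
+#!/bin/bash
+# grub2-verify
+# Checks the signatures of every file which is has a signature in /boot.
+# Author: Bandie Kojote
+# Licence: GNU-GPLv3
+errorcounter=0
+c=0
+echo "Checks signature in /boot..."
+for i in `find /boot -name "*.sig"`
+do
+gpg --verify-files $i > /dev/null 2>&1
+if [ $? -ne 0 ]
+then
+((errorcounter++))
+files[$errorcounter]=$i
+fi
+((c++))
+done
+if [ $c -eq 0 ]
+then
+echo "Nothing to verify."
+exit 2
+fi
+echo -ne "There has been "
+if [ $errorcounter -eq 0 ]
+then
+echo -ne "\e[1;32mno\e[0m"
+else
+echo -ne "\e[1;31m$errorcounter\e[0m"
+fi
+if [ $errorcounter -eq 1 ]
+then
+echo " bad signature."
+else
+echo " bad signatures."
+fi
+if [ $errorcounter -gt 0 ]
+then
+for(( i=1; i<=${#files[@]}; i++))
+do
+echo "BAD signature: ${files[$i]}"
+done
+exit 1
+else
+exit 0
+fi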
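Review bot: Only files that still have a `.sig` beside them are checked, so a file in /boot whose signature was removed, or a newly added unsigned file, is never counted and the script can still print "no bad signatures" and exit 0. Walking the same name patterns that grub2-sign uses and counting a missing `$f.sig` as a failure would make the exit status reflect the whole set. A zero status from `gpg --verify-files` presumably means the signature checks out against any key in the invoking user's keyring, which is not necessarily the key GRUB itself trusts; a header comment stating which keyring and key are expected would help. The loop also passes the `find` output unquoted, so a path with whitespace is split; `gpg --verify "$i" "${i%.sig}"` inside a `find … -print0` / `read -r -d ''` loop avoids that.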