Handling of missing signatures

This commit is contained in:
Bandie 2018-03-22 13:34:56 +01:00
parent 6fb117571a
commit c97bd1d37d
Signed by: Bandie
GPG Key ID: C1E133BC65A822DD
2 changed files with 73 additions and 12 deletions

View File

@ -5,9 +5,22 @@
# Licence: GNU-GPLv3
# Check if something is wrong
if ! grub2-verify; then
grub2-verify
stat=$?
if (( $stat == 1 ))
then
printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2
exit 1
elif (( $stat == 2 ))
then
printf 'Everything is unsigned already.\n'
exit 0
elif (( $stat == 3 ))
then
printf 'Ignoring missing signatures...\n'
else
printf 'Something unknown happened!\n'
exit 99
fi
# Then remove the signatures.

View File

@ -8,42 +8,90 @@ red=$(tput setaf 1)
green=$(tput setaf 2)
normal=$(tput sgr0)
all_files=( )
all_files1=( )
all_files2=( )
error_files=( )
missing_files=( )
# Signature check part + error counter + file counter + file list
echo "Checking signatures in /boot..." >&2
while IFS= read -r -d '' i; do
if ! gpg --verify-files "$i" >/dev/null 2>&1; then
while IFS= read -r -d '' i
do
if ! gpg --verify-files "$i" >/dev/null 2>&1
then
error_files+=( "$i" )
fi
all_files+=( "$i" )
done < <(find /boot -name "*.sig" -print0)
all_files1+=( "$i" )
done < <(find /boot -type f -name "*.sig" -print0)
echo "Checking missing signatures in /boot..." >&2
while IFS= read -r -d '' i
do
if test ! -f ${i}.sig
then
missing_files+=( "$i" )
fi
all_files2+=( "$i" )
done < <(find /boot -type f -not -name "*.sig" -print0)
# Nothing to verify? Exit 2.
if (( ${#all_files[@]} == 0 )); then
if (( ${#all_files1[@]} == 0 ))
then
echo "Nothing to verify." >&2
exit 2
fi
# Message
# Message signatures
printf '%s' 'Found ' >&2
if (( ${#error_files} == 0 )); then
if (( ${#error_files} == 0 ))
then
printf '%s' "$green" "no" "$normal" >&2
else
printf '%s' "$red" "${#error_files[@]}" "$normal" >&2
fi
if (( ${#error_files[@]} == 1 )); then
if (( ${#error_files[@]} == 1 ))
then
echo " bad signature." >&2
else
echo " bad signatures." >&2
fi
# File list and exit codes
if (( ${#error_files[@]} > 0 )); then
# Message missing
printf '%s' 'Found ' >&2
if (( ${#missing_files} == 0 ))
then
printf '%s' "$green" "no" "$normal" >&2
else
printf '%s' "$red" "${#missing_files[@]}" "$normal" >&2
fi
if (( ${#missing_files[@]} == 1 ))
then
echo " missing signature." >&2
else
echo " missing signatures." >&2
fi
# File list
if (( ${#error_files[@]} > 0 ))
then
printf 'BAD signature: %s\n' "${error_files[@]}"
fi
if (( ${#missing_files[@]} > 0 ))
then
printf 'MISSING signatures: %s\n' "${missing_files[@]}"
fi
# Exit codes
if (( ${#error_files[@]} > 0 ))
then
exit 1
elif (( ${#missing_files[@]} > 0 ))
then
exit 3
else
exit 0
fi