Handling of missing signatures

This commit is contained in:
Bandie 2018-03-22 13:34:56 +01:00
parent 6fb117571a
commit c97bd1d37d
Signed by: Bandie
GPG Key ID: C1E133BC65A822DD
2 changed files with 73 additions and 12 deletions


@ -5,9 +5,22 @@
# Licence: GNU-GPLv3 # Licence: GNU-GPLv3
# Check if something is wrong # Check if something is wrong
if ! grub2-verify; then grub2-verify
stat=$?
if (( $stat == 1 ))
then
printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2 printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2
exit 1 exit 1
elif (( $stat == 2 ))
then
printf 'Everything is unsigned already.\n'
exit 0
elif (( $stat == 3 ))
then
printf 'Ignoring missing signatures...\n'
else
printf 'Something unknown happened!\n'
exit 99
fi fi
# Then remove the signatures. # Then remove the signatures.
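Review bot: `stat=$?` on the line after the bare `grub2-verify` call only sees the status if the script is not running under `set -e`; the script header (lines 1-4) is outside the hunk, so if strict mode is set there a non-zero verify status aborts the script before the `if (( $stat == 1 ))` chain runs and the exit-2 and exit-3 handling is never reached. `stat=0; grub2-verify || stat=$?` captures the status either way, and the `$` inside `(( ))` is unnecessary (`(( stat == 1 ))`). The diagnostics are also inconsistent in where they go: the bad-signature message is sent to stderr, while "Everything is unsigned already.", "Ignoring missing signatures..." and "Something unknown happened!" go to stdout; at least the failure path should be `printf 'Something unknown happened!\n' >&2`. The script continues past "# Then remove the signatures." outside the hunk.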


@ -8,42 +8,90 @@ red=$(tput setaf 1)
green=$(tput setaf 2) green=$(tput setaf 2)
normal=$(tput sgr0) normal=$(tput sgr0)
all_files=( ) all_files1=( )
all_files2=( )
error_files=( ) error_files=( )
missing_files=( )
# Signature check part + error counter + file counter + file list # Signature check part + error counter + file counter + file list
echo "Checking signatures in /boot..." >&2 echo "Checking signatures in /boot..." >&2
while IFS= read -r -d '' i; do while IFS= read -r -d '' i
if ! gpg --verify-files "$i" >/dev/null 2>&1; then do
if ! gpg --verify-files "$i" >/dev/null 2>&1
then
error_files+=( "$i" ) error_files+=( "$i" )
fi fi
all_files+=( "$i" ) all_files1+=( "$i" )
done < <(find /boot -name "*.sig" -print0) done < <(find /boot -type f -name "*.sig" -print0)
echo "Checking missing signatures in /boot..." >&2
while IFS= read -r -d '' i
do
if test ! -f ${i}.sig
then
missing_files+=( "$i" )
fi
all_files2+=( "$i" )
done < <(find /boot -type f -not -name "*.sig" -print0)
# Nothing to verify? Exit 2. # Nothing to verify? Exit 2.
if (( ${#all_files[@]} == 0 )); then if (( ${#all_files1[@]} == 0 ))
then
echo "Nothing to verify." >&2 echo "Nothing to verify." >&2
exit 2 exit 2
fi fi
# Message # Message signatures
printf '%s' 'Found ' >&2 printf '%s' 'Found ' >&2
if (( ${#error_files} == 0 )); then if (( ${#error_files} == 0 ))
then
printf '%s' "$green" "no" "$normal" >&2 printf '%s' "$green" "no" "$normal" >&2
else else
printf '%s' "$red" "${#error_files[@]}" "$normal" >&2 printf '%s' "$red" "${#error_files[@]}" "$normal" >&2
fi fi
if (( ${#error_files[@]} == 1 )); then if (( ${#error_files[@]} == 1 ))
then
echo " bad signature." >&2 echo " bad signature." >&2
else else
echo " bad signatures." >&2 echo " bad signatures." >&2
fi fi
# File list and exit codes # Message missing
if (( ${#error_files[@]} > 0 )); then printf '%s' 'Found ' >&2
if (( ${#missing_files} == 0 ))
then
printf '%s' "$green" "no" "$normal" >&2
else
printf '%s' "$red" "${#missing_files[@]}" "$normal" >&2
fi
if (( ${#missing_files[@]} == 1 ))
then
echo " missing signature." >&2
else
echo " missing signatures." >&2
fi
# File list
if (( ${#error_files[@]} > 0 ))
then
printf 'BAD signature: %s\n' "${error_files[@]}" printf 'BAD signature: %s\n' "${error_files[@]}"
fi
if (( ${#missing_files[@]} > 0 ))
then
printf 'MISSING signatures: %s\n' "${missing_files[@]}"
fi
# Exit codes
if (( ${#error_files[@]} > 0 ))
then
exit 1 exit 1
elif (( ${#missing_files[@]} > 0 ))
then
exit 3
else else
exit 0 exit 0
fi fi
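Review bot: `test ! -f ${i}.sig` in the new missing-signature loop leaves the path unquoted, so a file under /boot whose name contains whitespace or glob characters is word-split or expanded and the test either fails or mis-reports the file; it should read `if [[ ! -f "${i}.sig" ]]` (or `test ! -f "${i}.sig"`). The new count test `(( ${#missing_files} == 0 ))` copies the pre-existing pattern from the bad-signature branch and measures the string length of element 0 rather than the array size, which happens to yield 0 for an empty array but is not what the code means; `(( ${#missing_files[@]} == 0 ))` matches the check a few lines below it. `all_files2` is declared and appended to in the second `find` loop but never read anywhere in this hunk, so unless something outside the hunk uses it the array and its `+=` line can be dropped. The per-file label `'MISSING signatures: %s\n'` is printed once per file, so the singular `'MISSING signature: %s\n'` would match the `BAD signature` line. The first seven lines of the file (shebang and any `set` options) are outside the hunk.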