Bandie/grub2-signing-extension
1
0
Fork 0
mirror of https://github.com/Bandie/grub2-signing-extension.git synced 2024-04-01 15:51:26 +00:00
Code Issues Projects Releases Wiki Activity

Follow best practices for bash

Browse Source 
- Use native bash math where doing so improves readability.
- Avoid illegal exit status codes (666 in impossible scenario).
- Avoid useless use of cat (`cat foo | bar` vs the more efficient `bar <foo`).
- Avoid needless echo pipelines (`echo foo | bar` vs `bar <<<"$foo"`).
- Never use a for loop to iterate over output from `find`; `for` loops depend
  on string-splitting, which is only available with globbing behavior. See
  http://mywiki.wooledge.org/DontReadLinesWithFor
- Use `read -s` to silence feedback rather than playing around with `stty`.
- Use `tput` to retrieve color codes correct for the current terminal rather
  than assuming a terminal compatible with ANSI color codes.
- Use a expression compatible with BSD `tr` in "passphrase-shredding" code.
  (BTW, I very much doubt that this code actually does any good; it's not a
  reasonable expectation that a new string assigned to a variable will actually
  be placed at the same location in memory).
- Implementations of `echo` which do anything other than print `-e` on output
  when `echo -e` is run are nonconformant with the POSIX spec for echo.
  Similarly, `echo -n` behavior is not defined by the standard. Avoid relying
  on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html,
  particularly the APPLICATION USAGE section).
- Always quote expansions to prevent string-splitting and glob-expansion
  (`"$i"`, not `$i`).
- Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can
  be used instead.
This commit is contained in:
Charles Duffy
2015-12-30 15:32:46 -06:00
parent cc5618ac7f
commit cc43d546b2
3 changed files with 50 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
sbin/grub2-sign Normal file → Executable file
View File

@ -6,46 +6,44 @@
# Running grub2-verify first to prevent double signing
echo "Running grub2-verify to check if everything is unsigned..."
echo "Running grub2-verify to check if everything is unsigned..." >&2
grub2-verify
if [ $? -lt 2 ]
then
echo "Run grub2-unsign first."
if (( $? < 2 )); then
echo "Run grub2-unsign first." >&2
exit 1
fi
# Ask for passphrase
echo -n "Passphrase: "
stty -echo
read pp
stty echo
echo -e "\n"
IFS= read -r -s -p 'Passphrase: ' pp
# build a find command line matching relevant filenames
name_patterns=(
grubenv # fixed names
'*.'{cfg,lst,mod,asc,pf2} # names with interesting extensions
{vmlinuz,initrd}'*' # names with interesting prefixes
)
find_args=( '-false' )
for pattern in "${name_patterns[@]}"; do find_args+=( '-or' '-name' "$pattern" ); done
# Find GRUB2 datas
for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \
-name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
-name "grubenv" -or -name "*.asc" -or -name "*.pf2"`;
do
while IFS= read -r -d '' i; do
# Signing
echo $pp | gpg --batch --detach-sign --passphrase-fd 0 $i
if [ $? -eq 0 ]
then
echo "$i signed."
if gpg --batch --detach-sign --passphrase-fd 0 "$i" <<<"$pp"; then
echo "$i signed." >&2
else
echo "ERROR!"
echo "ERROR!" >&2
break
fi
done
done < <(find /boot '(' "${find_args[@]}" ')' '-print0' )
# Shredding passphrase
echo "Shredding passphrase..."
for (( i=0; $i<10; i++ ))
do
pp=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w ${#pp} | head -n 1`
done
if (( ${#pp} )); then
echo "Shredding passphrase..." >&2
for (( i=0; i<10; i++ )); do
pp=$(LC_ALL=C tr -cd '[:print:]' </dev/urandom | head -c ${#pp})
done
fi
echo "Done!"
echo "Done!" >&2
exit 0