mirror of
https://github.com/Bandie/grub2-signing-extension.git
synced 2024-04-01 15:51:26 +00:00
Follow best practices for bash
- Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo | bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo | bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead.
This commit is contained in:
parent
cc5618ac7f
commit
cc43d546b2
50
sbin/grub2-sign
Normal file → Executable file
50
sbin/grub2-sign
Normal file → Executable file
@ -6,46 +6,44 @@
|
|||||||
|
|
||||||
|
|
||||||
# Running grub2-verify first to prevent double signing
|
# Running grub2-verify first to prevent double signing
|
||||||
echo "Running grub2-verify to check if everything is unsigned..."
|
echo "Running grub2-verify to check if everything is unsigned..." >&2
|
||||||
grub2-verify
|
grub2-verify
|
||||||
if [ $? -lt 2 ]
|
if (( $? < 2 )); then
|
||||||
then
|
echo "Run grub2-unsign first." >&2
|
||||||
echo "Run grub2-unsign first."
|
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Ask for passphrase
|
# Ask for passphrase
|
||||||
echo -n "Passphrase: "
|
IFS= read -r -s -p 'Passphrase: ' pp
|
||||||
stty -echo
|
|
||||||
read pp
|
|
||||||
stty echo
|
|
||||||
echo -e "\n"
|
|
||||||
|
|
||||||
|
# build a find command line matching relevant filenames
|
||||||
|
name_patterns=(
|
||||||
|
grubenv # fixed names
|
||||||
|
'*.'{cfg,lst,mod,asc,pf2} # names with interesting extensions
|
||||||
|
{vmlinuz,initrd}'*' # names with interesting prefixes
|
||||||
|
)
|
||||||
|
find_args=( '-false' )
|
||||||
|
for pattern in "${name_patterns[@]}"; do find_args+=( '-or' '-name' "$pattern" ); done
|
||||||
|
|
||||||
# Find GRUB2 datas
|
# Find GRUB2 datas
|
||||||
for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \
|
while IFS= read -r -d '' i; do
|
||||||
-name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
|
|
||||||
-name "grubenv" -or -name "*.asc" -or -name "*.pf2"`;
|
|
||||||
do
|
|
||||||
# Signing
|
# Signing
|
||||||
echo $pp | gpg --batch --detach-sign --passphrase-fd 0 $i
|
if gpg --batch --detach-sign --passphrase-fd 0 "$i" <<<"$pp"; then
|
||||||
if [ $? -eq 0 ]
|
echo "$i signed." >&2
|
||||||
then
|
|
||||||
echo "$i signed."
|
|
||||||
else
|
else
|
||||||
echo "ERROR!"
|
echo "ERROR!" >&2
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
done
|
done < <(find /boot '(' "${find_args[@]}" ')' '-print0' )
|
||||||
|
|
||||||
|
|
||||||
# Shredding passphrase
|
# Shredding passphrase
|
||||||
echo "Shredding passphrase..."
|
if (( ${#pp} )); then
|
||||||
for (( i=0; $i<10; i++ ))
|
echo "Shredding passphrase..." >&2
|
||||||
do
|
for (( i=0; i<10; i++ )); do
|
||||||
pp=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w ${#pp} | head -n 1`
|
pp=$(LC_ALL=C tr -cd '[:print:]' </dev/urandom | head -c ${#pp})
|
||||||
done
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
echo "Done!"
|
echo "Done!" >&2
|
||||||
exit 0
|
exit 0
|
||||||
|
7
sbin/grub2-unsign
Normal file → Executable file
7
sbin/grub2-unsign
Normal file → Executable file
@ -5,14 +5,11 @@
|
|||||||
# Licence: GNU-GPLv3
|
# Licence: GNU-GPLv3
|
||||||
|
|
||||||
# Check if something is wrong
|
# Check if something is wrong
|
||||||
grub2-verify
|
if ! grub2-verify; then
|
||||||
if [ $? -eq 1 ]
|
printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2
|
||||||
then
|
|
||||||
echo -e "grub2-verify has detected a one or more bad signatures.\nPlease check for malicious software before you're unsigning everything!"
|
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Then remove the signatures.
|
# Then remove the signatures.
|
||||||
find /boot -name '*.sig' -exec rm -- '{}' +
|
find /boot -name '*.sig' -exec rm -- '{}' +
|
||||||
|
|
||||||
|
62
sbin/grub2-verify
Normal file → Executable file
62
sbin/grub2-verify
Normal file → Executable file
@ -4,62 +4,48 @@
|
|||||||
# Author: Bandie Kojote
|
# Author: Bandie Kojote
|
||||||
# Licence: GNU-GPLv3
|
# Licence: GNU-GPLv3
|
||||||
|
|
||||||
errorcounter=0
|
red=$(tput setaf 1)
|
||||||
filecounter=0
|
green=$(tput setaf 2)
|
||||||
|
normal=$(tput sgr0)
|
||||||
|
|
||||||
|
all_files=( )
|
||||||
|
error_files=( )
|
||||||
|
|
||||||
# Signature check part + error counter + file counter + file list
|
# Signature check part + error counter + file counter + file list
|
||||||
|
|
||||||
echo "Checking signatures in /boot..."
|
echo "Checking signatures in /boot..." >&2
|
||||||
for i in `find /boot -name "*.sig"`
|
while IFS= read -r -d '' i; do
|
||||||
do
|
if ! gpg --verify-files "$i" >/dev/null 2>&1; then
|
||||||
gpg --verify-files $i > /dev/null 2>&1
|
error_files+=( "$i" )
|
||||||
if [ $? -ne 0 ]
|
|
||||||
then
|
|
||||||
((errorcounter++))
|
|
||||||
files[$errorcounter]=$i
|
|
||||||
fi
|
fi
|
||||||
((filecounter++))
|
all_files+=( "$i" )
|
||||||
done
|
done < <(find /boot -name "*.sig" -print0)
|
||||||
|
|
||||||
# Nothing to verify? Exit 2.
|
# Nothing to verify? Exit 2.
|
||||||
if [ $filecounter -eq 0 ]
|
if (( ${#all_files[@]} == 0 )); then
|
||||||
then
|
echo "Nothing to verify." >&2
|
||||||
echo "Nothing to verify."
|
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Message
|
# Message
|
||||||
|
printf '%s' 'Found ' >&2
|
||||||
echo -ne "There has been "
|
if (( ${#error_files} == 0 )); then
|
||||||
if [ $errorcounter -eq 0 ]
|
printf '%s' "$green" "no" "$normal" >&2
|
||||||
then
|
|
||||||
echo -ne "\e[1;32mno\e[0m"
|
|
||||||
else
|
else
|
||||||
echo -ne "\e[1;31m$errorcounter\e[0m"
|
printf '%s' "$red" "${#error_files[@]}" "$normal" >&2
|
||||||
fi
|
fi
|
||||||
if [ $errorcounter -eq 1 ]
|
if (( ${#error_files[@]} == 1 )); then
|
||||||
then
|
echo " bad signature." >&2
|
||||||
echo " bad signature."
|
|
||||||
else
|
else
|
||||||
echo " bad signatures."
|
echo " bad signatures." >&2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# File list and exit codes
|
# File list and exit codes
|
||||||
|
if (( ${#error_files[@]} > 0 )); then
|
||||||
if [ $errorcounter -gt 0 ]
|
printf 'BAD signature: %s\n' "${error_files[@]}"
|
||||||
then
|
|
||||||
for(( i=1; i<=${#files[@]}; i++))
|
|
||||||
do
|
|
||||||
echo "BAD signature: ${files[$i]}"
|
|
||||||
done
|
|
||||||
exit 1
|
exit 1
|
||||||
else
|
else
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# WHAT?!
|
exit 99
|
||||||
exit 666
|
|
||||||
|
Loading…
Reference in New Issue
Block a user