	Merge pull request #2 from charles-dyfis-net/master
Follow best practices for bash
This commit is contained in:
		
							
								
								
									
										50
									
								
								sbin/grub2-sign
									
									
									
									
									
										
										
										Normal file → Executable file
									
								
							
							
						
						
									
										50
									
								
								sbin/grub2-sign
									
									
									
									
									
										
										
										Normal file → Executable file
									
								
							@@ -6,46 +6,44 @@
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
# Running grub2-verify first to prevent double signing
 | 
			
		||||
echo "Running grub2-verify to check if everything is unsigned..."
 | 
			
		||||
echo "Running grub2-verify to check if everything is unsigned..." >&2
 | 
			
		||||
grub2-verify
 | 
			
		||||
if [ $? -lt 2 ]
 | 
			
		||||
then
 | 
			
		||||
    echo "Run grub2-unsign first."
 | 
			
		||||
if (( $? < 2 )); then
 | 
			
		||||
    echo "Run grub2-unsign first." >&2
 | 
			
		||||
    exit 1
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
# Ask for passphrase
 | 
			
		||||
echo -n "Passphrase: "
 | 
			
		||||
stty -echo
 | 
			
		||||
read pp
 | 
			
		||||
stty echo
 | 
			
		||||
echo -e "\n"
 | 
			
		||||
IFS= read -r -s -p 'Passphrase: ' pp
 | 
			
		||||
 | 
			
		||||
# build a find command line matching relevant filenames
 | 
			
		||||
name_patterns=(
 | 
			
		||||
	grubenv				# fixed names
 | 
			
		||||
	'*.'{cfg,lst,mod,asc,pf2}	# names with interesting extensions
 | 
			
		||||
	{vmlinuz,initrd}'*'		# names with interesting prefixes
 | 
			
		||||
)
 | 
			
		||||
find_args=( '-false' )
 | 
			
		||||
for pattern in "${name_patterns[@]}"; do find_args+=( '-or' '-name' "$pattern" ); done
 | 
			
		||||
 | 
			
		||||
# Find GRUB2 datas
 | 
			
		||||
for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \
 | 
			
		||||
 -name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
 | 
			
		||||
 -name "grubenv" -or -name "*.asc" -or -name "*.pf2"`;
 | 
			
		||||
do
 | 
			
		||||
while IFS= read -r -d '' i; do
 | 
			
		||||
    # Signing
 | 
			
		||||
    echo $pp | gpg --batch --detach-sign --passphrase-fd 0 $i
 | 
			
		||||
    if [ $? -eq 0 ]
 | 
			
		||||
    then
 | 
			
		||||
        echo "$i signed."
 | 
			
		||||
    if gpg --batch --detach-sign --passphrase-fd 0 "$i" <<<"$pp"; then
 | 
			
		||||
        echo "$i signed." >&2
 | 
			
		||||
    else
 | 
			
		||||
        echo "ERROR!"
 | 
			
		||||
        echo "ERROR!" >&2
 | 
			
		||||
	break
 | 
			
		||||
    fi
 | 
			
		||||
done
 | 
			
		||||
 | 
			
		||||
done < <(find /boot '(' "${find_args[@]}" ')' '-print0' )
 | 
			
		||||
 | 
			
		||||
# Shredding passphrase
 | 
			
		||||
echo "Shredding passphrase..."
 | 
			
		||||
for (( i=0; $i<10; i++ ))
 | 
			
		||||
do
 | 
			
		||||
    pp=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w ${#pp} | head -n 1`
 | 
			
		||||
done
 | 
			
		||||
if (( ${#pp} )); then
 | 
			
		||||
    echo "Shredding passphrase..." >&2
 | 
			
		||||
    for (( i=0; i<10; i++ )); do
 | 
			
		||||
	pp=$(LC_ALL=C tr -cd '[:print:]' </dev/urandom | head -c ${#pp})
 | 
			
		||||
    done
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
echo "Done!"
 | 
			
		||||
echo "Done!" >&2
 | 
			
		||||
exit 0
 | 
			
		||||
 
 | 
			
		||||
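Review bot: The here-string `<<<"$pp"` on the gpg line lets bash materialise the passphrase as a temporary file under TMPDIR on bash releases before 5.1 (and still for inputs larger than the pipe buffer), so the secret briefly touches disk; a pipe keeps it in memory: `if printf '%s\n' "$pp" | gpg --batch --detach-sign --passphrase-fd 0 "$i"; then`. Separately, a signing failure only `break`s out of the loop, after which the script still prints "Done!" and reaches `exit 0`, so a caller cannot tell that signing was incomplete; set a flag in the else branch (`rc=1; break`) and finish with `exit "${rc:-0}"` instead of the fixed `exit 0`. The passphrase "shredding" by reassigning `pp` is best-effort at most, since bash gives no guarantee that the previous string's memory is overwritten, and a comment saying so would stop readers from relying on it. The shebang and any `set` options for this file are outside the hunk, so whether `-e` changes any of this cannot be seen here.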
							
								
								
									
										7
									
								
								sbin/grub2-unsign
									
									
									
									
									
										
										
										Normal file → Executable file
									
								
							
							
						
						
									
										7
									
								
								sbin/grub2-unsign
									
									
									
									
									
										
										
										Normal file → Executable file
									
								
							@@ -5,14 +5,11 @@
 | 
			
		||||
# Licence: GNU-GPLv3
 | 
			
		||||
 | 
			
		||||
# Check if something is wrong
 | 
			
		||||
grub2-verify
 | 
			
		||||
if [ $? -eq 1 ]
 | 
			
		||||
then
 | 
			
		||||
    echo -e "grub2-verify has detected a one or more bad signatures.\nPlease check for malicious software before you're unsigning everything!"
 | 
			
		||||
if ! grub2-verify; then
 | 
			
		||||
    printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2
 | 
			
		||||
    exit 1
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
# Then remove the signatures.
 | 
			
		||||
find /boot -name '*.sig' -exec rm -- '{}' +
 | 
			
		||||
 | 
			
		||||
 
 | 
			
		||||
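Review bot: `if ! grub2-verify; then` treats every non-zero status as "bad signatures", but grub2-verify (see its hunk in this same commit) exits 2 when there is nothing to verify and 99 on an unexpected path, and the old code only tested for status 1; with the new check an unsigned /boot now aborts grub2-unsign with a misleading "bad signatures" message. Capture the status and branch on the documented value: `rc=0`, `grub2-verify || rc=$?`, `if (( rc == 1 )); then`, and decide explicitly what the other codes should do. The printed message also carries the old typo "detected a one or more bad signatures"; "detected one or more bad signatures" reads correctly.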
							
								
								
									
										62
									
								
								sbin/grub2-verify
									
									
									
									
									
										
										
										Normal file → Executable file
									
								
							
							
						
						
									
										62
									
								
								sbin/grub2-verify
									
									
									
									
									
										
										
										Normal file → Executable file
									
								
							@@ -4,62 +4,48 @@
 | 
			
		||||
# Author: Bandie Kojote
 | 
			
		||||
# Licence: GNU-GPLv3
 | 
			
		||||
 | 
			
		||||
errorcounter=0
 | 
			
		||||
filecounter=0
 | 
			
		||||
red=$(tput setaf 1)
 | 
			
		||||
green=$(tput setaf 2)
 | 
			
		||||
normal=$(tput sgr0)
 | 
			
		||||
 | 
			
		||||
all_files=( )
 | 
			
		||||
error_files=( )
 | 
			
		||||
 | 
			
		||||
# Signature check part + error counter + file counter + file list
 | 
			
		||||
 | 
			
		||||
echo "Checking signatures in /boot..."  
 | 
			
		||||
for i in `find /boot -name "*.sig"` 
 | 
			
		||||
do 
 | 
			
		||||
    gpg --verify-files $i > /dev/null 2>&1
 | 
			
		||||
    if [ $? -ne 0 ]
 | 
			
		||||
    then
 | 
			
		||||
        ((errorcounter++))
 | 
			
		||||
        files[$errorcounter]=$i
 | 
			
		||||
echo "Checking signatures in /boot..." >&2
 | 
			
		||||
while IFS= read -r -d '' i; do
 | 
			
		||||
    if ! gpg --verify-files "$i" >/dev/null 2>&1; then
 | 
			
		||||
        error_files+=( "$i" )
 | 
			
		||||
    fi
 | 
			
		||||
    ((filecounter++))
 | 
			
		||||
done
 | 
			
		||||
    all_files+=( "$i" )
 | 
			
		||||
done < <(find /boot -name "*.sig" -print0)
 | 
			
		||||
 | 
			
		||||
# Nothing to verify? Exit 2.
 | 
			
		||||
if [ $filecounter -eq 0 ]
 | 
			
		||||
then
 | 
			
		||||
    echo "Nothing to verify."
 | 
			
		||||
if (( ${#all_files[@]} == 0 )); then
 | 
			
		||||
    echo "Nothing to verify." >&2
 | 
			
		||||
    exit 2
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
# Message
 | 
			
		||||
 | 
			
		||||
echo -ne "There has been "
 | 
			
		||||
if [ $errorcounter -eq 0 ]
 | 
			
		||||
then
 | 
			
		||||
    echo -ne "\e[1;32mno\e[0m"
 | 
			
		||||
printf '%s' 'Found ' >&2
 | 
			
		||||
if (( ${#error_files} == 0 )); then
 | 
			
		||||
    printf '%s' "$green" "no" "$normal" >&2
 | 
			
		||||
else
 | 
			
		||||
    echo -ne "\e[1;31m$errorcounter\e[0m"
 | 
			
		||||
    printf '%s' "$red" "${#error_files[@]}" "$normal" >&2
 | 
			
		||||
fi
 | 
			
		||||
if [ $errorcounter -eq 1 ]
 | 
			
		||||
then
 | 
			
		||||
    echo " bad signature."
 | 
			
		||||
if (( ${#error_files[@]} == 1 )); then
 | 
			
		||||
    echo " bad signature." >&2
 | 
			
		||||
else
 | 
			
		||||
    echo " bad signatures."
 | 
			
		||||
    echo " bad signatures." >&2
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
# File list and exit codes
 | 
			
		||||
 | 
			
		||||
if [ $errorcounter -gt 0 ]
 | 
			
		||||
then
 | 
			
		||||
    for(( i=1; i<=${#files[@]}; i++))
 | 
			
		||||
    do
 | 
			
		||||
        echo "BAD signature: ${files[$i]}"
 | 
			
		||||
    done
 | 
			
		||||
if (( ${#error_files[@]} > 0 )); then
 | 
			
		||||
    printf 'BAD signature: %s\n' "${error_files[@]}"
 | 
			
		||||
    exit 1
 | 
			
		||||
else
 | 
			
		||||
    exit 0
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
# WHAT?!
 | 
			
		||||
exit 666 
 | 
			
		||||
exit 99
 | 
			
		||||
 
 | 
			
		||||
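Review bot: `if (( ${#error_files} == 0 )); then` measures the string length of `${error_files[0]}`, not the element count; it happens to give the right answer here only because an empty array yields 0 and any path is non-empty, and it is inconsistent with the `${#error_files[@]}` used on the three later conditions. Change it to `if (( ${#error_files[@]} == 0 )); then`. The `printf '%s' "$green" "no" "$normal" >&2` lines rely on printf reusing a single `%s` for three arguments, which works but is easy to misread as a bug; `printf '%s%s%s'` states the intent. The `BAD signature:` list goes to stdout while every other message in the file goes to stderr; if that split is deliberate (list on stdout for consumers, diagnostics on stderr), a one-line comment above the printf would make it clear.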