Bandie/grub2-signing-extension
1
0
Fork 0
mirror of https://github.com/Bandie/grub2-signing-extension.git synced 2024-04-01 15:51:26 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #2 from charles-dyfis-net/master

Browse Source 
Follow best practices for bash
This commit is contained in:
Bandie Yip Kojote 2015-12-31 02:49:10 +01:00
commit ea444b288b
3 changed files with 50 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
sbin/grub2-sign Normal file → Executable file
View File

@ -6,46 +6,44 @@
# Running grub2-verify first to prevent double signing # Running grub2-verify first to prevent double signing
echo "Running grub2-verify to check if everything is unsigned..." echo "Running grub2-verify to check if everything is unsigned..." >&2
grub2-verify grub2-verify
if [ $? -lt 2 ] if (( $? < 2 )); then
then echo "Run grub2-unsign first." >&2
echo "Run grub2-unsign first."
exit 1 exit 1
fi fi
# Ask for passphrase # Ask for passphrase
echo -n "Passphrase: " IFS= read -r -s -p 'Passphrase: ' pp
stty -echo
read pp
stty echo
echo -e "\n"
# build a find command line matching relevant filenames
name_patterns=(
grubenv # fixed names
'*.'{cfg,lst,mod,asc,pf2} # names with interesting extensions
{vmlinuz,initrd}'*' # names with interesting prefixes
)
find_args=( '-false' )
for pattern in "${name_patterns[@]}"; do find_args+=( '-or' '-name' "$pattern" ); done
# Find GRUB2 datas # Find GRUB2 datas
for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \ while IFS= read -r -d '' i; do
-name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
-name "grubenv" -or -name "*.asc" -or -name "*.pf2"`;
do
# Signing # Signing
echo $pp | gpg --batch --detach-sign --passphrase-fd 0 $i if gpg --batch --detach-sign --passphrase-fd 0 "$i" <<<"$pp"; then
if [ $? -eq 0 ] echo "$i signed." >&2
then
echo "$i signed."
else else
echo "ERROR!" echo "ERROR!" >&2
break break
fi fi
done done < <(find /boot '(' "${find_args[@]}" ')' '-print0' )
# Shredding passphrase # Shredding passphrase
echo "Shredding passphrase..." if (( ${#pp} )); then
for (( i=0; $i<10; i++ )) echo "Shredding passphrase..." >&2
do for (( i=0; i<10; i++ )); do
pp=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w ${#pp} | head -n 1` pp=$(LC_ALL=C tr -cd '[:print:]' </dev/urandom | head -c ${#pp})
done done
fi
echo "Done!" echo "Done!" >&2
exit 0 exit 0

7
sbin/grub2-unsign Normal file → Executable file
View File

@ -5,14 +5,11 @@
# Licence: GNU-GPLv3 # Licence: GNU-GPLv3
# Check if something is wrong # Check if something is wrong
grub2-verify if ! grub2-verify; then
if [ $? -eq 1 ] printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2
then
echo -e "grub2-verify has detected a one or more bad signatures.\nPlease check for malicious software before you're unsigning everything!"
exit 1 exit 1
fi fi
# Then remove the signatures. # Then remove the signatures.
find /boot -name '*.sig' -exec rm -- '{}' + find /boot -name '*.sig' -exec rm -- '{}' +

62
sbin/grub2-verify Normal file → Executable file
View File

@ -4,62 +4,48 @@
# Author: Bandie Kojote # Author: Bandie Kojote
# Licence: GNU-GPLv3 # Licence: GNU-GPLv3
errorcounter=0 red=$(tput setaf 1)
filecounter=0 green=$(tput setaf 2)
normal=$(tput sgr0)
all_files=( )
error_files=( )
# Signature check part + error counter + file counter + file list # Signature check part + error counter + file counter + file list
echo "Checking signatures in /boot..." echo "Checking signatures in /boot..." >&2
for i in `find /boot -name "*.sig"` while IFS= read -r -d '' i; do
do if ! gpg --verify-files "$i" >/dev/null 2>&1; then
gpg --verify-files $i > /dev/null 2>&1 error_files+=( "$i" )
if [ $? -ne 0 ]
then
((errorcounter++))
files[$errorcounter]=$i
fi fi
((filecounter++)) all_files+=( "$i" )
done done < <(find /boot -name "*.sig" -print0)
# Nothing to verify? Exit 2. # Nothing to verify? Exit 2.
if [ $filecounter -eq 0 ] if (( ${#all_files[@]} == 0 )); then
then echo "Nothing to verify." >&2
echo "Nothing to verify."
exit 2 exit 2
fi fi
# Message # Message
printf '%s' 'Found ' >&2
echo -ne "There has been " if (( ${#error_files} == 0 )); then
if [ $errorcounter -eq 0 ] printf '%s' "$green" "no" "$normal" >&2
then
echo -ne "\e[1;32mno\e[0m"
else else
echo -ne "\e[1;31m$errorcounter\e[0m" printf '%s' "$red" "${#error_files[@]}" "$normal" >&2
fi fi
if [ $errorcounter -eq 1 ] if (( ${#error_files[@]} == 1 )); then
then echo " bad signature." >&2
echo " bad signature."
else else
echo " bad signatures." echo " bad signatures." >&2
fi fi
# File list and exit codes # File list and exit codes
if (( ${#error_files[@]} > 0 )); then
if [ $errorcounter -gt 0 ] printf 'BAD signature: %s\n' "${error_files[@]}"
then
for(( i=1; i<=${#files[@]}; i++))
do
echo "BAD signature: ${files[$i]}"
done
exit 1 exit 1
else else
exit 0 exit 0
fi fi
# WHAT?! exit 99
exit 666