Usage of shred instead of rm

Makefile

@@ -6,14 +6,14 @@ all:
 	@printf "Nothing to make. Run make install.\n"
 
 install:
-	cp ./sbin/grub2-verify /usr/sbin/
-	cp ./sbin/grub2-sign /usr/sbin/
-	cp ./sbin/grub2-unsign /usr/sbin/
-	cp ./sbin/grub2-update-kernel-signature /usr/sbin/
-	chown root:root /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature}
-	chmod 744 /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature}
+	@printf "Check for old scripts and remove them...\n"
+	rm -f /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature}
+	install -D -m744 sbin/grub-verify /usr/sbin/grub-verify
+	install -D -m744 sbin/grub-sign /usr/sbin/grub-sign
+	install -D -m744 sbin/grub-unsign /usr/sbin/grub-unsign
+	install -D -m744 sbin/grub-update-kernel-signature /usr/sbin/grub-update-kernel-signature
 	@printf "Done.\n"
 
 uninstall:
-	rm /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature}
+	rm -f /usr/sbin/grub-{verify,sign,unsign,update-kernel-signature}
 	@printf "Done.\n"

README.md

@@ -14,62 +14,57 @@ You need
 
 
 
-## Preparation
+## Installation
+### Arch Linux (AUR)
+- Import [Bandie's GPG key](https://bandie.org/assets/bandie.pub.asc) through running `gpg --recv-keys E2D7876915312785DC086BFCC1E133BC65A822DD`.
+- Use your favourite AUR helper to install [grub2-signing-extension](https://aur.archlinux.org/packages/grub2-signing-extension/).
 
-Before you can use the signing and verification feature you need to generate a keypair as root. Please use a secure passphrase.
+### From github
+- Import [Bandie's GPG key](https://bandie.org/assets/bandie.pub.asc) through running `gpg --recv-keys E2D7876915312785DC086BFCC1E133BC65A822DD`.
+- Download the [grub2-signing-extension](https://github.com/Bandie/grub2-signing-extension/releases/download/0.1.2/grub2-signing-extension-0.1.2.tar.gz) and it's [signature](https://github.com/Bandie/grub2-signing-extension/releases/download/0.1.2/grub2-signing-extension-0.1.2.tar.gz.asc). 
+- Run `gpg --verify grub2-signing-extension*.tar.gz.asc` to make sure that everything is alright.
+- Unpack the tar archive. `tar xvf grub2-signing-extension*.tar.gz`
+- Change into the grub2-signing-extension directory.
+- Run `make install` as root. 
 
-`# gpg --gen-key`
+You will now have `grub-sign`, `grub-unsign`, `grub-verify` and `grub-update-kernel-signature` as runable scripts.
 
 
-To make gpg able to sign and verify files in a `su` environment we need to activate the gpg-agent for root. 
+## Enabling GRUB2 check\_signatures feature
 
-Edit the file _/root/.gnupg/gpg.conf_ and add the line `use-agent`.
+Before you can use the signing and verification feature you need to generate a keypair as root.
 
-Save the file and create _/root/.gnupg/gpg-agent.conf_ with the following content
+- Run `gpg --gen-key` as root. Please use a secure passphrase.
+- Activate the `gpg-agent` for root so that you are able to sign and verify files in a `su` environment. To do that:
+  - Edit the file _/root/.gnupg/gpg.conf_ and add the line `use-agent`. Save the file.
+  - Create _/root/.gnupg/gpg-agent.conf_ with the following content
+      ```
+      pinentry-program /usr/bin/pinentry-curses
+      no-grab
+      default-cache-ttl 1800
+      ```
+- Export your public key through running `gpg --export -o ~/pubkey`.
+- `mount /boot` (assuming your /boot partition is in your /etc/fstab)
+- (Re)install GRUB2. The following command will install root's public key into the core and instruct to load the modules `gcry_sha256`, `gcry_sha512` `gcry_dsa` and `gcry_rsa` at start so that GRUB2 will be able to do verifications. GRUB2 will take the right crypto for you then, depending on your system's configuration.
+  - `grub-install /dev/sda -k /root/pubkey --modules="gcry_sha256 gcry_sha512 gcry_dsa gcry_rsa"`
+- Enable GRUB2's check\_signatures feature:
+  - Insert the following content at the end of the file of */etc/grub.d/00_header*
+      ```
+      cat << EOF
+      set check_signatures=enforce
+      EOF
+      ```    
+- Run`grub-mkconfig -o /boot/grub/grub.cfg` to make the new configuration valid.
+- Sign your bootloader running `grub-sign` and enter your GPG passphrase. 
 
-    pinentry-program /usr/bin/pinentry-curses
-    no-grab
-    default-cache-ttl 1800
+**It is also recommended to install a password in GRUB2! [See ADDENDUM]**
 
 
+## How to update the signatures on changes
 
-## How to install the GRUB2 check\_signatures feature and using the grub2-signing-extension
+On every change at the GRUB2 core files you need to run `grub-unsign` first before you make your changes. Please notice, if you reinstall GRUB2, you should do it as it is said above. Otherwise the signature check won't work.
 
-First, export your public key.
-
-`# gpg --export -o ~/pubkey`
-
-
-Next step, `mount /boot` and (re)install GRUB2. You need to install the public key into the core and instruct to load the modules `gcry_sha256` `gcry_dsa` and `gcry_rsa` at start. So you need the following arguments to install it this way
-
-`grub-install /dev/sda -k /root/pubkey --modules="gcry_sha256 gcry_dsa gcry_rsa"`
-
-
-Now download the grub2-signing-extension and run `make install` as root. You will now have `grub2-sign`, `grub2-unsign`, `grub2-verify` and `grub2-update-kernel-signature` as runable scripts.
-
-
-To _enable_ GRUB2's check\_signatures feature insert the following content at the end of the file of */etc/grub.d/00_header* 
-
-    cat << EOF
-    set check_signatures=enforce
-    EOF
-
-
-Run `grub-mkconfig -o /boot/grub/grub.cfg` to make the new configuration valid.
-
-Now the time is come to sign your GRUB2 bootloader. Just run `grub2-sign`, enter your passphrase and that's it.
-
-**It's also recommended to install a password in GRUB2! [See ADDENDUM]**
-
-
-
-
-
-## How to update the signatures on change
-
-On every change at the GRUB2 core files you need to run `grub2-unsign` first before you make your changes. Please notice, if you reinstall GRUB2, you should do it as it is said above. Otherwise the signature check won't work.
-
-If you do some changes or updates for the kernel or initramfs, you may want to use `grub2-update-kernel-signature` instead.
+If you do some changes or updates for the kernel or initramfs, you may want to use `grub-update-kernel-signature` instead.
 
 
 
@@ -78,15 +73,15 @@ If you do some changes or updates for the kernel or initramfs, you may want to u
 
 If you didn't read the instruction above here is what the scripts does:
 
-* `grub2-sign` is signing the bootloader files with root's keypair.
-* `grub2-unsign` is removing the signatures of the bootloader files.
-* `grub2-verify` is checking if your signatures are good. If not, you will see which signature is bad.
-* `grub2-update-kernel-signature` is renewing the signatures in /boot/. (without subdirs) regardless if grub2-verify fails.
+* `grub-sign` is signing the bootloader files with root's keypair.
+* `grub-unsign` is removing the signatures of the bootloader files.
+* `grub-verify` is checking if your signatures are good. If not, you will see which signature is bad.
+* `grub-update-kernel-signature` is renewing the signatures in /boot/ (without subdirs) and grub.cfg, regardless if grub-verify fails.
 
 
 ## Exit codes
 
-You might be interested in the exit codes of `grub2-verify` to use it in your monitoring tools:
+You might be interested in the exit codes of `grub-verify` to use it in your monitoring tools:
 
 ```
 0 - Everything is okay
@@ -112,8 +107,8 @@ chown root:root $(tty)
 
 ### I forgot to run grub2-unsign before I made changes. What now?
 
-Run `grub2-verify` to see, which signature is bad. Remove the signature and run `grub2-unsign`, after this `grub2-sign`.
-Alternatively, if you just updated your kernel/initramfs, run `grub2-update-kernel-signatures`.
+Run `grub-verify` to see, which signature is bad. Remove the signature and run `grub-unsign`, after this `grub-sign`.
+Alternatively, if you just updated your kernel/initramfs/grub.cfg, run `grub-update-kernel-signatures`.
 
 
 ### How can I switch off GRUB2's check\_signature feature?
@@ -124,7 +119,7 @@ Open */etc/grub.d/00_header* and remove the part
     set check_signatures=enforce
     EOF
 
-Run `grub2-unsign` and `grub-mkconfig -o /boot/grub/grub.cfg`.
+Run `grub-unsign` and `grub-mkconfig -o /boot/grub/grub.cfg`.
 
 Also you should reinstall grub2, using something like `grub-install /dev/sda`.
 
@@ -132,8 +127,8 @@ Also you should reinstall grub2, using something like `grub-install /dev/sda`.
 ### Suddenly I can't boot! This is YOUR FAULT!
 
 No. An important signature is bad. So GRUB2 didn't run this part of code/configuration/kernel/whatever.
-You could do a chroot using an USB dongle with a GNU/Linux distribution on it. If you're chrooted to your system run `grub2-verify`. 
-If you think this happened through an update shortly done by you, you may want to run `gpg-agent --daemon ; grub2-update-kernel-signatures`.
+You could do a chroot using an USB dongle with a GNU/Linux distribution on it. If you're chrooted to your system run `grub-verify`. 
+If you think this happened through an update shortly done by you, you may want to run `gpg-agent --daemon ; grub-update-kernel-signatures`.
 
 
 ### Okay, I really got some bad signatures not caused by me. What do I do now?
@@ -146,35 +141,33 @@ Check your system thoroughly. Check it about malicious software. Check it about
 
 ## How to install a GRUB2 password
 
-Run `grub-mkpasswd-pbkdf2` and type a password. Please take care because in the GRUB2 standard installation the keyboard layout is set to en\_US.
-Copy the content of *grub.pbkdf2.[...]* to your clipboard. Open the file */etc/grub.d/00_header* and insert this at the end of the file
-
+- Generate a GRUB2 password string through running `grub-mkpasswd-pbkdf2`. Please take care because in the GRUB2 standard installation the keyboard layout is set to en\_US.
+- Copy the generated *grub.pbkdf2.[...]* string to your clipboard.
+- Open the file */etc/grub.d/00_header* and insert this at the end of the file
+    ```
     cat << EOF
     set superusers="yourUsername"
     export superusers
-    password_pbkdf2 yourUsername grub.pbkdf2.[...this string from the clipboard...]
+    password_pbkdf2 yourUsername [...this grub.pbkdf2.* string from the clipboard...]
     EOF
-
-To boot GNU/Linux automatically and without authentication open */etc/grub.d/10_linux* and change the following lines like this
-
-     echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+    ```
+- To boot GNU/Linux automatically and without authentication open */etc/grub.d/10_linux* and change the following lines from
+  ```
+      echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
     else
-     echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+      echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
     fi
+  ```
+  to
 
-to
-
-     echo "menuentry '$(echo "$title" | grub_quote)' --unrestricted ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+  ```
+      echo "menuentry '$(echo "$title" | grub_quote)' --unrestricted ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
     else
-     echo "menuentry '$(echo "$os" | grub_quote)' --unrestricted ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+      echo "menuentry '$(echo "$os" | grub_quote)' --unrestricted ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
     fi
-
-The important changing is the flag *--unrestricted*.
-
-
-Run `grub2-unsign` to unsign the bootloader. 
-
-Then run `grub-mkconfig -o /boot/grub/grub.cfg` to write the new config. 
-
-After this run `grub2-sign` again to sign the new changings.
-
+  ```
+  The important changing is the flag *--unrestricted*.
+  
+- Run `grub-unsign` to unsign the bootloader.
+- Run `grub-mkconfig -o /boot/grub/grub.cfg` to write the new config.
+- Run `grub-sign` to sign the new changings.

sbin/grub-sign

@@ -5,7 +5,7 @@
 # Licence: GNU-GPLv3
 
 function sign(){
-  for f in `find /boot -type f`
+  for f in $(find /boot -iname "efi" -prune -o -type f -print)
   do
     if gpg --detach-sign $f
     then
@@ -20,7 +20,7 @@ function sign(){
 
 # Running grub2-verify first to prevent bad people and double signing
 echo "Running grub2-verify to check if everything is unsigned..." >&2
-grub2-verify
+grub-verify
 if (( $? < 2 )); then
     echo "Run grub2-unsign first." >&2
     exit 1

sbin/grub-unsign

@@ -5,30 +5,28 @@
 # Licence: GNU-GPLv3
 
 # Check if something is wrong
-grub2-verify
+grub-verify
 stat=$?
-if (( $stat == 1 ))
-then
+case "$stat" in
+1)
   printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2
   exit 1
-elif (( $stat == 2 ))
-then
+	;;
+2)
   printf 'Everything is unsigned already.\n'
   exit 0
-elif (( $stat == 3 ))
-then
+	;;
+3)
   printf 'Ignoring missing signatures...\n'
-elif (( $stat == 0 ))
-then
+	;&
+0|3)	
   # Then remove the signatures.
-  find /boot -name '*.sig' -exec rm -- '{}' +
+  find /boot -iname "efi" -prune -o -name '*.sig' -exec shred --remove=unlink {} +
 
   echo "GRUB2 unsigned. WARNING: If you want to deactivate GRUB2's signature feature, change the check_signatures variable in the headers file!"
   exit 0
-
-else
+	;;
+*)
   printf 'Something unknown happened!\n'
   exit 99
-fi
-
-
+esac

sbin/grub-update-kernel-signature

@@ -14,11 +14,18 @@ function sign(){
       return 1
     fi
   done
+  if gpg --detach-sign "/boot/grub/grub.cfg"
+  then
+    echo /boot/grub/grub.cfg signed.
+  else
+    return 1
+  fi
   return 0
 }
 
 
-rm /boot/*.sig
+shred --remove=unlink /boot/*.sig
+shred --remove=unlink /boot/grub/grub.cfg.sig
 
 if ! sign
 then

sbin/grub-verify

@@ -22,7 +22,7 @@ do
         error_files+=( "$i" )
     fi
     all_files+=( "$i" )
-done < <(find /boot -type f -name "*.sig" -print0)
+done < <(find /boot -iname "efi" -prune -o -type f -name "*.sig" -print0)
 
 echo "Checking missing signatures in /boot..." >&2
 while IFS= read -r -d '' i
@@ -31,7 +31,7 @@ do
     then
         missing_files+=( "$i" )
     fi
-done < <(find /boot -type f -not -name "*.sig" -print0)
+done < <(find /boot -iname "efi" -prune -o -type f -not -name "*.sig" -print0)
 
 # Nothing to verify? Exit 2.
 if (( ${#all_files[@]} == 0 ))