Author | SHA1 | Date | |
---|---|---|---|
c7b049cc96 | |||
4b42d088eb | |||
d04a4e5151 | |||
a582827367 | |||
13345bc188 |
|
@ -45,8 +45,8 @@ Before you can use the signing and verification feature you need to generate a k
|
||||||
```
|
```
|
||||||
- Export your public key through running `gpg --export -o ~/pubkey`.
|
- Export your public key through running `gpg --export -o ~/pubkey`.
|
||||||
- `mount /boot` (assuming your /boot partition is in your /etc/fstab)
|
- `mount /boot` (assuming your /boot partition is in your /etc/fstab)
|
||||||
- (Re)install GRUB2. The following command will install root's public key into the core and instruct to load the modules `gcry_sha256` `gcry_dsa` and `gcry_rsa` at start so that GRUB2 will be able to do verifications.
|
- (Re)install GRUB2. The following command will install root's public key into the core and instruct to load the modules `gcry_sha256`, `gcry_sha512` `gcry_dsa` and `gcry_rsa` at start so that GRUB2 will be able to do verifications. GRUB2 will take the right crypto for you then, depending on your system's configuration.
|
||||||
- `grub-install /dev/sda -k /root/pubkey --modules="gcry_sha256 gcry_dsa gcry_rsa"`
|
- `grub-install /dev/sda -k /root/pubkey --modules="gcry_sha256 gcry_sha512 gcry_dsa gcry_rsa"`
|
||||||
- Enable GRUB2's check\_signatures feature:
|
- Enable GRUB2's check\_signatures feature:
|
||||||
- Insert the following content at the end of the file of */etc/grub.d/00_header*
|
- Insert the following content at the end of the file of */etc/grub.d/00_header*
|
||||||
```
|
```
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
# Licence: GNU-GPLv3
|
# Licence: GNU-GPLv3
|
||||||
|
|
||||||
function sign(){
|
function sign(){
|
||||||
for f in `find /boot -type f`
|
for f in $(find /boot -iname "efi" -prune -o -type f -print)
|
||||||
do
|
do
|
||||||
if gpg --detach-sign $f
|
if gpg --detach-sign $f
|
||||||
then
|
then
|
||||||
|
@ -20,7 +20,7 @@ function sign(){
|
||||||
|
|
||||||
# Running grub2-verify first to prevent bad people and double signing
|
# Running grub2-verify first to prevent bad people and double signing
|
||||||
echo "Running grub2-verify to check if everything is unsigned..." >&2
|
echo "Running grub2-verify to check if everything is unsigned..." >&2
|
||||||
grub2-verify
|
grub-verify
|
||||||
if (( $? < 2 )); then
|
if (( $? < 2 )); then
|
||||||
echo "Run grub2-unsign first." >&2
|
echo "Run grub2-unsign first." >&2
|
||||||
exit 1
|
exit 1
|
||||||
|
|
|
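Review bot: `for f in $(find /boot -iname "efi" -prune -o -type f -print)` in the first hunk still word-splits and globs the find output, and `$f` in `gpg --detach-sign $f` stays unquoted, so a path under /boot containing whitespace or glob characters is signed as the wrong file or skipped; the commit swapped backticks for `$(...)` but kept that loop shape. The verify hunks below already iterate NUL-delimited, and the same shape fits here: `while IFS= read -r -d '' f` / `do` / `if gpg --detach-sign "$f"`, closed with `done < <(find /boot -iname "efi" -prune -o -type f -print0)` (process substitution rather than a pipe keeps the loop in the current shell, so a `return` inside it still works). Note also that `-iname "efi" -prune` excludes any entry named efi at any depth, case-insensitively; if only the ESP mount point is meant, `-path /boot/efi -prune` is exact, and the same holds for the find calls in the unsign and verify hunks below. The body of sign() continues outside the hunk.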
@ -5,7 +5,7 @@
|
||||||
# Licence: GNU-GPLv3
|
# Licence: GNU-GPLv3
|
||||||
|
|
||||||
# Check if something is wrong
|
# Check if something is wrong
|
||||||
grub2-verify
|
grub-verify
|
||||||
stat=$?
|
stat=$?
|
||||||
case "$stat" in
|
case "$stat" in
|
||||||
1)
|
1)
|
||||||
|
@ -21,7 +21,7 @@ case "$stat" in
|
||||||
;&
|
;&
|
||||||
0|3)
|
0|3)
|
||||||
# Then remove the signatures.
|
# Then remove the signatures.
|
||||||
find /boot -name '*.sig' -exec rm {} +
|
find /boot -iname "efi" -prune -o -name '*.sig' -exec shred --remove=unlink {} +
|
||||||
|
|
||||||
echo "GRUB2 unsigned. WARNING: If you want to deactivate GRUB2's signature feature, change the check_signatures variable in the headers file!"
|
echo "GRUB2 unsigned. WARNING: If you want to deactivate GRUB2's signature feature, change the check_signatures variable in the headers file!"
|
||||||
exit 0
|
exit 0
|
||||||
|
|
|
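Review bot: `-exec shred --remove=unlink {} +` at the end of the second hunk gains nothing over `rm` here: a detached `.sig` file holds no secret (the signed file stays readable beside it), and GNU coreutils documents shred's overwrite as unreliable on journaled or copy-on-write filesystems, while it costs three full write passes per file. Either revert to `-exec rm -f -- {} +` or add a comment stating why the overwrite is wanted, e.g. `# shred rather than rm: <reason>`. The same applies to the two `shred --remove=unlink` lines in the resign hunk further down. The case statement continues outside the hunk.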
@ -24,8 +24,8 @@ function sign(){
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
rm /boot/*.sig
|
shred --remove=unlink /boot/*.sig
|
||||||
rm /boot/grub/grub.cfg.sig
|
shred --remove=unlink /boot/grub/grub.cfg.sig
|
||||||
|
|
||||||
if ! sign
|
if ! sign
|
||||||
then
|
then
|
||||||
|
|
|
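Review bot: `shred --remove=unlink /boot/*.sig` (like the `rm` it replaces) receives the literal pattern when no `.sig` file exists, so on a /boot that is not yet signed the command errors on a file named `*.sig` before signing starts; whether that aborts the script depends on `set -e`, which is outside the hunk. Guard the expansion with `shopt -s nullglob` above these lines, or delete only when the glob matched, e.g. `sigs=(/boot/*.sig); [[ -e "${sigs[0]}" ]] && shred --remove=unlink "${sigs[@]}"`. The enclosing script continues outside the hunk on both sides.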
@ -22,7 +22,7 @@ do
|
||||||
error_files+=( "$i" )
|
error_files+=( "$i" )
|
||||||
fi
|
fi
|
||||||
all_files+=( "$i" )
|
all_files+=( "$i" )
|
||||||
done < <(find /boot -type f -name "*.sig" -print0)
|
done < <(find /boot -iname "efi" -prune -o -type f -name "*.sig" -print0)
|
||||||
|
|
||||||
echo "Checking missing signatures in /boot..." >&2
|
echo "Checking missing signatures in /boot..." >&2
|
||||||
while IFS= read -r -d '' i
|
while IFS= read -r -d '' i
|
||||||
|
@ -31,7 +31,7 @@ do
|
||||||
then
|
then
|
||||||
missing_files+=( "$i" )
|
missing_files+=( "$i" )
|
||||||
fi
|
fi
|
||||||
done < <(find /boot -type f -not -name "*.sig" -print0)
|
done < <(find /boot -iname "efi" -prune -o -type f -not -name "*.sig" -print0)
|
||||||
|
|
||||||
# Nothing to verify? Exit 2.
|
# Nothing to verify? Exit 2.
|
||||||
if (( ${#all_files[@]} == 0 ))
|
if (( ${#all_files[@]} == 0 ))
|
||||||
|
|
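Review bot: Both rewritten find calls now drop everything under any entry named `efi` from the signature scan and from the missing-signature scan, but nothing in either hunk records why, so a reader of a clean verify run may take the pruned files for verified ones. A comment above the first loop would close that gap, e.g. `# /boot/efi is intentionally excluded from signing and verification; see README for the rationale` — presumably because the ESP is handled separately, which is worth confirming. Both while loops begin outside the hunks.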