

4 Commits

Author SHA1 Message Date
Bandie c7b049cc96
Usage of shred instead of rm 2021-07-22 23:15:09 +02:00
Bandie 4b42d088eb
Excluding the EFI directory. Fixes #10 2021-02-13 13:54:17 +01:00
Bandie d04a4e5151
gcry_sha512 in README 2020-07-26 21:02:16 +02:00
Bandie a582827367
gcry_sha512 2020-01-25 11:17:05 +01:00
5 changed files with 8 additions and 8 deletions


@ -45,8 +45,8 @@ Before you can use the signing and verification feature you need to generate a k
```
- Export your public key through running `gpg --export -o ~/pubkey`.
- `mount /boot` (assuming your /boot partition is in your /etc/fstab)
- (Re)install GRUB2. The following command will install root's public key into the core and instruct to load the modules `gcry_sha256` `gcry_dsa` and `gcry_rsa` at start so that GRUB2 will be able to do verifications.
- `grub-install /dev/sda -k /root/pubkey --modules="gcry_sha256 gcry_dsa gcry_rsa"`
- (Re)install GRUB2. The following command will install root's public key into the core and instruct to load the modules `gcry_sha256`, `gcry_sha512` `gcry_dsa` and `gcry_rsa` at start so that GRUB2 will be able to do verifications. GRUB2 will take the right crypto for you then, depending on your system's configuration.
- `grub-install /dev/sda -k /root/pubkey --modules="gcry_sha256 gcry_sha512 gcry_dsa gcry_rsa"`
- Enable GRUB2's check\_signatures feature:
- Insert the following content at the end of the file of */etc/grub.d/00_header*
```


@ -5,7 +5,7 @@
# Licence: GNU-GPLv3
function sign(){
for f in `find /boot -type f`
for f in $(find /boot -iname "efi" -prune -o -type f -print)
do
if gpg --detach-sign $f
then
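Review bot: The new `for f in $(find … -print)` line (presumably the second of the pair) still word-splits and glob-expands find's output, so a path under /boot containing whitespace or a glob character reaches gpg as several arguments, and `gpg --detach-sign $f` two lines below is unquoted as well; the verify script changed in this same commit already handles this with `-print0` and `read -r -d ''`. The loop header would become `while IFS= read -r -d '' f`, the gpg line `if gpg --detach-sign -- "$f"`, and the loop's closing `done`, which is outside this hunk, `done < <(find /boot -iname "efi" -prune -o -type f -print0)`. Separately, `-iname "efi"` prunes any entry named efi at any depth rather than only the ESP mount point; `-path /boot/efi -prune` is the narrower match if that is the intent. The body of `sign` continues past the hunk.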


@ -21,7 +21,7 @@ case "$stat" in
;&
0|3)
# Then remove the signatures.
find /boot -name '*.sig' -exec rm {} +
find /boot -iname "efi" -prune -o -name '*.sig' -exec shred --remove=unlink {} +
echo "GRUB2 unsigned. WARNING: If you want to deactivate GRUB2's signature feature, change the check_signatures variable in the headers file!"
exit 0
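Review bot: `-name '*.sig'` on the new find line has no `-type f`, so a directory whose name ends in `.sig` would be handed to `shred`, which fails on directories; the verify script in this same change pairs `-type f` with `-name "*.sig"`, and `find /boot -iname "efi" -prune -o -type f -name '*.sig' -exec shred --remove=unlink -- {} +` keeps the two consistent. More broadly, detached signatures are not secret, so replacing `rm` with `shred` here and in the `/boot/*.sig` lines of the other script changed in this commit adds no confidentiality, while GNU shred's own documentation says its overwrite is not reliable on journaled or copy-on-write filesystems and `--remove=unlink` is only accepted by newer coreutils; a one-line comment stating why shred was chosen would help the next reader. The case arm this line belongs to starts outside the hunk.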


@ -24,8 +24,8 @@ function sign(){
}
rm /boot/*.sig
rm /boot/grub/grub.cfg.sig
shred --remove=unlink /boot/*.sig
shred --remove=unlink /boot/grub/grub.cfg.sig
if ! sign
then
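Review bot: `shred --remove=unlink /boot/*.sig` depends on an unquoted glob, so when no `.sig` file exists the literal pattern `/boot/*.sig` is passed through and shred reports a missing file, and `/boot/grub/grub.cfg.sig` fails the same way on a system that has never been signed. The replaced `rm` lines behaved identically, so the script may tolerate this, but `shopt -s nullglob` ahead of the glob, or `find /boot -maxdepth 1 -type f -name '*.sig' -exec shred --remove=unlink -- {} +`, plus an `if [[ -e /boot/grub/grub.cfg.sig ]]` guard around the second line, would make the first-run case explicit. Whether the surrounding script runs under `set -e` is not visible in the hunk.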


@ -22,7 +22,7 @@ do
error_files+=( "$i" )
fi
all_files+=( "$i" )
done < <(find /boot -type f -name "*.sig" -print0)
done < <(find /boot -iname "efi" -prune -o -type f -name "*.sig" -print0)
echo "Checking missing signatures in /boot..." >&2
while IFS= read -r -d '' i
@ -31,7 +31,7 @@ do
then
missing_files+=( "$i" )
fi
done < <(find /boot -type f -not -name "*.sig" -print0)
done < <(find /boot -iname "efi" -prune -o -type f -not -name "*.sig" -print0)
# Nothing to verify? Exit 2.
if (( ${#all_files[@]} == 0 ))
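Review bot: The `-iname "efi" -prune` added to both find calls in this file matches any entry named `efi` at any depth under /boot, not only the ESP mount point, so an unrelated file or directory named efi elsewhere in /boot silently drops out of both the signature check and the missing-signature check; `-path /boot/efi -prune` scopes the exclusion to the directory the commit message names. Because the exclusion also means nothing under the ESP is ever reported as unsigned, a comment above the first loop such as `# /boot/efi (the ESP) is skipped: its contents are not covered by this signing scheme, see #10` would record the intent for the next reader. Both `while` loops start before their hunks.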