No commits in common. "master" and "0.1.4" have entirely different histories.
@ -45,8 +45,8 @@ Before you can use the signing and verification feature you need to generate a k
|
||||
```
|
||||
- Export your public key through running `gpg --export -o ~/pubkey`.
|
||||
- `mount /boot` (assuming your /boot partition is in your /etc/fstab)
|
||||
- (Re)install GRUB2. The following command will install root's public key into the core and instruct to load the modules `gcry_sha256`, `gcry_sha512` `gcry_dsa` and `gcry_rsa` at start so that GRUB2 will be able to do verifications. GRUB2 will take the right crypto for you then, depending on your system's configuration.
|
||||
- `grub-install /dev/sda -k /root/pubkey --modules="gcry_sha256 gcry_sha512 gcry_dsa gcry_rsa"`
|
||||
- (Re)install GRUB2. The following command will install root's public key into the core and instruct to load the modules `gcry_sha256` `gcry_dsa` and `gcry_rsa` at start so that GRUB2 will be able to do verifications.
|
||||
- `grub-install /dev/sda -k /root/pubkey --modules="gcry_sha256 gcry_dsa gcry_rsa"`
|
||||
- Enable GRUB2's check\_signatures feature:
|
||||
- Insert the following content at the end of the file of */etc/grub.d/00_header*
|
||||
```
|
||||
|
@ -5,7 +5,7 @@
|
||||
# Licence: GNU-GPLv3
|
||||
|
||||
function sign(){
|
||||
for f in $(find /boot -iname "efi" -prune -o -type f -print)
|
||||
for f in `find /boot -type f`
|
||||
do
|
||||
if gpg --detach-sign $f
|
||||
then
|
||||
@ -20,7 +20,7 @@ function sign(){
|
||||
|
||||
# Running grub2-verify first to prevent bad people and double signing
|
||||
echo "Running grub2-verify to check if everything is unsigned..." >&2
|
||||
grub-verify
|
||||
grub2-verify
|
||||
if (( $? < 2 )); then
|
||||
echo "Run grub2-unsign first." >&2
|
||||
exit 1
|
||||
|
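Review bot: The guard `if (( $? < 2 )); then … exit 1` stops signing only when the verifier returns 0 or 1, so a shell status of 127 (helper not in PATH, which a half-updated install caught by this very `grub-verify` → `grub2-verify` rename would produce) or 126 passes straight through and the script signs without the pre-check it relies on. Capture the status and reject everything outside the codes the script currently accepts, e.g. `grub2-verify; stat=$?` followed by `if (( stat < 2 || stat > 3 )); then`, which keeps the present behaviour for 2 and 3 and refuses anything else. The same call appears in the grub2-unsign hunk that follows, where a status outside 0, 1 and 3 reaches case arms not visible here.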
@ -5,7 +5,7 @@
|
||||
# Licence: GNU-GPLv3
|
||||
|
||||
# Check if something is wrong
|
||||
grub-verify
|
||||
grub2-verify
|
||||
stat=$?
|
||||
case "$stat" in
|
||||
1)
|
||||
@ -21,7 +21,7 @@ case "$stat" in
|
||||
;&
|
||||
0|3)
|
||||
# Then remove the signatures.
|
||||
find /boot -iname "efi" -prune -o -name '*.sig' -exec shred --remove=unlink {} +
|
||||
find /boot -name '*.sig' -exec rm {} +
|
||||
|
||||
echo "GRUB2 unsigned. WARNING: If you want to deactivate GRUB2's signature feature, change the check_signatures variable in the headers file!"
|
||||
exit 0
|
||||
|
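Review bot: The deletion branch `find /boot -iname "efi" -prune -o -name '*.sig' -exec …` carries no `-type f`, unlike the `find … -type f -name "*.sig"` in the grub2-verify hunk, so a directory or other non-regular entry whose name ends in .sig would be passed to the deletion command; `find /boot -iname "efi" -prune -o -type f -name '*.sig' -exec shred --remove=unlink {} +` (or the equivalent `rm` form) matches what verify treats as a signature. If the `shred` variant is the side being kept, a comment is warranted that detached signatures are public data, so overwriting them gains nothing, and that `shred` cannot guarantee an overwrite on journaled or flash-backed filesystems in any case — `rm -f --` is sufficient. The enclosing `case` statement opens in the previous hunk.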
@ -24,8 +24,8 @@ function sign(){
|
||||
}
|
||||
|
||||
|
||||
shred --remove=unlink /boot/*.sig
|
||||
shred --remove=unlink /boot/grub/grub.cfg.sig
|
||||
rm /boot/*.sig
|
||||
rm /boot/grub/grub.cfg.sig
|
||||
|
||||
if ! sign
|
||||
then
|
||||
|
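Review bot: `shred --remove=unlink /boot/*.sig` (and likewise `rm /boot/*.sig`) passes the literal pattern `/boot/*.sig` to the command when no signature file is present, yielding a "No such file" error and a non-zero status on an otherwise clean tree; set `shopt -s nullglob` before the expansion, or guard with `for s in /boot/*.sig; do [[ -e "$s" ]] || continue; …; done`. These two lines also remove the signatures before `if ! sign` runs, so a failing sign() leaves /boot with its signatures gone while check_signatures may still be enforced; whether the `then` branch restores them is outside this hunk. The enclosing script and sign() both begin before the hunk.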
@ -22,7 +22,7 @@ do
|
||||
error_files+=( "$i" )
|
||||
fi
|
||||
all_files+=( "$i" )
|
||||
done < <(find /boot -iname "efi" -prune -o -type f -name "*.sig" -print0)
|
||||
done < <(find /boot -type f -name "*.sig" -print0)
|
||||
|
||||
echo "Checking missing signatures in /boot..." >&2
|
||||
while IFS= read -r -d '' i
|
||||
@ -31,7 +31,7 @@ do
|
||||
then
|
||||
missing_files+=( "$i" )
|
||||
fi
|
||||
done < <(find /boot -iname "efi" -prune -o -type f -not -name "*.sig" -print0)
|
||||
done < <(find /boot -type f -not -name "*.sig" -print0)
|
||||
|
||||
# Nothing to verify? Exit 2.
|
||||
if (( ${#all_files[@]} == 0 ))
|
||||
|