#!/bin/bash
# grub2-verify
# Checks the signatures of every file which is has a signature in /boot.
# Author: Bandie Kojote
# Licence: GNU-GPLv3

red=$(tput setaf 1)
green=$(tput setaf 2)
normal=$(tput sgr0)

all_files=( )
error_files=( )

# Signature check part + error counter + file counter + file list

echo "Checking signatures in /boot..." >&2
while IFS= read -r -d '' i; do
    if ! gpg --verify-files "$i" >/dev/null 2>&1; then
        error_files+=( "$i" )
    fi
    all_files+=( "$i" )
done < <(find /boot -name "*.sig" -print0)

# Nothing to verify? Exit 2.
if (( ${#all_files[@]} == 0 )); then
    echo "Nothing to verify." >&2
    exit 2
fi

# Message
printf '%s' 'Found ' >&2
if (( ${#error_files} == 0 )); then
    printf '%s' "$green" "no" "$normal" >&2
else
    printf '%s' "$red" "${#error_files[@]}" "$normal" >&2
fi
if (( ${#error_files[@]} == 1 )); then
    echo " bad signature." >&2
else
    echo " bad signatures." >&2
fi

# File list and exit codes
if (( ${#error_files[@]} > 0 )); then
    printf 'BAD signature: %s\n' "${error_files[@]}"
    exit 1
else
    exit 0
fi

exit 99