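#!/bin/bash
# grub2-sign
# Signs everything important in /boot. Depends on grub2-verify.
# Author: Bandie Kojote
# Licence: GNU-GPLv3
#
# Usage: grub2-sign
#   Reads the signing-key passphrase from the terminal, then creates a
#   detached gpg signature next to every GRUB2-relevant file under /boot.
#   Exit status: 0 when every file was signed, 1 when grub2-verify reports
#   that something is already signed or when gpg failed for a file.
#
# Deliberately no `set -e`: the exit status of grub2-verify is used as data
# (see below) and a failing gpg run is reported and counted instead of
# aborting the script blindly.

main() {
  local pp f rc failed=0

  # Run grub2-verify first to prevent double signing. Its exit status is the
  # check result: a value below 2 means something in /boot already carries a
  # signature, so the user has to run grub2-unsign first.
  echo "Running grub2-verify to check if everything is unsigned..."
  grub2-verify
  rc=$?
  if (( rc < 2 )); then
    echo "Run grub2-unsign first."
    exit 1
  fi

  # Ask for the passphrase with terminal echo switched off. The EXIT trap
  # restores echo even when the script is interrupted at the prompt, so the
  # terminal is never left in no-echo mode.
  trap 'stty echo 2>/dev/null' EXIT
  printf 'Passphrase: '
  stty -echo
  # -r keeps backslashes; IFS= keeps leading/trailing blanks — both are part
  # of the passphrase and must reach gpg unchanged.
  IFS= read -r pp
  stty echo
  printf '\n\n'

  # Find GRUB2 data files. The -o chain is parenthesised so that -print0
  # applies to every pattern and not only to the last one (-a binds tighter
  # than -o in find). NUL-delimited names survive blanks and newlines in
  # paths, and the loop runs in the current shell so $failed is kept.
  # NOTE(review): "*.asc" is kept from the original list; such files are
  # commonly armored keys/signatures themselves — confirm they should be signed.
  while IFS= read -r -d '' f; do
    # The passphrase is handed over on fd 0 via printf so that a value
    # starting with "-n"/"-e" or containing runs of blanks is passed
    # verbatim (echo would mangle it). gpg >= 2.1 additionally needs
    # --pinentry-mode loopback for --passphrase-fd in --batch mode; it is
    # not added here so gpg 1.x keeps working — add it if signing fails with
    # a pinentry error.
    if printf '%s\n' "$pp" | gpg --batch --detach-sign --passphrase-fd 0 -- "$f"; then
      echo "$f signed."
    else
      printf 'ERROR! signing %s failed\n' "$f" >&2
      failed=1
      break
    fi
  done < <(find /boot \( -name "*.cfg" -o -name "*.lst" \
    -o -name "*.mod" -o -name "vmlinuz*" -o -name "initrd*" \
    -o -name "grubenv" -o -name "*.asc" -o -name "*.pf2" \) -print0)

  # Shred the passphrase: overwrite the variable ten times with random
  # printable data of the same length, then unset it. Best effort only —
  # bash may keep earlier copies of the string elsewhere in its memory.
  echo "Shredding passphrase..."
  if (( ${#pp} > 0 )); then   # fold -w 0 is an error, so skip an empty value
    local n
    for (( n = 0; n < 10; n++ )); do
      pp=$(LC_ALL=C tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' < /dev/urandom \
        | fold -w "${#pp}" | head -n 1)
    done
  fi
  unset pp
  echo "Done!"
  exit "$failed"
}

main "$@"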