grub2-signing-extension/sbin/grub-sign

#!/bin/bash
# grub2-sign
# Signs everything important in /boot. Depends on grub2-verify.
# Author: Bandie
# Licence: GNU-GPLv3

function sign(){
  for f in $(find /boot -iname "efi" -prune -o -type f -print)
  do
    if gpg --detach-sign $f
    then
      echo $f signed.
    else
      return 1
    fi
  done
  return 0
}


# Running grub2-verify first to prevent bad people and double signing
echo "Running grub2-verify to check if everything is unsigned..." >&2
grub-verify
if (( $? < 2 )); then
    echo "Run grub2-unsign first." >&2
    exit 1
fi


if ! sign
then
  sign
else
  echo -e "\nDone!"
fi