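#!/bin/bash
# grub2-sign
# Signs everything important in /boot. Depends on grub2-verify.
# Author: Bandie Kojote
# Licence: GNU-GPLv3
#
# Exit status: 0 when every matching file was signed, 1 when the pre-check
# refuses to run or a signing step fails.

# Refuse to continue without the pre-check. If grub2-verify is not installed
# the shell reports status 127, which the "-lt 2" test below would let through
# and the files would be signed without any check for existing signatures.
if ! command -v grub2-verify >/dev/null 2>&1
then
    echo "grub2-verify not found; cannot check for existing signatures." >&2
    exit 1
fi

# Running grub2-verify first to prevent double signing
echo "Running grub2-verify to check if everything is unsigned..."
grub2-verify
verify_status=$?
# NOTE(review): a status below 2 is treated as "signatures already present";
# confirm the exit codes against grub2-verify itself.
if [ "$verify_status" -lt 2 ]
then
    echo "Run grub2-unsign first."
    exit 1
fi

# Ask for passphrase.
# read -s keeps the input off the terminal without a separate stty -echo/echo
# pair that an interrupt could leave switched off. -r and the empty IFS keep
# backslashes and leading/trailing blanks, so the passphrase is stored exactly
# as typed.
printf 'Passphrase: '
IFS= read -r -s pp
printf '\n\n'

# Find GRUB2 data and sign each file.
# The file names are read NUL-delimited so that a name containing whitespace
# or glob characters reaches gpg as a single, unmodified argument.
sign_failed=0
while IFS= read -r -d '' target
do
    # The passphrase goes to gpg on stdin through the printf builtin, so it is
    # never placed in a process argument list. Quoting matters here: an
    # unquoted expansion would be word-split and glob-expanded, and echo would
    # swallow a passphrase such as "-n".
    # NOTE(review): GnuPG 2.1 and later only honour --passphrase-fd when
    # --pinentry-mode loopback is also given; confirm against the gpg version
    # this script is deployed with.
    if printf '%s\n' "$pp" | gpg --batch --detach-sign --passphrase-fd 0 "$target"
    then
        echo "$target signed."
    else
        echo "ERROR!"
        printf 'Signing %s failed; /boot may now be only partially signed.\n' "$target" >&2
        sign_failed=1
        break
    fi
done < <(find /boot \( -name "*.cfg" -o -name "*.lst" -o \
    -name "*.mod" -o -name "vmlinuz*" -o -name "initrd*" -o \
    -name "grubenv" -o -name "*.asc" -o -name "*.pf2" \) -print0)

# Discard the passphrase.
# Bash cannot overwrite the memory that held the value: assigning random
# strings to the variable only allocates new strings and frees the old one
# unwiped. Dropping the variable is the most the shell can do, so this step is
# not a guarantee that the passphrase is gone from memory.
echo "Shredding passphrase..."
unset pp

# A failed signature must not be reported as success: callers and the operator
# need to know that /boot is in a mixed signed/unsigned state.
if [ "$sign_failed" -ne 0 ]
then
    exit 1
fi

echo "Done!"
exit 0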