grub2-signing-extension/sbin/grub2-sign
2015-03-19 23:11:00 +01:00

52 lines
1010 B
Bash

#!/bin/bash
# grub2-sign
# Signs everything important in /boot. Depends on grub2-verify.
# Author: Bandie Kojote
# Licence: GNU-GPLv3
# Running grub2-verify first to prevent double signing
echo "Running grub2-verify to check if everything is unsigned..."
grub2-verify
if [ $? -lt 2 ]
then
echo "Run grub2-unsign first."
exit 1
fi
# Ask for passphrase
echo -n "Passphrase: "
stty -echo
read pp
stty echo
echo -e "\n"
# Find GRUB2 datas
for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \
-name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
-name "grubenv" -or -name "*.asc" -or -name "*.pf2"`;
do
# Signing
echo $pp | gpg --batch --detach-sign --passphrase-fd 0 $i
if [ $? -eq 0 ]
then
echo "$i signed."
else
echo "ERROR!"
break
fi
done
# Shredding passphrase
echo "Shredding passphrase..."
for (( i=0; $i<10; i++ ))
do
pp=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w ${#pp} | head -n 1`
done
echo "Done!"
exit 0