grub2-signing-extension/sbin/grub-verify

#!/bin/bash
# grub2-verify
# Checks the signatures of every file which is has a signature in /boot.
# Author: Bandie
# Licence: GNU-GPLv3

red=$(tput setaf 1)
green=$(tput setaf 2)
normal=$(tput sgr0)

all_files=( )
error_files=( )
missing_files=( )

# Signature check part + error counter + file counter + file list

echo "Checking signatures in /boot..." >&2
while IFS= read -r -d '' i
do
    if ! gpg --verify-files "$i" >/dev/null 2>&1
    then
        error_files+=( "$i" )
    fi
    all_files+=( "$i" )
done < <(find /boot -iname "efi" -prune -o -type f -name "*.sig" -print0)

echo "Checking missing signatures in /boot..." >&2
while IFS= read -r -d '' i
do
    if test ! -f ${i}.sig
    then
        missing_files+=( "$i" )
    fi
done < <(find /boot -iname "efi" -prune -o -type f -not -name "*.sig" -print0)

# Nothing to verify? Exit 2.
if (( ${#all_files[@]} == 0 ))
then
    echo "Nothing to verify." >&2
    exit 2
fi

# Message signatures
printf '%s' 'Found ' >&2
if (( ${#error_files} == 0 ))
then
    printf '%s' "$green" "no" "$normal" >&2
else
    printf '%s' "$red" "${#error_files[@]}" "$normal" >&2
fi
if (( ${#error_files[@]} == 1 ))
then
    echo " bad signature." >&2
else
    echo " bad signatures." >&2
fi

# Message missing
printf '%s' 'Found ' >&2
if (( ${#missing_files} == 0 ))
then
    printf '%s' "$green" "no" "$normal" >&2
else
    printf '%s' "$red" "${#missing_files[@]}" "$normal" >&2
fi
if (( ${#missing_files[@]} == 1 ))
then
    echo " missing signature." >&2
else
    echo " missing signatures." >&2
fi



# File list
if (( ${#error_files[@]} > 0 ))
then
    printf 'BAD signature: %s\n' "${error_files[@]}"
fi

if (( ${#missing_files[@]} > 0 ))
then
    printf 'MISSING signatures: %s\n' "${missing_files[@]}"
fi

# Exit codes
if (( ${#error_files[@]} > 0 ))
then
    exit 1
fi

if (( ${#missing_files[@]} > 0 ))
then
    exit 3
fi

exit 0