grub2-signing-extension/sbin/grub-verify

98 lines
1.8 KiB
Bash
Executable File

#!/bin/bash
# grub2-verify
# Checks the signatures of every file which is has a signature in /boot.
# Author: Bandie
# Licence: GNU-GPLv3
red=$(tput setaf 1)
green=$(tput setaf 2)
normal=$(tput sgr0)
all_files=( )
error_files=( )
missing_files=( )
# Signature check part + error counter + file counter + file list
echo "Checking signatures in /boot..." >&2
while IFS= read -r -d '' i
do
if ! gpg --verify-files "$i" >/dev/null 2>&1
then
error_files+=( "$i" )
fi
all_files+=( "$i" )
done < <(find /boot -iname "efi" -prune -o -type f -name "*.sig" -print0)
echo "Checking missing signatures in /boot..." >&2
while IFS= read -r -d '' i
do
if test ! -f ${i}.sig
then
missing_files+=( "$i" )
fi
done < <(find /boot -iname "efi" -prune -o -type f -not -name "*.sig" -print0)
# Nothing to verify? Exit 2.
if (( ${#all_files[@]} == 0 ))
then
echo "Nothing to verify." >&2
exit 2
fi
# Message signatures
printf '%s' 'Found ' >&2
if (( ${#error_files} == 0 ))
then
printf '%s' "$green" "no" "$normal" >&2
else
printf '%s' "$red" "${#error_files[@]}" "$normal" >&2
fi
if (( ${#error_files[@]} == 1 ))
then
echo " bad signature." >&2
else
echo " bad signatures." >&2
fi
# Message missing
printf '%s' 'Found ' >&2
if (( ${#missing_files} == 0 ))
then
printf '%s' "$green" "no" "$normal" >&2
else
printf '%s' "$red" "${#missing_files[@]}" "$normal" >&2
fi
if (( ${#missing_files[@]} == 1 ))
then
echo " missing signature." >&2
else
echo " missing signatures." >&2
fi
# File list
if (( ${#error_files[@]} > 0 ))
then
printf 'BAD signature: %s\n' "${error_files[@]}"
fi
if (( ${#missing_files[@]} > 0 ))
then
printf 'MISSING signatures: %s\n' "${missing_files[@]}"
fi
# Exit codes
if (( ${#error_files[@]} > 0 ))
then
exit 1
fi
if (( ${#missing_files[@]} > 0 ))
then
exit 3
fi
exit 0