grub2-signing-extension/sbin/grub2-unsign
Charles Duffy cc43d546b2 Follow best practices for bash
- Use native bash math where doing so improves readability.
- Avoid illegal exit status codes (666 in impossible scenario).
- Avoid useless use of cat (`cat foo | bar` vs the more efficient `bar <foo`).
- Avoid needless echo pipelines (`echo foo | bar` vs `bar <<<"$foo"`).
- Never use a for loop to iterate over output from `find`; `for` loops depend
  on string-splitting, which is only available with globbing behavior. See
  http://mywiki.wooledge.org/DontReadLinesWithFor
- Use `read -s` to silence feedback rather than playing around with `stty`.
- Use `tput` to retrieve color codes correct for the current terminal rather
  than assuming a terminal compatible with ANSI color codes.
- Use a expression compatible with BSD `tr` in "passphrase-shredding" code.
  (BTW, I very much doubt that this code actually does any good; it's not a
  reasonable expectation that a new string assigned to a variable will actually
  be placed at the same location in memory).
- Implementations of `echo` which do anything other than print `-e` on output
  when `echo -e` is run are nonconformant with the POSIX spec for echo.
  Similarly, `echo -n` behavior is not defined by the standard. Avoid relying
  on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html,
  particularly the APPLICATION USAGE section).
- Always quote expansions to prevent string-splitting and glob-expansion
  (`"$i"`, not `$i`).
- Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can
  be used instead.
2015-12-30 15:46:52 -06:00

18 lines
576 B
Bash
Executable File

#!/bin/bash
# grub2-unsign
# Unsigns every file in /boot. Depends on grub2-verify
# Author: Bandie Kojote
# Licence: GNU-GPLv3
# Check if something is wrong
if ! grub2-verify; then
printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2
exit 1
fi
# Then remove the signatures.
find /boot -name '*.sig' -exec rm -- '{}' +
echo "GRUB2 unsigned. WARNING: If you want to deactivate GRUB2's signature feature, change the check_signatures variable in the headers file!"
exit 0