mirror of
https://github.com/Bandie/grub2-signing-extension.git
synced 2024-04-01 15:51:26 +00:00
cc43d546b2
- Use native bash math where doing so improves readability. - Avoid illegal exit status codes (666 in impossible scenario). - Avoid useless use of cat (`cat foo | bar` vs the more efficient `bar <foo`). - Avoid needless echo pipelines (`echo foo | bar` vs `bar <<<"$foo"`). - Never use a for loop to iterate over output from `find`; `for` loops depend on string-splitting, which is only available with globbing behavior. See http://mywiki.wooledge.org/DontReadLinesWithFor - Use `read -s` to silence feedback rather than playing around with `stty`. - Use `tput` to retrieve color codes correct for the current terminal rather than assuming a terminal compatible with ANSI color codes. - Use a expression compatible with BSD `tr` in "passphrase-shredding" code. (BTW, I very much doubt that this code actually does any good; it's not a reasonable expectation that a new string assigned to a variable will actually be placed at the same location in memory). - Implementations of `echo` which do anything other than print `-e` on output when `echo -e` is run are nonconformant with the POSIX spec for echo. Similarly, `echo -n` behavior is not defined by the standard. Avoid relying on either of these. (See http://pubs.opengroup.org/onlinepubs/009604599/utilities/echo.html, particularly the APPLICATION USAGE section). - Always quote expansions to prevent string-splitting and glob-expansion (`"$i"`, not `$i`). - Avoid `some_command; if [ $? -eq 0 ]; then` when `if some_command; then` can be used instead.
52 lines
1.1 KiB
Bash
Executable File
52 lines
1.1 KiB
Bash
Executable File
#!/bin/bash
|
|
# grub2-verify
|
|
# Checks the signatures of every file which is has a signature in /boot.
|
|
# Author: Bandie Kojote
|
|
# Licence: GNU-GPLv3
|
|
|
|
red=$(tput setaf 1)
|
|
green=$(tput setaf 2)
|
|
normal=$(tput sgr0)
|
|
|
|
all_files=( )
|
|
error_files=( )
|
|
|
|
# Signature check part + error counter + file counter + file list
|
|
|
|
echo "Checking signatures in /boot..." >&2
|
|
while IFS= read -r -d '' i; do
|
|
if ! gpg --verify-files "$i" >/dev/null 2>&1; then
|
|
error_files+=( "$i" )
|
|
fi
|
|
all_files+=( "$i" )
|
|
done < <(find /boot -name "*.sig" -print0)
|
|
|
|
# Nothing to verify? Exit 2.
|
|
if (( ${#all_files[@]} == 0 )); then
|
|
echo "Nothing to verify." >&2
|
|
exit 2
|
|
fi
|
|
|
|
# Message
|
|
printf '%s' 'Found ' >&2
|
|
if (( ${#error_files} == 0 )); then
|
|
printf '%s' "$green" "no" "$normal" >&2
|
|
else
|
|
printf '%s' "$red" "${#error_files[@]}" "$normal" >&2
|
|
fi
|
|
if (( ${#error_files[@]} == 1 )); then
|
|
echo " bad signature." >&2
|
|
else
|
|
echo " bad signatures." >&2
|
|
fi
|
|
|
|
# File list and exit codes
|
|
if (( ${#error_files[@]} > 0 )); then
|
|
printf 'BAD signature: %s\n' "${error_files[@]}"
|
|
exit 1
|
|
else
|
|
exit 0
|
|
fi
|
|
|
|
exit 99
|