bash-stuff/local-sbin/sign-boot

40 lines
1.3 KiB
Plaintext
Raw Normal View History

#!/bin/bash
if [ -f /run/sign-verify-boot-flag ]; then
echo "[-] Waiting for in-progress Signing / Verifying!";
while /usr/bin/lsof /run/sign-verify-boot-flag > /dev/null 2>&1; do sleep 0.1; done
while /usr/bin/kill -0 "$(cat /run/sign-verify-boot-flag)" > /dev/null 2>&1; do sleep 1; done
fi;
/usr/bin/echo -n "$$" > /run/sign-verify-boot-flag;
echo "[*] Preparing to sign!";
echo "[-] BMOK Un-Signing...";
for i in $(/usr/bin/find /boot/grub -iname "*.efi" -type f -print)
do
echo $i;
/usr/bin/sbattach --remove $i;
done;
echo "[+] BMOK Signing...";
for i in $(/usr/bin/find /boot/grub -iname "*.efi" -type f -print)
do
echo $i;
/usr/bin/sbsign --key /cert/BMOK.priv --cert /cert/BMOK.pem $i --output $i;
done;
echo "[-] Un-Signing...";
#-iname "efi" -prune -o
for i in $(/usr/bin/find /boot -iname "*.sig" -type f -print)
do
rm "$i";
done;
echo "[+] Signing...";
for i in $(/usr/bin/find /boot -iname "efi" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
do
echo $i;
/usr/bin/gpg --batch --detach-sign $i;
done;
for i in $(/usr/bin/find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
do
echo $i;
/usr/bin/gpg --batch --detach-sign $i;
done;
/usr/bin/rm -f /run/sign-verify-boot-flag;
echo "[*] Signing Complete!";