bash-stuff/local-sbin/verify-boot

#!/bin/bash
if [ -f /run/sign-verify-boot-flag ]; then
  echo "[-] Waiting for in-progress Signing / Verifying!";
  while /usr/bin/lsof /run/sign-verify-boot-flag > /dev/null 2>&1; do sleep 0.1; done
  while /usr/bin/kill -0 "$(cat /run/sign-verify-boot-flag)" > /dev/null 2>&1; do sleep 1; done
fi;
/usr/bin/echo -n "$$" > /run/sign-verify-boot-flag;
echo "[*] Preparing to verify!";
echo "[-] Missing Signatures:";
ec=0;
for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
do
  if [ ! -f "$i.sig" ]; then
    echo "Missing: $i";
    ec=1;
  fi
done;
for i in $(find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
do
  if [ ! -f "$i.sig" ]; then
    echo "Missing: $i";
    ec=1;
  fi
done;
bad='Good';
echo "[*] Signed:";
for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
do
  if [ -f "$i.sig" ]; then
    if gpg --verify-files "$i.sig" > /dev/null 2>&1
    then
      echo "Good: $i";
    else
      echo "Bad: $i";
      bad='Bad';
      ec=2;
    fi
  fi
done;
for i in $(find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
do
  if [ -f "$i.sig" ]; then
    if gpg --verify-files "$i.sig" > /dev/null 2>&1
    then
      echo "Good: $i";
    else
      echo "Bad: $i";
      bad='Bad';
      ec=2;
    fi
  fi
done;
echo "[-] Signature State: $bad";
if [ $ec -ne 0 ]; then
  touch /boot/boot-tainted;
elif [ -f /boot/boot-tainted ]; then
  rm -f /boot/boot-tainted;
fi
/usr/bin/rm -f /run/sign-verify-boot-flag;
echo "[*] Finished Verification!";
exit $ec;