From 84ae836a71e6f892e50ed137b7bf4eb2bd53d60b Mon Sep 17 00:00:00 2001
From: Captain ALM
Date: Mon, 7 Oct 2024 17:14:49 +0100
Subject: [PATCH] Make sure sign and verify boot scripts are run one at a time.

---
 local-sbin/sign-boot | 19 ++++++-------------
 local-sbin/verify-boot | 7 +++++++
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/local-sbin/sign-boot b/local-sbin/sign-boot
index c027e8f..70a6aac 100755
--- a/local-sbin/sign-boot
+++ b/local-sbin/sign-boot
@@ -1,15 +1,11 @@
 #!/bin/bash
-if [ -f /run/signing ]; then
- echo "[-] Signing already in progress!";
+if [ -f /run/sign-verify-boot-flag ]; then
+ echo "[-] Waiting for in-progress Signing / Verifying!";
+ while lsof /run/sign-verify-boot-flag > /dev/null 2>&1; do sleep 0.1; done
+ while [ -f /run/sign-verify-boot-flag ]; do sleep 0.1; done
 fi;
-/usr/bin/touch /run/signing;
+/usr/bin/touch /run/sign-verify-boot-flag;
 echo "[*] Preparing to sign!";
-#touch /dev/shm/sb-passpwd.txt;
-#chown root:root /dev/shm/sb-passpwd.txt;
-#chmod u=rw,g=,o= /dev/shm/sb-passpwd.txt;
-#echo -n "Password: ";
-#read -s pwd;
-#echo -n "$pwd" > /dev/shm/sb-passpwd.txt;
 echo "[-] BMOK Un-Signing...";
 for i in $(/usr/bin/find /boot/grub -iname "*.efi" -type f -print)
 do
@@ -33,14 +29,11 @@ for i in $(/usr/bin/find /boot -iname "efi" -prune -o -iname "grubenv" -prune -o
 do
 echo $i;
 /usr/bin/gpg --batch --detach-sign $i;
- #gpg -v --batch --detach-sign --passphrase-fd 0 $i < \
- # /dev/shm/sb-passpwd.txt;
 done;
 for i in $(/usr/bin/find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
 do
 echo $i;
 /usr/bin/gpg --batch --detach-sign $i;
 done;
-#shred /dev/shm/sb-passpwd.txt;
-/usr/bin/rm -f /run/signing;
+/usr/bin/rm -f /run/sign-verify-boot-flag;
 echo "[*] Signing Complete!";
diff --git a/local-sbin/verify-boot b/local-sbin/verify-boot
index d8ce70d..e2d03e9 100755
--- a/local-sbin/verify-boot
+++ b/local-sbin/verify-boot
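Review bot: The new wait-then-touch sequence at the top of sign-boot is still a check-then-act lock: between the last `[ -f /run/sign-verify-boot-flag ]` test and the `/usr/bin/touch`, a second sign-boot or verify-boot can pass the same test, so two runs can still proceed concurrently, which is exactly what this commit sets out to prevent. The `lsof` loop has nothing to observe either — `touch` closes the file immediately, so no process ever holds it open — and if `lsof` is not installed the `2>&1` redirect hides the "command not found" and that loop exits at once. A kernel-held lock via `flock(1)` (util-linux, assumed available here) is atomic, blocks without polling, and is released automatically when the holder dies, so a crashed run cannot leave a stale flag that makes every later sign-boot and verify-boot wait forever. The existing touch/rm of the flag can stay for compatibility with anything else that looks for it, but the lock should be what actually provides the exclusion, and verify-boot should take the same lock file.
```shell
#!/bin/bash
# Serialise sign-boot and verify-boot on a kernel lock: atomic (no test/touch
# window) and released by the kernel if the holder exits or is killed.
exec 9>/run/sign-verify-boot.lock
if ! flock -n 9; then
 echo "[-] Waiting for in-progress Signing / Verifying!";
 flock 9;
fi;
# … unchanged: touch of /run/sign-verify-boot-flag, "Preparing to sign", BMOK un-signing loop …
```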
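Review bot: `/usr/bin/rm -f /run/sign-verify-boot-flag;` at the end of sign-boot is the only place the flag is cleared, so a run that is interrupted (Ctrl-C, a signal, or a future `set -e`/early exit) leaves the flag on disk, and with the unconditional wait loops added at the top of this file every later sign-boot and verify-boot then blocks indefinitely. Register the cleanup as an exit trap immediately after the flag is created (that `touch` is in the first hunk), e.g. `trap '/usr/bin/rm -f /run/sign-verify-boot-flag' EXIT`, which bash runs on normal exit and on the signals it can catch; the final rm then becomes redundant but harmless. Separately, none of the `/usr/bin/gpg --batch --detach-sign $i` results in the two loops are checked, so a signature that fails to write still ends in "[*] Signing Complete!" with exit status 0 — a per-iteration `|| ec=1` and a final `exit $ec`, mirroring verify-boot's `ec` convention, would surface that. Those loops are context here rather than part of this change, and the second loop's `for` line starts before the hunk.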
@@ -1,4 +1,10 @@
 #!/bin/bash
+if [ -f /run/sign-verify-boot-flag ]; then
+ echo "[-] Waiting for in-progress Signing / Verifying!";
+ while lsof /run/sign-verify-boot-flag > /dev/null 2>&1; do sleep 0.1; done
+ while [ -f /run/sign-verify-boot-flag ]; do sleep 0.1; done
+fi;
+/usr/bin/touch /run/sign-verify-boot-flag;
 echo "[*] Preparing to verify!";
 echo "[-] Missing Signatures:";
 ec=0;
@@ -50,5 +56,6 @@ if [ $ec -ne 0 ]; then
 elif [ -f /boot/boot-tainted ]; then
 rm -f /boot/boot-tainted;
 fi
+/usr/bin/rm -f /run/sign-verify-boot-flag;
 echo "[*] Finished Verification!";
 exit $ec;
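Review bot: The flag check added to the head of verify-boot is not atomic with the `/usr/bin/touch` that follows it, so verify-boot can start while sign-boot is between its own `[ -f ... ]` test and `touch`, read /boot while signatures are being rewritten, and then (per the tail of this file) record or clear `/boot/boot-tainted` on the basis of a half-updated tree. The `lsof` loop never sees the file held open, because `touch` closes it immediately, so in practice only the existence poll is doing anything, and it has no timeout: a flag left behind by a crashed or killed sign-boot makes verify-boot hang forever, which matters if this script runs unattended at boot or from a timer. Taking a kernel lock on a shared lock file instead gives atomic exclusion between the two scripts and is released automatically when the holder exits, e.g. `exec 9>/run/sign-verify-boot.lock` followed by `flock -n 9 || { echo "[-] Waiting for in-progress Signing / Verifying!"; flock 9; }`, with sign-boot taking the same lock. Whether the lock is flock or the flag, pair the creation with `trap '/usr/bin/rm -f /run/sign-verify-boot-flag' EXIT` so an early `exit` anywhere in the lines between these two hunks does not leak it.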
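Review bot: `/usr/bin/rm -f /run/sign-verify-boot-flag;` is placed before the only `exit $ec` visible here, which is correct for the normal path, but it is the sole cleanup point: any `exit` in the unseen lines 11–55, or the script being killed, leaves the flag in place and stalls both scripts' wait loops at the top of the file. An EXIT trap registered right after the `touch` in the first hunk, `trap '/usr/bin/rm -f /run/sign-verify-boot-flag' EXIT`, covers every exit path and lets this line go. As a point of style, the new line uses `/usr/bin/rm` while the context line two above uses bare `rm -f /boot/boot-tainted;`; pick one form for the file. The enclosing `if [ $ec -ne 0 ]` block starts before this hunk.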