Fix up signing of boot files.
parent
4493e6e20f
commit
8d2d263b28
@ -25,12 +25,17 @@ do
|
||||
rm "$i";
|
||||
done;
|
||||
echo "[+] Signing...";
|
||||
for i in $(/usr/bin/find /boot -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
|
||||
for i in $(/usr/bin/find /boot -iname "efi" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
|
||||
do
|
||||
echo $i;
|
||||
/usr/bin/gpg --batch --detach-sign $i;
|
||||
#gpg -v --batch --detach-sign --passphrase-fd 0 $i < \
|
||||
# /dev/shm/sb-passpwd.txt;
|
||||
done;
|
||||
for i in $(/usr/bin/find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
|
||||
do
|
||||
echo $i;
|
||||
/usr/bin/gpg --batch --detach-sign $i;
|
||||
done;
|
||||
#shred /dev/shm/sb-passpwd.txt;
|
||||
echo "[*] Signing Complete!";
|
||||
|
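Review bot: The new `/boot/efi` loop never signs `*.cfg` files, because in `find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print` the `-print` binds only to the `*.efi` branch, and an explicit action suppresses find's default print for the other branch. Grouping the name tests lets both reach the action: `find /boot/efi \( -iname "*.cfg" -o -iname "*.efi" \) -type f -print`. The same expression appears in both new `/boot/efi` loops in verify-boot, so config files there are neither reported as missing nor verified. Separately, `$i` is unquoted in `echo $i` and `gpg --batch --detach-sign $i`, and `for i in $(find …)` splits on whitespace, so a path containing a space would not be signed under its real name; quoting `"$i"` fixes the former, while the latter needs a `find … -exec` or `while IFS= read -r` loop.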
38
verify-boot
38
verify-boot
@ -5,7 +5,14 @@ ec=0;
|
||||
for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
|
||||
do
|
||||
if [ ! -f "$i.sig" ]; then
|
||||
echo "$i";
|
||||
echo "Missing: $i";
|
||||
ec=1;
|
||||
fi
|
||||
done;
|
||||
for i in $(find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
|
||||
do
|
||||
if [ ! -f "$i.sig" ]; then
|
||||
echo "Missing: $i";
|
||||
ec=1;
|
||||
fi
|
||||
done;
|
||||
@ -13,13 +20,28 @@ bad='Good';
|
||||
echo "[*] Signed:";
|
||||
for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
|
||||
do
|
||||
if gpg --verify-files "$i.sig" > /dev/null 2>&1
|
||||
then
|
||||
echo "Good: $i";
|
||||
else
|
||||
echo "Bad: $i";
|
||||
bad='Bad';
|
||||
ec=2;
|
||||
if [ -f "$i.sig" ]; then
|
||||
if gpg --verify-files "$i.sig" > /dev/null 2>&1
|
||||
then
|
||||
echo "Good: $i";
|
||||
else
|
||||
echo "Bad: $i";
|
||||
bad='Bad';
|
||||
ec=2;
|
||||
fi
|
||||
fi
|
||||
done;
|
||||
for i in $(find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
|
||||
do
|
||||
if [ -f "$i.sig" ]; then
|
||||
if gpg --verify-files "$i.sig" > /dev/null 2>&1
|
||||
then
|
||||
echo "Good: $i";
|
||||
else
|
||||
echo "Bad: $i";
|
||||
bad='Bad';
|
||||
ec=2;
|
||||
fi
|
||||
fi
|
||||
done;
|
||||
echo "[-] Signature State: $bad";
|
||||
|
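Review bot: With the new `[ -f "$i.sig" ]` guard, a file whose signature is missing is skipped in both verification loops, so `bad` stays `'Good'` and the last line prints `Signature State: Good` even when the first pass reported `Missing:` and set `ec=1`. Before this change a missing `.sig` made `gpg --verify-files` fail, so the file was reported as Bad. Deriving the summary from `ec` keeps the two in step, for example `if [ "$ec" -ne 0 ]; then bad='Bad'; fi` just before the final `echo`. How `ec` is used after that echo is outside the hunk, so confirm the script still exits non-zero when a signature is missing.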