Fix up signing of boot files.

This commit is contained in:
Captain ALM 2024-06-04 14:44:43 +01:00
parent 4493e6e20f
commit 8d2d263b28
Signed by: alfred
GPG Key ID: 4E4ADD02609997B1
2 changed files with 36 additions and 9 deletions

View File

@ -25,12 +25,17 @@ do
rm "$i";
done;
echo "[+] Signing...";
for i in $(/usr/bin/find /boot -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
for i in $(/usr/bin/find /boot -iname "efi" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
do
echo $i;
/usr/bin/gpg --batch --detach-sign $i;
#gpg -v --batch --detach-sign --passphrase-fd 0 $i < \
# /dev/shm/sb-passpwd.txt;
done;
for i in $(/usr/bin/find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
do
echo $i;
/usr/bin/gpg --batch --detach-sign $i;
done;
#shred /dev/shm/sb-passpwd.txt;
echo "[*] Signing Complete!";

View File

@ -5,7 +5,14 @@ ec=0;
for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
do
if [ ! -f "$i.sig" ]; then
echo "$i";
echo "Missing: $i";
ec=1;
fi
done;
for i in $(find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
do
if [ ! -f "$i.sig" ]; then
echo "Missing: $i";
ec=1;
fi
done;
@ -13,13 +20,28 @@ bad='Good';
echo "[*] Signed:";
for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
do
if gpg --verify-files "$i.sig" > /dev/null 2>&1
then
echo "Good: $i";
else
echo "Bad: $i";
bad='Bad';
ec=2;
if [ -f "$i.sig" ]; then
if gpg --verify-files "$i.sig" > /dev/null 2>&1
then
echo "Good: $i";
else
echo "Bad: $i";
bad='Bad';
ec=2;
fi
fi
done;
for i in $(find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
do
if [ -f "$i.sig" ]; then
if gpg --verify-files "$i.sig" > /dev/null 2>&1
then
echo "Good: $i";
else
echo "Bad: $i";
bad='Bad';
ec=2;
fi
fi
done;
echo "[-] Signature State: $bad";