From 8d2d263b2896832ff4cad3c30b3414cfbe889426 Mon Sep 17 00:00:00 2001
From: Captain ALM
Date: Tue, 4 Jun 2024 14:44:43 +0100
Subject: [PATCH] Fix up signing of boot files.
---
 sign-boot | 7 ++++++-
 verify-boot | 38 ++++++++++++++++++++++++++++++--------
 2 files changed, 36 insertions(+), 9 deletions(-)
diff --git a/sign-boot b/sign-boot
index 9b7efce..6e6f75c 100644
--- a/sign-boot
+++ b/sign-boot
@@ -25,12 +25,17 @@ do
 rm "$i";
 done;
 echo "[+] Signing...";
-for i in $(/usr/bin/find /boot -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
+for i in $(/usr/bin/find /boot -iname "efi" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
 do
 echo $i;
 /usr/bin/gpg --batch --detach-sign $i;
 #gpg -v --batch --detach-sign --passphrase-fd 0 $i < \
 # /dev/shm/sb-passpwd.txt;
 done;
+for i in $(/usr/bin/find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
+do
+ echo $i;
+ /usr/bin/gpg --batch --detach-sign $i;
+done;
 #shred /dev/shm/sb-passpwd.txt;
 echo "[*] Signing Complete!";
diff --git a/verify-boot b/verify-boot
index d183e5a..d8ce70d 100644
--- a/verify-boot
+++ b/verify-boot
@@ -5,7 +5,14 @@ ec=0;
 for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
 do
 if [ ! -f "$i.sig" ]; then
- echo "$i";
+ echo "Missing: $i";
+ ec=1;
+ fi
+done;
+for i in $(find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
+do
+ if [ ! -f "$i.sig" ]; then
+ echo "Missing: $i";
 ec=1;
 fi
 done;
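Review bot: The new `/boot/efi` loop in sign-boot never signs the `*.cfg` files, because in `find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print` the implicit `-a` binds tighter than `-o`, so `-print` belongs only to the `*.efi` branch, and since an explicit `-print` is present find does not add its default print to the `*.cfg` branch. Group the name tests so one action covers both: `for i in $(/usr/bin/find /boot/efi \( -iname "*.cfg" -o -iname "*.efi" \) -type f -print)`. The identical expression is used in both verify-boot hunks, so those unsigned `.cfg` files are not reported as Missing either, which hides the coverage gap. While touching the loop body, quote the expansions (`echo "$i"; /usr/bin/gpg --batch --detach-sign "$i";`), as the `rm "$i"` at the top of the hunk already does. The cleanup loop whose `done;` opens this hunk starts outside it, so whether it also removes stale `.sig` files under `/boot/efi` cannot be confirmed here.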
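Review bot: The `Missing:` check copies the `/boot/efi` find expression from sign-boot verbatim, and the next hunk repeats both find expressions again, so any later change to what sign-boot signs that is not mirrored in all three places makes verify-boot silently skip unsigned files rather than fail. A single helper that yields the file list, used by every loop in this script, keeps the verified set tied to one definition; the name tests in it are grouped so the single `-print` applies to both patterns. The loop bodies themselves stay as they are.
```shell
# The set of files sign-boot is expected to have signed; keep in step with sign-boot.
boot_files() {
  find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print;
  find /boot/efi \( -iname "*.cfg" -o -iname "*.efi" \) -type f -print;
}
for i in $(boot_files)
do
  # … unchanged: Missing check, ec=1 …
done;
```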
@@ -13,13 +20,28 @@ bad='Good';
 echo "[*] Signed:";
 for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
 do
- if gpg --verify-files "$i.sig" > /dev/null 2>&1
- then
- echo "Good: $i";
- else
- echo "Bad: $i";
- bad='Bad';
- ec=2;
+ if [ -f "$i.sig" ]; then
+ if gpg --verify-files "$i.sig" > /dev/null 2>&1
+ then
+ echo "Good: $i";
+ else
+ echo "Bad: $i";
+ bad='Bad';
+ ec=2;
+ fi
+ fi
+done;
+for i in $(find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
+do
+ if [ -f "$i.sig" ]; then
+ if gpg --verify-files "$i.sig" > /dev/null 2>&1
+ then
+ echo "Good: $i";
+ else
+ echo "Bad: $i";
+ bad='Bad';
+ ec=2;
+ fi
 fi
 done;
 echo "[-] Signature State: $bad";
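Review bot: The ten-line verify body is now duplicated across the two loops, and the new `if [ -f "$i.sig" ]` guard silently drops unsigned files from the "Signed:" listing without saying why; a reader has to notice that the Missing loop earlier in the script already set `ec=1` for them. Extracting the body into one function with that reason stated once removes the duplication and makes the dependency on the earlier loop explicit. Only the new function and the two call sites change.
```shell
# $1 - signed file; its detached signature is "$1.sig". Files without a
# signature are skipped here because the Missing loop above already set ec=1.
verify_file() {
  if [ -f "$1.sig" ]; then
    if gpg --verify-files "$1.sig" > /dev/null 2>&1
    then
      echo "Good: $1";
    else
      echo "Bad: $1";
      bad='Bad';
      ec=2;
    fi
  fi
}
# … unchanged: for loop over the /boot find …
  verify_file "$i";
# … unchanged: for loop over the /boot/efi find …
  verify_file "$i";
```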