Fix up signing of boot files.

sign-boot

@@ -25,12 +25,17 @@ do
   rm "$i";
 done;
 echo "[+] Signing...";
-for i in $(/usr/bin/find /boot -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
+for i in $(/usr/bin/find /boot -iname "efi" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
 do
   echo $i;
   /usr/bin/gpg --batch --detach-sign $i;
   #gpg -v --batch --detach-sign --passphrase-fd 0 $i < \
   #  /dev/shm/sb-passpwd.txt;
 done;
+for i in $(/usr/bin/find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
+do
+  echo $i;
+  /usr/bin/gpg --batch --detach-sign $i;
+done;
 #shred /dev/shm/sb-passpwd.txt;
 echo "[*] Signing Complete!";

verify-boot

@@ -5,7 +5,14 @@ ec=0;
 for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
 do
   if [ ! -f "$i.sig" ]; then
-    echo "$i";
+    echo "Missing: $i";
+    ec=1;
+  fi
+done;
+for i in $(find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
+do
+  if [ ! -f "$i.sig" ]; then
+    echo "Missing: $i";
     ec=1;
   fi
 done;
@@ -13,6 +20,7 @@ bad='Good';
 echo "[*] Signed:";
 for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
 do
+  if [ -f "$i.sig" ]; then
     if gpg --verify-files "$i.sig" > /dev/null 2>&1
     then
       echo "Good: $i";
@@ -21,6 +29,20 @@ do
       bad='Bad';
       ec=2;
     fi
+  fi
+done;
+for i in $(find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
+do
+  if [ -f "$i.sig" ]; then
+    if gpg --verify-files "$i.sig" > /dev/null 2>&1
+    then
+      echo "Good: $i";
+    else
+      echo "Bad: $i";
+      bad='Bad';
+      ec=2;
+    fi
+  fi
 done;
 echo "[-] Signature State: $bad";
 if [ $ec -ne 0 ]; then