Fix up signing of boot files.

This commit is contained in:
Captain ALM 2024-06-04 14:44:43 +01:00
parent 4493e6e20f
commit 8d2d263b28
Signed by: alfred
GPG Key ID: 4E4ADD02609997B1
2 changed files with 36 additions and 9 deletions


@ -25,12 +25,17 @@ do
rm "$i"; rm "$i";
done; done;
echo "[+] Signing..."; echo "[+] Signing...";
for i in $(/usr/bin/find /boot -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print) for i in $(/usr/bin/find /boot -iname "efi" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
do do
echo $i; echo $i;
/usr/bin/gpg --batch --detach-sign $i; /usr/bin/gpg --batch --detach-sign $i;
#gpg -v --batch --detach-sign --passphrase-fd 0 $i < \ #gpg -v --batch --detach-sign --passphrase-fd 0 $i < \
# /dev/shm/sb-passpwd.txt; # /dev/shm/sb-passpwd.txt;
done; done;
for i in $(/usr/bin/find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
do
echo $i;
/usr/bin/gpg --batch --detach-sign $i;
done;
#shred /dev/shm/sb-passpwd.txt; #shred /dev/shm/sb-passpwd.txt;
echo "[*] Signing Complete!"; echo "[*] Signing Complete!";
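Review bot: The new /boot/efi loop never signs the `*.cfg` files, because in `find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print` the explicit `-print` binds only to the `*.efi` branch and find's implicit print is switched off once any `-print` appears, so a matching `.cfg` evaluates true without output and the `-o` branch is skipped. Group the name tests so the action applies to both: `for i in $(/usr/bin/find /boot/efi -type f \( -iname "*.cfg" -o -iname "*.efi" \) -print)`. The check script carries the same expression in both of its new /boot/efi loops (the `Missing:` loop and the verify loop), so it also skips the `.cfg` files and will not report them as unsigned — all three should be corrected together. As in the existing loop, `$i` is unquoted in `echo $i` and in the gpg call; writing `"$i"` costs nothing and avoids word-splitting on an unusual path.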


@ -5,7 +5,14 @@ ec=0;
for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print) for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
do do
if [ ! -f "$i.sig" ]; then if [ ! -f "$i.sig" ]; then
echo "$i"; echo "Missing: $i";
ec=1;
fi
done;
for i in $(find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
do
if [ ! -f "$i.sig" ]; then
echo "Missing: $i";
ec=1; ec=1;
fi fi
done; done;
@ -13,13 +20,28 @@ bad='Good';
echo "[*] Signed:"; echo "[*] Signed:";
for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print) for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
do do
if gpg --verify-files "$i.sig" > /dev/null 2>&1 if [ -f "$i.sig" ]; then
then if gpg --verify-files "$i.sig" > /dev/null 2>&1
echo "Good: $i"; then
else echo "Good: $i";
echo "Bad: $i"; else
bad='Bad'; echo "Bad: $i";
ec=2; bad='Bad';
ec=2;
fi
fi
done;
for i in $(find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
do
if [ -f "$i.sig" ]; then
if gpg --verify-files "$i.sig" > /dev/null 2>&1
then
echo "Good: $i";
else
echo "Bad: $i";
bad='Bad';
ec=2;
fi
fi fi
done; done;
echo "[-] Signature State: $bad"; echo "[-] Signature State: $bad";
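Review bot: The new /boot/efi verify loop prints `Good:` whenever `gpg --verify-files` exits 0, and gpg returns 0 for a valid signature from any key present in the invoking user's keyring, irrespective of trust level or whether it is the key the signing script uses; whether that keyring holds only the signing key cannot be seen from the hunk. If the check is meant to assert "signed by our key", have gpg report the key explicitly, e.g. `gpg --status-fd 1 --verify-files "$i.sig" 2>/dev/null | grep -q "VALIDSIG <signing-key-fingerprint>"` (placeholder fingerprint), or point both scripts at a dedicated keyring with `--no-default-keyring --keyring <path>`. The loop body is now duplicated verbatim between the /boot and /boot/efi loops; a small function such as `check_sig() { ... }` taking the path would keep the two in step when one is changed.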