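#!/bin/bash
#
# Verify detached GPG signatures over the boot tree.
#
# Every regular file under /boot (except the EFI tree, the .sig files
# themselves, grubenv and the taint marker) and every *.cfg / *.efi file
# under /boot/efi must have a companion "<file>.sig" that gpg verifies.
# When anything is missing or fails, /boot/boot-tainted is created;
# otherwise a stale marker is removed.
#
# Exit status: 0 everything signed and verified,
#              1 at least one signature missing,
#              2 at least one signature bad (takes precedence over 1).
#
# /run/sign-verify-boot-flag is shared with the signing counterpart so the
# two never run at the same time.

set -u

readonly flag=/run/sign-verify-boot-flag
readonly taint=/boot/boot-tainted

# NUL-delimited list of files under /boot that must carry a .sig.
# "-iname efi -prune" skips anything named efi anywhere below /boot, not
# only /boot/efi — kept as in the original.
list_boot_files() {
  find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o \
    -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o \
    -type f -print0
}

# NUL-delimited list of *.cfg and *.efi files under /boot/efi.
# The previous expression `-iname "*.cfg" -type f -o -iname "*.efi" -type f -print`
# bound the explicit -print to the *.efi branch only, so *.cfg files were
# matched but never printed and therefore never checked.  If the signing
# counterpart uses the same expression, it needs the same fix or every
# .cfg will now be reported as "Missing".
list_efi_files() {
  find /boot/efi \( -iname "*.cfg" -o -iname "*.efi" \) -type f -print0
}

#######################################
# Report files from the NUL-delimited list on stdin that lack a .sig.
# Outputs:   "Missing: <file>" per file, to stdout
# Returns:   1 if any signature is missing, else 0
#######################################
report_missing() {
  local f rc=0
  while IFS= read -r -d '' f; do
    if [ ! -f "$f.sig" ]; then
      echo "Missing: $f"
      rc=1
    fi
  done
  return "$rc"
}

#######################################
# Verify every file from the NUL-delimited list on stdin that has a .sig.
# Outputs:   "Good: <file>" or "Bad: <file>" per file, to stdout
# Returns:   2 if any verification failed, else 0
#######################################
verify_signed() {
  local f rc=0
  while IFS= read -r -d '' f; do
    [ -f "$f.sig" ] || continue
    # gpg reports "good" for any key in the invoking user's keyring; a Good
    # line therefore says "signed by some trusted-keyring key", not "signed
    # by the boot-signing key" unless that keyring holds only that key.
    if gpg --verify-files "$f.sig" > /dev/null 2>&1; then
      echo "Good: $f"
    else
      echo "Bad: $f"
      rc=2
    fi
  done
  return "$rc"
}

main() {
  local ec=0 bad='Good'

  # Wait for a concurrent signer/verifier.  The test-then-touch below is
  # not atomic; two processes starting in the same instant can both pass.
  # Kept because the signing counterpart relies on this exact protocol.
  if [ -f "$flag" ]; then
    echo "[-] Waiting for in-progress Signing / Verifying!"
    while lsof "$flag" > /dev/null 2>&1; do sleep 0.1; done
    while [ -f "$flag" ]; do sleep 0.1; done
  fi
  /usr/bin/touch "$flag"
  # Drop the flag on every exit path (including signals) so an interrupted
  # run cannot leave a stale flag that blocks all later runs forever.
  trap '/usr/bin/rm -f "$flag"' EXIT

  echo "[*] Preparing to verify!"
  echo "[-] Missing Signatures:"
  list_boot_files | report_missing || ec=1
  list_efi_files | report_missing || ec=1

  echo "[*] Signed:"
  # A bad signature outranks a missing one in the exit status.
  list_boot_files | verify_signed || { bad='Bad'; ec=2; }
  list_efi_files | verify_signed || { bad='Bad'; ec=2; }

  echo "[-] Signature State: $bad"
  if [ "$ec" -ne 0 ]; then
    touch "$taint"
  elif [ -f "$taint" ]; then
    rm -f "$taint"
  fi

  echo "[*] Finished Verification!"
  exit "$ec"
}

main "$@"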