enforce signatures
This commit is contained in:
parent
62f0556e01
commit
04ad78a6e1
2 changed files with 30 additions and 15 deletions
43
build.sh
43
build.sh
|
@ -22,7 +22,25 @@ else
|
|||
DATA="${ESP}"
|
||||
fi
|
||||
|
||||
PGP_PUB='BADA5579'
|
||||
PGP_PUB='312ACDF9BB03C81ADE95B9C09C7613450C80C24F'
|
||||
function sign {
|
||||
if [ -d "${1}" ] ; then
|
||||
local file
|
||||
local files
|
||||
readarray -t files <<< "$(find "${1}" -type f | sort)"
|
||||
for file in "${files[@]}" ; do
|
||||
sign "${file}"
|
||||
done
|
||||
fi
|
||||
if [ -f "${1}" ] ; then
|
||||
echo "${1}"
|
||||
gpg \
|
||||
--quiet \
|
||||
--default-key "${PGP_PUB}!" \
|
||||
--detach-sign \
|
||||
"${1}"
|
||||
fi
|
||||
}
|
||||
|
||||
NAME="$(basename "${FILE}")"
|
||||
PREVIOUS="${PWD}"
|
||||
|
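Review bot: `sign` re-signs its own output on a second run: `find "${1}" -type f` in the `readarray` line also matches the `*.sig` files a previous run left behind, and `gpg --detach-sign` without `--batch --yes` stops at an interactive overwrite prompt (or fails without a tty) once `file.sig` exists, while gpg's exit status is never checked, so a failed signature leaves an unsigned artefact in the image unless the script runs under `set -e`, which is not visible here. The newline-delimited `readarray` also mis-handles a filename containing a newline and turns an empty directory into one empty element. Exclude existing signatures, read NUL-delimited, pass `--batch --yes` and propagate gpg's status; the switch from the short key ID to the full fingerprint in `PGP_PUB` is the right call and is left as is.
```shell
function sign {
  if [ -d "${1}" ] ; then
    local file
    # NUL-delimited and skipping *.sig: re-running the build must not sign old signatures
    while IFS= read -r -d '' file ; do
      sign "${file}"
    done < <(find "${1}" -type f ! -name '*.sig' -print0 | sort -z)
  fi
  if [ -f "${1}" ] ; then
    echo "${1}"
    # --batch --yes: never prompt, replace a stale .sig; a signing failure must fail the build
    gpg --quiet --batch --yes --default-key "${PGP_PUB}!" --detach-sign "${1}" || return 1
  fi
}
```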
@ -129,7 +147,7 @@ fi
|
|||
mkdir "${BIOS_DIRECTORY}"
|
||||
|
||||
cp '/usr/lib/grub/i386-pc/boot.img' "${BIOS_DIRECTORY}"
|
||||
# gpg --detach-sign "${BIOS_DIRECTORY}/boot.img"
|
||||
sign "${BIOS_DIRECTORY}/boot.img"
|
||||
|
||||
grub-mkimage \
|
||||
--compress "${COMPRESSION}" \
|
||||
|
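Review bot: The signature `sign "${BIOS_DIRECTORY}/boot.img"` produces is not checked by anything at boot time: boot.img is the boot sector the BIOS loads before GRUB and its verifier exist, and the same holds for the core image the following `grub-mkimage` call writes, so on BIOS the chain of trust only starts with the files GRUB itself loads from `${prefix}` and finds a `.sig` for. The detached signature is still useful for verifying build output out of band, so keep the call but say what it does and does not guarantee, e.g. `# .sig is for offline verification of the build only — the BIOS loads boot.img unverified`. Whether this image is also booted via a path that verifies it is not visible here.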
@ -138,7 +156,7 @@ grub-mkimage \
|
|||
--output "${BIOS_FILE}" \
|
||||
--pubkey "${MEMDISK_PUB}" \
|
||||
"${MODULES[@]}" "${MODULES_BIOS[@]}"
|
||||
# gpg --detach-sign "${BIOS_FILE}"
|
||||
sign "${BIOS_FILE}"
|
||||
|
||||
echo -n '#! /usr/bin/env bash
|
||||
FILE="$(realpath "${BASH_SOURCE[0]}")"
|
||||
|
@ -148,7 +166,7 @@ DIRECTORY="$(dirname "${FILE}")"
|
|||
--directory "${DIRECTORY}" \
|
||||
"${1}"
|
||||
' >> "${BIOS_SETUP}"
|
||||
# gpg --detach-sign "${BIOS_SETUP}"
|
||||
sign "${BIOS_SETUP}"
|
||||
|
||||
# grub ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅
|
||||
|
||||
|
@ -201,6 +219,8 @@ if [ \"\${cmdroot}\" != \"\${root}\" ] ; then
|
|||
fi
|
||||
fi
|
||||
unset cmdroot
|
||||
check_signatures='enforce'
|
||||
trust --skip-sig \"\${prefix}/grub.pub\"
|
||||
|
||||
function set_init {
|
||||
data_uuid='${DATA}'
|
||||
|
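Review bot: `trust --skip-sig \"\${prefix}/grub.pub\"` imports a key without verifying it, one line after `check_signatures='enforce'` is set, so anyone who can write `grub.pub` under `${prefix}` can re-sign every file with their own key and pass verification; `enforce` then only defends against a modifier who cannot also replace that one file. If `${prefix}` is the memdisk inside the signed core image this is harmless, but if it resolves to the ESP or the data partition it undoes the purpose of the commit. Either drop the line and rely on the key embedded by `grub-mkimage --pubkey "${MEMDISK_PUB}"`, or sign `grub.pub` with that embedded key and use `trust \"\${prefix}/grub.pub\"` without `--skip-sig` so the second key is itself verified before it is trusted. These lines sit inside the quoted grub.cfg template whose `echo -n '…` opens outside the hunk.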
@ -218,12 +238,7 @@ function set_init {
|
|||
unset file
|
||||
}
|
||||
|
||||
function normal_init {
|
||||
check_signatures='no'
|
||||
set_init
|
||||
}
|
||||
|
||||
normal_init
|
||||
set_init
|
||||
|
||||
source \"\${live}/main.sh\"
|
||||
|
||||
|
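Review bot: With `normal_init` gone, the bare `set_init` and the `source \"\${live}/main.sh\"` after it now run under `check_signatures='enforce'`, so every file they read — `main.sh` included — must ship with a `.sig` produced by the same build, and a missing one surfaces only as a verification failure at boot. A comment stating that invariant here would save the next maintainer a boot-time diagnosis, e.g. `# enforce is active from here on: everything set_init and main.sh load must have a .sig (see sign in build.sh)`. Whether every file `set_init` loads falls under the three directories signed at the end of build.sh cannot be told from this hunk, and the grub.cfg template containing these lines begins outside it.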
@ -306,11 +321,9 @@ cd "${DIRECTORY}"
|
|||
|
||||
# sign ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅
|
||||
|
||||
readarray -t files <<< "$(find "${GRUB_ROOT}" -type f | sort)"
|
||||
for file in "${files[@]}" ; do
|
||||
echo "${file}"
|
||||
# gpg --detach-sign "${file}"
|
||||
done
|
||||
sign "${ROOT}/${PROJECT}/live"
|
||||
sign "${GRUB_ROOT}"
|
||||
sign "${UEFI_DIRECTORY}"
|
||||
|
||||
# display ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅
|
||||
|
||||
|
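Review bot: `sign "${UEFI_DIRECTORY}"` writes detached OpenPGP signatures next to whatever EFI binaries live there, which UEFI firmware never consults — Secure Boot checks an Authenticode signature inside the PE file — so if that boundary is in scope the loader needs a separate `sbsign` step, and a comment should say the `.sig` files are for GRUB-loaded files and offline verification only. Because `sign` recurses with `find -type f`, running this block a second time also signs the `.sig` files the first run left in these three trees, so either delete stale signatures before this block or exclude `*.sig` inside `sign`. Which of these directories GRUB actually reads through `${prefix}` is not visible here.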
|
|
@ -12,4 +12,6 @@ menu_split
|
|||
menuentry 'bash / stable / tui' { debsquash '/boot/bash/stable/tui' }
|
||||
menuentry 'bash / stable / gui' { debsquash '/boot/bash/stable/gui' }
|
||||
menuentry 'bash / latest / tui' { debsquash '/boot/bash/latest/tui' }
|
||||
menuentry 'check_signatures = enforce' { check_signatures='enforce' }
|
||||
menuentry 'check_signatures = no' { check_signatures='no' }
|
||||
menuentry 'bash / latest / gui' { debsquash '/boot/bash/latest/gui' }
|
||||
|
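Review bot: The new `menuentry 'check_signatures = no' { check_signatures='no' }` lets anyone at the console switch verification off with one keypress, which turns `enforce` into a default rather than a policy. GRUB signature checking only holds against a local attacker when the menu is locked with `set superusers=` and `password_pbkdf2`, and this entry in particular must not be marked `--unrestricted`. If the toggle exists for debugging, drop it from the shipped menu; otherwise keep it only alongside a configured `superusers` so selecting it requires the password. Whether this menu file already sets `superusers` is outside the hunk.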
|