enforce signatures

This commit is contained in:
Marc Beninca 2023-11-08 09:24:45 +01:00
parent 62f0556e01
commit 04ad78a6e1
2 changed files with 30 additions and 15 deletions


@ -22,7 +22,25 @@ else
DATA="${ESP}" DATA="${ESP}"
fi fi
PGP_PUB='BADA5579' PGP_PUB='312ACDF9BB03C81ADE95B9C09C7613450C80C24F'
function sign {
if [ -d "${1}" ] ; then
local file
local files
readarray -t files <<< "$(find "${1}" -type f | sort)"
for file in "${files[@]}" ; do
sign "${file}"
done
fi
if [ -f "${1}" ] ; then
echo "${1}"
gpg \
--quiet \
--default-key "${PGP_PUB}!" \
--detach-sign \
"${1}"
fi
}
NAME="$(basename "${FILE}")" NAME="$(basename "${FILE}")"
PREVIOUS="${PWD}" PREVIOUS="${PWD}"
@ -129,7 +147,7 @@ fi
mkdir "${BIOS_DIRECTORY}" mkdir "${BIOS_DIRECTORY}"
cp '/usr/lib/grub/i386-pc/boot.img' "${BIOS_DIRECTORY}" cp '/usr/lib/grub/i386-pc/boot.img' "${BIOS_DIRECTORY}"
# gpg --detach-sign "${BIOS_DIRECTORY}/boot.img" sign "${BIOS_DIRECTORY}/boot.img"
grub-mkimage \ grub-mkimage \
--compress "${COMPRESSION}" \ --compress "${COMPRESSION}" \
@ -138,7 +156,7 @@ grub-mkimage \
--output "${BIOS_FILE}" \ --output "${BIOS_FILE}" \
--pubkey "${MEMDISK_PUB}" \ --pubkey "${MEMDISK_PUB}" \
"${MODULES[@]}" "${MODULES_BIOS[@]}" "${MODULES[@]}" "${MODULES_BIOS[@]}"
# gpg --detach-sign "${BIOS_FILE}" sign "${BIOS_FILE}"
echo -n '#! /usr/bin/env bash echo -n '#! /usr/bin/env bash
FILE="$(realpath "${BASH_SOURCE[0]}")" FILE="$(realpath "${BASH_SOURCE[0]}")"
@ -148,7 +166,7 @@ DIRECTORY="$(dirname "${FILE}")"
--directory "${DIRECTORY}" \ --directory "${DIRECTORY}" \
"${1}" "${1}"
' >> "${BIOS_SETUP}" ' >> "${BIOS_SETUP}"
# gpg --detach-sign "${BIOS_SETUP}" sign "${BIOS_SETUP}"
# grub ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ # grub ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅
@ -201,6 +219,8 @@ if [ \"\${cmdroot}\" != \"\${root}\" ] ; then
fi fi
fi fi
unset cmdroot unset cmdroot
check_signatures='enforce'
trust --skip-sig \"\${prefix}/grub.pub\"
function set_init { function set_init {
data_uuid='${DATA}' data_uuid='${DATA}'
@ -218,12 +238,7 @@ function set_init {
unset file unset file
} }
function normal_init {
check_signatures='no'
set_init set_init
}
normal_init
source \"\${live}/main.sh\" source \"\${live}/main.sh\"
@ -306,11 +321,9 @@ cd "${DIRECTORY}"
# sign ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ # sign ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅
readarray -t files <<< "$(find "${GRUB_ROOT}" -type f | sort)" sign "${ROOT}/${PROJECT}/live"
for file in "${files[@]}" ; do sign "${GRUB_ROOT}"
echo "${file}" sign "${UEFI_DIRECTORY}"
# gpg --detach-sign "${file}"
done
# display ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ # display ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅
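Review bot: `trust --skip-sig \"\${prefix}/grub.pub\"` in the @ -201 hunk loads a second trusted key from the boot filesystem without checking the key file, so whoever can write `${prefix}/grub.pub` can substitute their own key and sign a modified tree that the new `check_signatures='enforce'` line will accept; only the `--pubkey "${MEMDISK_PUB}"` key embedded in the image is anchored by the image signature. Unless there is a reason grub.pub cannot carry its own detached signature, drop `--skip-sig` so GRUB verifies `grub.pub.sig` against the built-in key, which the `sign "${GRUB_ROOT}"` pass would produce if grub.pub lives under `GRUB_ROOT` (not visible here). Separately, `find "${1}" -type f` in `sign` also matches existing `*.sig` files, so a second run, or a directory whose files were already signed individually as `BIOS_FILE` and `BIOS_SETUP` are, produces `boot.img.sig.sig`; `readarray -d '' -t files < <(find "${1}" -type f ! -name '*.sig' -print0 | sort -z)` excludes them and also survives newlines in names. The gpg exit status is unchecked too; ending the call with `"${1}" || return 1` keeps a failed or skipped signature from going unnoticed if the script does not run under `set -e` (not visible here).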


@ -12,4 +12,6 @@ menu_split
menuentry 'bash / stable / tui' { debsquash '/boot/bash/stable/tui' } menuentry 'bash / stable / tui' { debsquash '/boot/bash/stable/tui' }
menuentry 'bash / stable / gui' { debsquash '/boot/bash/stable/gui' } menuentry 'bash / stable / gui' { debsquash '/boot/bash/stable/gui' }
menuentry 'bash / latest / tui' { debsquash '/boot/bash/latest/tui' } menuentry 'bash / latest / tui' { debsquash '/boot/bash/latest/tui' }
menuentry 'check_signatures = enforce' { check_signatures='enforce' }
menuentry 'check_signatures = no' { check_signatures='no' }
menuentry 'bash / latest / gui' { debsquash '/boot/bash/latest/gui' } menuentry 'bash / latest / gui' { debsquash '/boot/bash/latest/gui' }
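Review bot: The `menuentry 'check_signatures = no'` entry lets anyone at the console turn signature verification off from the menu, which makes the `enforce` default written into the generated grub.cfg opt-in rather than enforced unless the menu is protected with `set superusers=` and a password (not visible in this file). If the entry is meant as a maintenance escape hatch, keep it reachable only once superusers is configured, where entries are restricted by default, and do not mark it `--unrestricted`. Since `check_signatures` can also be changed from the GRUB command line, that password protection is what actually makes the enforcement in the other file stick; a one-line comment above the entry saying it is superuser-only would document the intent.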