bandie / grub2-signing-extension
The GRUB2 signing extension is a set of scripts that help you verify, sign and unsign your GRUB2 bootloader files using GPG.
License: GNU General Public License v3.0
@Bandie sorry I've been busy with other things and haven't had a chance to update the package in AUR. The script renaming will require some changes to the PKGBUILD, but nothing too extensive. Would you like to take over ownership of the package in AUR? If you don't want to (either because you don't want to or because you don't use Arch, or whatever reason), it's no problem. I'll try to get to updating this package in the next few days. Sorry again for the delay.
Just a quick FYI, when I initially followed the readme I got that error when booting and it dropped me into a grub rescue shell. I had to chroot, reinstall grub and then do grub-install /dev/sda -k /root/pubkey --modules="gcry_sha256 gcry_dsa gcry_rsa gcry_sha512" to make it work.
The grub-unsign command uses rm to dispose of outdated digital signatures. This is not a good practice for signatures that should not be used anymore. The shred --remove=unlink command might be better suited to dispose of the signatures.

A small problem with the shred command is that it uses the disk more than rm.
I would like to package this for Arch Linux's AUR. Normally I would just request the developer tag a release, but in this case I think it would be appropriate if you also signed the release package with your gpg key so that it can be verified when folks download/install it as a part of the AUR package.
Would you be able to do this? Thanks!
Consider a file named /boot/foo * .sig.

The following code:

for i in `find /boot -name "*.sig"`
do
rm $i
done

...will first run rm /boot/foo, then rm * (expanding the wildcard for the current directory), then rm .sig.

A safer way to write this would be:

find /boot -name '*.sig' -exec rm -- '{}' +

...or, less efficiently (but demonstrating safely passing filenames from find into the shell in a manner that works correctly in all the corner cases -- names with literal backslashes, names with literal newlines, etc)...

while IFS= read -r -d '' f; do
    rm -- "$f"
done < <(find /boot -name '*.sig' -print0)

Note the use of --; this is to ensure that subsequent arguments are treated as positional even if they might otherwise be evaluated as options, per POSIX Utility Syntax Guidelines #10.

Similarly, for find, the -exec ... {} + usage can be found in the relevant POSIX specification; the quoting of {} isn't needed for compliant shells, but can be required for zsh.

For IFS= read -r -d '', the -r ensures that backslash literals are passed through unmodified; setting IFS to an empty string prevents whitespace from being trimmed from filenames; -d '' changes the record delimiter to a NUL byte (which is the only character which is guaranteed not to exist inside of a POSIX path). An in-depth discussion can be found in BashFAQ #1.

Using process substitution -- <() -- to generate a filename (typically, on Linux, of the form of /dev/fd/##) is a bashism which allows the loop to occur in the primary interpreter itself rather than in a subshell (as happens when piping into a loop in bash); see BashFAQ #24.
Every time I try to get the gpg key it fails with gpg: keyserver receive failed: General error
I tried to manually download the key directly, but bandie.org throws an error stating that it isn't a known service
[crashbit@gt62vr-6re tmp]$ gpg --verify grub2-signing-extension-0.1.2.tar.gz.asc
gpg: assuming signed data in 'grub2-signing-extension-0.1.2.tar.gz'
gpg: Signature made diumenge, 5 d’agost de 2018, 22:03:40 CEST
gpg: using RSA key E2D7876915312785DC086BFCC1E133BC65A822DD
gpg: Good signature from "Bandie [email protected]" [desconeguda]
gpg: aka "Bandie [email protected]" [desconeguda]
gpg: AVÍS: Aquesta clau no ve certificada per una signatura de confiança!
gpg: No hi ha res que indique que la signatura pertany al seu propietari.
Empremtes digital de la clau primària: E2D7 8769 1531 2785 DC08 6BFC C1E1 33BC 65A8 22DD
Hi, I was packaging the latest release for Arch's AUR, and was curious why you decided to rename the scripts from grub-* to grub2-*?
When I have grub remember my last kernel selection, it changes the /boot/grub/grubenv file and grubenv.sig's signature won't be correct, and I can't boot into the kernel if I have secure boot enabled. Is there any way I can solve this? Thanks
Hi, thanks for your work. I am running Archlinux with UEFI secure mode. Currently I have two issues: