bandie / grub2-signing-extension Goto Github PK

@Bandie sorry I've been busy with other things and haven't had a chance to update the package in AUR. The script renaming will require some changes to the PKGBUILD, but nothing too extensive. Would you like to take over ownership of the package in AUR? If you don't want to (either because you don't want to or because you don't use Arch, or whatever reason), it's no problem.. I'll try to get to updating this package in the next few days. Sorry again for the delay..

Just a quick FYI, when I initally followed the readme I got that error when booting and it dropped me into a grub rescue shell. I had to chroot, reinstall grub and then do grub-install /dev/sda -k /root/pubkey --modules="gcry_sha256 gcry_dsa gcry_rsa gcry_sha512" to make it work.

The grub-unsign command uses rm to dispose of outdated digital signatures. This is not a good practice for signatures that should not be used anymore. The shred --remove=unlink command might be better suited to dispose of the signatures.

A small problem with the shred command is that it uses the disk more than rm.

I would like to package this for Arch Linux's AUR. Normally I would just request the developer tag a release, but in this case I think it would be appropriate if you also signed the release package with your gpg key so that it can be verified when folks download/install it as a part of the AUR package.

Would you be able to do this? Thanks!

Consider a file named /boot/foo * .sig.

The following code:

for i in `find /boot -name "*.sig"` 
do
    rm $i
done

...will first run rm /boot/foo, then rm * (expanding the wildcard for the current directory), then rm .sig.

A safer way to write this would be:

find /boot -name '*.sig' -exec rm -- '{}' +

...or, less efficiently (but demonstrating safely passing filenames from find into the shell in a manner that works correctly in all the corner cases -- names with literal backslashes, names with literal newlines, etc)...

while IFS= read -r -d '' f; do
  rm -- "$f"
done < <(find /boot -name '*.sig' -print0)

Note the use of --; this is to ensure that subsequent arguments are treated as positional rather even if they might otherwise be evaluated as options, per POSIX Utility Syntax Guidelines #10.

Similarly, for find, the -exec ... {} + usage can be found in the relevant POSIX specification; the quoting of {} isn't needed for compliant shells, but can be required for zsh.

For IFS= read -r -d '', the -r ensures that backslash literals are passed through unmodified; setting IFS to an empty string prevents whitespace from being trimmed from filenames; -d '' changes the record delimiter to a NUL byte (which is the only character which is guaranteed not to exist inside of a POSIX path). An in-depth discussion can be found in BashFAQ #1.

Using process substitution -- <() -- to generate a filename (typically, on Linux, of the form of /dev/fd/##) is a bashism which allows the loop to occur in the primary interpreter itself rather than in a subshell (as happens when piping into a loop in bash); see BashFAQ #24.

every time I try to get the gpg key it fails with gpg: keyserver receive failed: General error I tried to manually download the key directly but bandie.org troughs an error stating that it isn't a known service

[crashbit@gt62vr-6re tmp]$ gpg --verify grub2-signing-extension-0.1.2.tar.gz.asc
gpg: assuming signed data in 'grub2-signing-extension-0.1.2.tar.gz'
gpg: Signature made diumenge, 5 d’agost de 2018, 22:03:40 CEST
gpg: using RSA key E2D7876915312785DC086BFCC1E133BC65A822DD
gpg: Good signature from "Bandie [email protected]" [desconeguda]
gpg: aka "Bandie [email protected]" [desconeguda]
gpg: AVÍS: Aquesta clau no ve certificada per una signatura de confiança!
gpg: No hi ha res que indique que la signatura pertany al seu propietari.
Empremtes digital de la clau primària: E2D7 8769 1531 2785 DC08 6BFC C1E1 33BC 65A8 22DD

Hi, I was packaging the latest release for Arch's AUR, and was curious why you decided to rename the scripts from grub-* to grub2-*?

When I have grub remember my last kernel selection. It changes the /boot/grob/grubenv file and grubenv.sig's signature won't be correct, and I can't boot into the kernel is I have secure boot enabled. Is there any way I can solve this? Thanks

Hi, thanks for your work. I am running Archlinux with UEFI secure mode. Currently I have two issues:

1. The script will generate *.sig files and try to overwrite them again for signing purpose. I have to answer yes for each overwriting individually otherwise it will create a new rename file for each *.sig.
2. As /boot/EFI/grub/*.efi has been signed for security boot mode, should the script exclude *.efi to avoid double signing?