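#!/bin/sh
# Regenerate the GRUB configuration and make sure the boot files are signed:
#   - the GRUB EFI binary and the kernels in /boot with sbctl,
#   - every other file under $BL_PATH with a detached GPG signature.
#
# Reads /etc/gsb.conf, which must define GRUB_CONFDIR, BL_PATH and
# GRUB_KEYDIR. Must run as root. Exits non-zero when the configuration cannot
# be generated or when any signing step fails.

# $EUID is bash-only and expands to nothing under a plain /bin/sh, so the
# effective uid is taken from id(1) instead.
[ "$(id -u)" = 0 ] || exit 1

# "." is the POSIX spelling of "source".
# NOTE(review): this file is executed as shell code with root privileges, so
# it should be owned by root and not writable by anyone else.
. /etc/gsb.conf

# Stop early on an unset or empty setting. Unquoted and empty, $BL_PATH would
# make find(1) walk the current directory and $GRUB_KEYDIR would make gpg
# take the next option as its home directory.
: "${GRUB_CONFDIR:?must be set in /etc/gsb.conf}"
: "${BL_PATH:?must be set in /etc/gsb.conf}"
: "${GRUB_KEYDIR:?must be set in /etc/gsb.conf}"

# Do not go on to sign anything if the configuration could not be generated.
if ! grub-mkconfig -o "$GRUB_CONFDIR/grub.cfg"; then
	echo "grub-mkconfig failed; nothing was signed" >&2
	exit 1
fi

rc=0

# First GRUB EFI binary found exactly two levels below $BL_PATH. Empty when
# there is none; the -f test in the loop then skips it.
grub_efi=$(find "$BL_PATH" -mindepth 2 -maxdepth 2 -type f -iname 'grub*.efi' | head -n 1)

for f in "$grub_efi" /boot/vmlinu[xz]-* /boot/kernel-*; do
	# Also skips glob patterns that matched nothing and stayed literal.
	[ -f "$f" ] || continue
	# Leave the file alone only when sbctl verify succeeds and its output does
	# not end in "not signed"; in every other case (re-)sign it.
	if cmd_out=$(sbctl verify "$f"); then
		case $cmd_out in
		*"not signed") ;;
		*) continue ;;
		esac
	fi
	printf '%s\n' "Signing $f..."
	if ! sbctl sign -s "$f"; then
		printf '%s\n' "sbctl could not sign $f" >&2
		rc=1
	fi
done

# Everything else under $BL_PATH gets a detached GPG signature. The exclusion
# matches the file-name suffix only, so a name that merely contains ".sig" or
# ".efi" is still signed. find passes the paths to the inner shell as
# arguments, which keeps names with whitespace intact; find returns non-zero
# when the inner shell does.
find "$BL_PATH" -type f ! -name '*.efi' ! -name '*.sig' -exec sh -c '
	keydir=$1
	shift
	failed=0
	for f in "$@"; do
		if [ -f "$f.sig" ]; then
			# Name the signed file explicitly so gpg checks the signature
			# against this file instead of deriving it from the .sig name.
			# Verification noise is discarded; only the status matters.
			gpg --homedir "$keydir" --verify "$f.sig" "$f" 2>/dev/null && continue
			# Stale or invalid signature: remove it and sign again.
			rm -f -- "$f.sig"
		fi
		printf "%s\n" "Signing $f..."
		# stderr stays visible here so a failed signature can be diagnosed.
		if ! gpg --homedir "$keydir" --detach-sign "$f"; then
			printf "%s\n" "gpg could not sign $f" >&2
			failed=1
		fi
	done
	exit "$failed"
' sh "$GRUB_KEYDIR" {} + || rc=1

exit "$rc"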