cfg/bin/boot-verify

44 lines
942 B
Text
Raw Normal View History

#!/bin/bash
set -euo pipefail
# Needs to run as root to get all hashes
[ $(id -u) -eq 0 ] || exec sudo $0 "$@"
# Read command from CLI
cmd=${1:-verify}
KEY=${KEY:-6A64A47A}
signature_file=/boot/files.sig
case "${cmd}" in
# Create a new signature file
sign)
find /boot -type f -! -name 'files.sig' -! -name 'files.sha512' -exec sha512sum '{}' \; >/boot/files.sha512
gpg --output ${signature_file} --detach-sign /boot/files.sha512
;;
# Verify signature file
verify)
[ -f ${signature_file} ] || {
echo "Signature file not yet initialized. Use '$0 sign'"
exit 1
}
find /boot -type f -! -name 'files.sig' -! -name 'files.sha512' -exec sha512sum '{}' \; >/tmp/files.sha512
gpg --verify ${signature_file} /tmp/files.sha512 || {
echo
echo '/!\ ATTENTION: SIGNATURE MISMATCH! /!\'
echo
diff -wu /boot/files.sha512 /tmp/files.sha512
exit 1
}
;;
*)
echo "Unsupported command '${cmd}': $0 <sign|verify>"
exit 1
;;
esac