Add boot-verify script
Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
parent
d3f1069965
commit
bf1491f800
1 changed files with 36 additions and 0 deletions
36
bin/boot-verify
Executable file
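--- a/bin/boot-verify
+++ b/bin/boot-verify
@@ -0,0 +1,36 @@
+#!/bin/bash
+set -euo pipefail
+
+# Needs to run as root to get all hashes
+[ $(id -u) -eq 0 ] || exec sudo $0 "$@"
+
+# Read command from CLI
+cmd=${1:-verify}
+KEY=${KEY:-6A64A47A}
+signature_file=/boot/files.sig
+
+case "${cmd}" in
+
+# Create a new signature file
+sign)
+find /boot -type f -! -name 'files.sig' -exec sha512sum '{}' \; |
+gpg --output ${signature_file} --detach-sign
+;;
+
+# Verify signature file
+verify)
+[ -f ${signature_file} ] || {
+echo "Signature file not yet initialized. Use '$0 sign'"
+exit 1
+}
+
+find /boot -type f -! -name 'files.sig' -exec sha512sum '{}' \; |
+gpg --verify ${signature_file} -
+;;
+
+*)
+echo "Unsupported command '${cmd}': $0 <sign|verify>"
+exit 1
+;;
+
+esac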
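Review bot: `KEY=${KEY:-6A64A47A}` is assigned but never referenced, so the `sign` arm signs with gpg's default key and the `verify` arm passes for a valid signature from any key in root's keyring rather than the intended one; pin the signer with `gpg --local-user "${KEY}" --output "${signature_file}" --detach-sign` and, on the verify side, check who signed instead of only the exit status, e.g. `gpgv --keyring /etc/boot-verify.gpg "${signature_file}" -` against a keyring that holds only that key (a bare `gpg --verify` also exits 0 for a good signature from a key with no trust). `6A64A47A` is a 32-bit short key ID, which is cheap to collide, so the pinned value should be a full fingerprint. The hash list is the raw `find` output, whose order is whatever the directory returns, so `| LC_ALL=C sort` before both `gpg` calls would keep an unchanged /boot from failing verification after entries are reordered (the signature has to be regenerated once). Note that /boot/files.sig and this script sit on the same disk as what they attest, so an attacker who can already write /boot as root can also re-sign if the private key is usable on the host — where the key lives is not visible here, but a passphrase-protected or offline signing key and running the verify step from trusted media is what keeps the check meaningful. `$0` and `${signature_file}` should be quoted (`exec sudo "$0" "$@"`).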