#!/bin/bash set -euo pipefail # Needs to run as root to get all hashes [ $(id -u) -eq 0 ] || exec sudo $0 "$@" # Read command from CLI cmd=${1:-verify} KEY=${KEY:-6A64A47A} signature_file=/boot/files.sig case "${cmd}" in # Create a new signature file sign) find /boot -type f -! -name 'files.sig' -! -name 'files.sha512' -exec sha512sum '{}' \; >/boot/files.sha512 gpg --output ${signature_file} --detach-sign /boot/files.sha512 ;; # Verify signature file verify) [ -f ${signature_file} ] || { echo "Signature file not yet initialized. Use '$0 sign'" exit 1 } find /boot -type f -! -name 'files.sig' -! -name 'files.sha512' -exec sha512sum '{}' \; >/tmp/files.sha512 gpg --verify ${signature_file} /tmp/files.sha512 || { echo echo '/!\ ATTENTION: SIGNATURE MISMATCH! /!\' echo diff -wu /boot/files.sha512 /tmp/files.sha512 exit 1 } ;; *) echo "Unsupported command '${cmd}': $0 " exit 1 ;; esac