43 lines
950 B
Bash
Executable file
43 lines
950 B
Bash
Executable file
#!/bin/bash
|
|
set -euo pipefail
|
|
|
|
# Needs to run as root to get all hashes
|
|
[ $(id -u) -eq 0 ] || exec sudo $0 "$@"
|
|
|
|
# Read command from CLI
|
|
cmd=${1:-verify}
|
|
KEY=${KEY:-6A64A47A}
|
|
signature_file=/boot/files.sig
|
|
|
|
case "${cmd}" in
|
|
|
|
# Create a new signature file
|
|
sign)
|
|
find /boot -type f -! -name 'files.sig' -! -name 'files.sha512' -exec sha512sum '{}' \; >/boot/files.sha512
|
|
gpg --output ${signature_file} --detach-sign /boot/files.sha512
|
|
;;
|
|
|
|
# Verify signature file
|
|
verify)
|
|
[ -f ${signature_file} ] || {
|
|
echo "Signature file not yet initialized. Use '$0 sign'"
|
|
exit 1
|
|
}
|
|
|
|
find /boot -type f -! -name 'files.sig' -! -name 'files.sha512' -exec sha512sum '{}' \; >/tmp/files.sha512
|
|
gpg --verify ${signature_file} /tmp/files.sha512 || {
|
|
echo
|
|
echo '/!\ ATTENTION: SIGNATURE MISMATCH! /!\'
|
|
echo
|
|
diff -wu --color /boot/files.sha512 /tmp/files.sha512
|
|
|
|
exit 1
|
|
}
|
|
;;
|
|
|
|
*)
|
|
echo "Unsupported command '${cmd}': $0 <sign|verify>"
|
|
exit 1
|
|
;;
|
|
|
|
esac
|