add signing check

2025-09-26 17:21:01 -05:00 · 2025-09-26 17:21:01 -05:00 · 6fba299baa
commit 6fba299baa
parent 2565b1f565
1 changed files with 41 additions and 10 deletions
--- a/src/ksigner.in
+++ b/src/ksigner.in
@ -27,6 +27,7 @@ REQUIRED_BINARIES=(
 	"openssl"
 	"mokutil"
 	"sbsign"
+	"sbverify"
 	"sha512hmac"
 )

@ -110,6 +111,29 @@ version_greater() {
 	[ "$ver1" = "$(printf '%s\n%s' "$ver1" "$ver2" | sort -V | tail -n1)" ]
 }

+check_kernel_signature() {
+	local kernel_file="$1"
+
+	if [[ -z "$kernel_file" ]]; then
+		echo "Error: File '$kernel_file' not provided"
+		return 1
+	fi
+
+	if [[ ! -f "$kernel_file" ]]; then
+		echo "Error: File '$kernel_file' not found"
+		return 1
+	fi
+
+	local output
+	output=$(sbverify --list "$kernel_file" 2>&1)
+
+	if [[ -n "$output" ]] && ([[ "$output" == *"signature"* ]] || [[ "$output" == *"issuer"* ]] || [[ "$output" == *"Certificate"* ]]); then
+		return 0
+	fi
+
+	return 1
+}
+
 find_all_kernels() {
 	local all_files=()
 	for file in /boot/vmlinuz-*; do
@ -190,8 +214,15 @@ sign_kernel() {
 	local kern_version="$1"
 	local kern_file="$2"

-	# Step 1: Sign the kernel
-	log "[Step 1] Signing '$kern_version'..."
+	# Step 1: Check if the kernel is already signed
+	log "[Step 1] Checking if '$kern_version' is already signed..."
+	if check_kernel_signature "$kern_file"; then
+		log "'$kern_version' is already signed, skipping"
+		return
+	fi
+
+	# Step 2: Sign the kernel
+	log "[Step 2] Signing '$kern_version'..."
 	/usr/bin/sbsign \
 		--key "$KEY_PRIV_DIR$KEY_PRIV" \
 		--cert "$KEY_PUB_DIR$KEY_PUB" \
@ -199,23 +230,23 @@ sign_kernel() {
 		--output "$kern_file.signed" ||
 		panic "[Step 1] Failed to sign '$kern_version'"

-	# Step 2: Verify the kernel was signed
-	log "[Step 2] Verifying '$kern_file' was signed"
+	# Step 3: Verify the kernel was signed
+	log "[Step 3] Verifying '$kern_file' was signed"
 	[ -f "$kern_file.signed" ] ||
 		panic "'$kern_file.signed' was not found"

-	# Step 3: Move the signed kernel
-	log "[Step 3] Moving '$kern_file.signed' to '$kern_file'"
+	# Step 4: Move the signed kernel
+	log "[Step 4] Moving '$kern_file.signed' to '$kern_file'"
 	mv -f "$kern_file.signed" "$kern_file" ||
 		panic "Failed to move '$kern_file.signed'"

-	# Step 4: Make the kernel executable
-	log "[Step 4] Setting permissions for '$kern_file'"
+	# Step 5: Make the kernel executable
+	log "[Step 5] Setting permissions for '$kern_file'"
 	chmod +x "$kern_file" ||
 		panic "Failed to make '$kern_file' executable"

-	# Step 5: Create the HMAC
-	log "[Step 5] Creating HMAC for '$kern_file'"
+	# Step 6: Create the HMAC
+	log "[Step 6] Creating HMAC for '$kern_file'"
 	sha512hmac "$kern_file" >"${kern_file/vmlinuz/.vmlinuz}.hmac" ||
 		panic "Failed to create HMAC for '$kern_file'"