diff --git a/src/ksigner.in b/src/ksigner.in
old mode 100644
new mode 100755
index 78c4535..9c0a4ec
--- a/src/ksigner.in
+++ b/src/ksigner.in
@@ -27,6 +27,7 @@ REQUIRED_BINARIES=(
 "openssl"
 "mokutil"
 "sbsign"
+ "sbverify"
 "sha512hmac"
 )
@@ -110,6 +111,29 @@ version_greater() {
 [ "$ver1" = "$(printf '%s\n%s' "$ver1" "$ver2" | sort -V | tail -n1)" ]
 }
+check_kernel_signature() {
+ local kernel_file="$1"
+
+ if [[ -z "$kernel_file" ]]; then
+ echo "Error: File '$kernel_file' not provided"
+ return 1
+ fi
+
+ if [[ ! -f "$kernel_file" ]]; then
+ echo "Error: File '$kernel_file' not found"
+ return 1
+ fi
+
+ local output
+ output=$(sbverify --list "$kernel_file" 2>&1)
+
+ if [[ -n "$output" ]] && ([[ "$output" == *"signature"* ]] || [[ "$output" == *"issuer"* ]] || [[ "$output" == *"Certificate"* ]]); then
+ return 0
+ fi
+
+ return 1
+}
+
 find_all_kernels() {
 local all_files=()
 for file in /boot/vmlinuz-*; do
@@ -190,8 +214,15 @@ sign_kernel() {
 local kern_version="$1"
 local kern_file="$2"
- # Step 1: Sign the kernel
- log "[Step 1] Signing '$kern_version'..."
+ # Step 1: Check if the kernel is already signed
+ log "[Step 1] Checking if '$kern_version' is already signed..."
+ if check_kernel_signature "$kern_file"; then
+ log "'$kern_version' is already signed, skipping"
+ return
+ fi
+
+ # Step 2: Sign the kernel
+ log "[Step 2] Signing '$kern_version'..."
 /usr/bin/sbsign \
 --key "$KEY_PRIV_DIR$KEY_PRIV" \
 --cert "$KEY_PUB_DIR$KEY_PUB" \
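Review bot: check_kernel_signature decides that a kernel is signed by substring-matching the combined stdout and stderr of `sbverify --list` for "signature", "issuer" or "Certificate", so any diagnostic that happens to contain one of those words (an "unsigned image" style message is likely to mention the word signature, for instance) is taken as a valid signature, and sign_kernel then skips that kernel for good. The check also accepts a signature from any key, not the certificate this script signs with, so a kernel carrying an older or foreign signature whose certificate is presumably not enrolled would be left alone rather than re-signed. Verify against the script's own certificate and use the exit status instead, replacing the `local output` / `output=$(...)` / substring `if` block with `sbverify --cert "$KEY_PUB_DIR$KEY_PUB" "$kernel_file" >/dev/null 2>&1`. The two error `echo`s should also go to stderr with `>&2` so they are not mistaken for data by a caller using `$(...)`, and the first one prints an empty file name.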
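Review bot: The early `return` for an already-signed kernel leaves sign_kernel before the HMAC step, so if a previous run panicked after the signed file was moved into place (the chmod or sha512hmac failures in the following hunk both exit via panic), the kernel is signed but has no `.hmac` file and every later run skips it; the skip should cover only the sbsign/mv/chmod steps and still fall through to `sha512hmac`, or the check should additionally require the `${kern_file/vmlinuz/.vmlinuz}.hmac` file to exist. The sbsign call that starts at the end of this hunk continues in the next hunk, where its failure message still reads `panic "[Step 1] Failed to sign '$kern_version'"` although signing is now Step 2; change it to `panic "[Step 2] Failed to sign '$kern_version'"`. sign_kernel's body continues past this hunk.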
@@ -199,23 +230,23 @@ sign_kernel() {
 --output "$kern_file.signed" || panic "[Step 1] Failed to sign '$kern_version'"
- # Step 2: Verify the kernel was signed
- log "[Step 2] Verifying '$kern_file' was signed"
+ # Step 3: Verify the kernel was signed
+ log "[Step 3] Verifying '$kern_file' was signed"
 [ -f "$kern_file.signed" ] || panic "'$kern_file.signed' was not found"
- # Step 3: Move the signed kernel
- log "[Step 3] Moving '$kern_file.signed' to '$kern_file'"
+ # Step 4: Move the signed kernel
+ log "[Step 4] Moving '$kern_file.signed' to '$kern_file'"
 mv -f "$kern_file.signed" "$kern_file" || panic "Failed to move '$kern_file.signed'"
- # Step 4: Make the kernel executable
- log "[Step 4] Setting permissions for '$kern_file'"
+ # Step 5: Make the kernel executable
+ log "[Step 5] Setting permissions for '$kern_file'"
 chmod +x "$kern_file" || panic "Failed to make '$kern_file' executable"
- # Step 5: Create the HMAC
- log "[Step 5] Creating HMAC for '$kern_file'"
+ # Step 6: Create the HMAC
+ log "[Step 6] Creating HMAC for '$kern_file'"
 sha512hmac "$kern_file" >"${kern_file/vmlinuz/.vmlinuz}.hmac" || panic "Failed to create HMAC for '$kern_file'"