add signing check

This commit is contained in:
Radon 2025-09-26 17:21:01 -05:00
parent 2565b1f565
commit 6fba299baa

51
src/ksigner.in Normal file → Executable file

@ -27,6 +27,7 @@ REQUIRED_BINARIES=(
"openssl" "openssl"
"mokutil" "mokutil"
"sbsign" "sbsign"
"sbverify"
"sha512hmac" "sha512hmac"
) )
@ -110,6 +111,29 @@ version_greater() {
[ "$ver1" = "$(printf '%s\n%s' "$ver1" "$ver2" | sort -V | tail -n1)" ] [ "$ver1" = "$(printf '%s\n%s' "$ver1" "$ver2" | sort -V | tail -n1)" ]
} }
check_kernel_signature() {
local kernel_file="$1"
if [[ -z "$kernel_file" ]]; then
echo "Error: File '$kernel_file' not provided"
return 1
fi
if [[ ! -f "$kernel_file" ]]; then
echo "Error: File '$kernel_file' not found"
return 1
fi
local output
output=$(sbverify --list "$kernel_file" 2>&1)
if [[ -n "$output" ]] && ([[ "$output" == *"signature"* ]] || [[ "$output" == *"issuer"* ]] || [[ "$output" == *"Certificate"* ]]); then
return 0
fi
return 1
}
find_all_kernels() { find_all_kernels() {
local all_files=() local all_files=()
for file in /boot/vmlinuz-*; do for file in /boot/vmlinuz-*; do
@ -190,8 +214,15 @@ sign_kernel() {
local kern_version="$1" local kern_version="$1"
local kern_file="$2" local kern_file="$2"
# Step 1: Sign the kernel # Step 1: Check if the kernel is already signed
log "[Step 1] Signing '$kern_version'..." log "[Step 1] Checking if '$kern_version' is already signed..."
if check_kernel_signature "$kern_file"; then
log "'$kern_version' is already signed, skipping"
return
fi
# Step 2: Sign the kernel
log "[Step 2] Signing '$kern_version'..."
/usr/bin/sbsign \ /usr/bin/sbsign \
--key "$KEY_PRIV_DIR$KEY_PRIV" \ --key "$KEY_PRIV_DIR$KEY_PRIV" \
--cert "$KEY_PUB_DIR$KEY_PUB" \ --cert "$KEY_PUB_DIR$KEY_PUB" \
@ -199,23 +230,23 @@ sign_kernel() {
--output "$kern_file.signed" || --output "$kern_file.signed" ||
panic "[Step 1] Failed to sign '$kern_version'" panic "[Step 1] Failed to sign '$kern_version'"
# Step 2: Verify the kernel was signed # Step 3: Verify the kernel was signed
log "[Step 2] Verifying '$kern_file' was signed" log "[Step 3] Verifying '$kern_file' was signed"
[ -f "$kern_file.signed" ] || [ -f "$kern_file.signed" ] ||
panic "'$kern_file.signed' was not found" panic "'$kern_file.signed' was not found"
# Step 3: Move the signed kernel # Step 4: Move the signed kernel
log "[Step 3] Moving '$kern_file.signed' to '$kern_file'" log "[Step 4] Moving '$kern_file.signed' to '$kern_file'"
mv -f "$kern_file.signed" "$kern_file" || mv -f "$kern_file.signed" "$kern_file" ||
panic "Failed to move '$kern_file.signed'" panic "Failed to move '$kern_file.signed'"
# Step 4: Make the kernel executable # Step 5: Make the kernel executable
log "[Step 4] Setting permissions for '$kern_file'" log "[Step 5] Setting permissions for '$kern_file'"
chmod +x "$kern_file" || chmod +x "$kern_file" ||
panic "Failed to make '$kern_file' executable" panic "Failed to make '$kern_file' executable"
# Step 5: Create the HMAC # Step 6: Create the HMAC
log "[Step 5] Creating HMAC for '$kern_file'" log "[Step 6] Creating HMAC for '$kern_file'"
sha512hmac "$kern_file" >"${kern_file/vmlinuz/.vmlinuz}.hmac" || sha512hmac "$kern_file" >"${kern_file/vmlinuz/.vmlinuz}.hmac" ||
panic "Failed to create HMAC for '$kern_file'" panic "Failed to create HMAC for '$kern_file'"
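Review bot: check_kernel_signature (hunk at -110) decides "already signed" from substrings of `sbverify --list` output, which only shows that some signature is present, not that it verifies against the key this script signs with, so a kernel carrying a distro signature would be skipped by the new Step 1 of sign_kernel and never get a MOK signature or a fresh HMAC. Because stderr is merged via 2>&1 and the match is on the word "signature", sbverify's diagnostic for an unsigned image (which, as far as I recall, contains that word) may also be taken as signed. Let sbverify do the verification: replace the `output=`/pattern block with `sbverify --cert "$KEY_PUB_DIR$KEY_PUB" "$kernel_file" >/dev/null 2>&1` as the last command, so its exit status becomes the function's return value. The two `echo "Error: ..."` lines should be sent to stderr with `>&2` so they are not mistaken for normal output. Separately, the panic message at the sbsign call in the last hunk still says `[Step 1]` although the log line above it was renumbered to `[Step 2]`.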