71 lines
1.6 KiB
Bash
Executable File
71 lines
1.6 KiB
Bash
Executable File
#!/bin/bash
|
|
set -e
|
|
# we need to set lastpipe so we can read the signers into the signers array below
|
|
shopt -s lastpipe
|
|
|
|
exit=0
|
|
|
|
quiet=""
|
|
if [ "$1" = "-q" ]; then
|
|
quiet=true
|
|
shift
|
|
fi
|
|
|
|
compress_type() {
|
|
local file="$1"
|
|
magic="$(od -x -N2 "$file" | head -1 | cut -d' ' -f2)"
|
|
case $magic in
|
|
8b1f)
|
|
echo "gzip"
|
|
;;
|
|
*)
|
|
echo "none"
|
|
;;
|
|
esac
|
|
}
|
|
|
|
for signed_binary in "$@"; do
|
|
if [ ! -e "$signed_binary" ]; then
|
|
echo "E: $signed_binary: file not found">&2
|
|
exit=1
|
|
continue
|
|
fi
|
|
|
|
if [ "$(compress_type "$signed_binary")" = "gzip" ]; then
|
|
_signed_binary="$(mktemp)"
|
|
trap 'rm -f "$_signed_binary"' EXIT
|
|
gunzip < "$signed_binary" > "$_signed_binary"
|
|
else
|
|
_signed_binary="$signed_binary"
|
|
fi
|
|
sbverify --list "$_signed_binary" | grep subject: | grep -E -o "CN=([^/]|\\/)*" | readarray -t signers
|
|
if [ -z "$signers" ]; then
|
|
echo "E: $signed_binary: Could not find signing subject, sbverify output follows:">&2
|
|
sbverify --list "$_signed_binary" >&2
|
|
exit=1
|
|
continue
|
|
fi
|
|
|
|
for signer in "${signers[@]}"; do
|
|
revoked=$(grep -xF "$signer" << EOF
|
|
CN=Canonical Ltd. Secure Boot Signing
|
|
CN=Canonical Ltd. Secure Boot Signing (2017)
|
|
CN=Canonical Ltd. Secure Boot Signing (ESM 2018)
|
|
CN=Canonical Ltd. Secure Boot Signing (2019)
|
|
CN=Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
|
|
CN=Canonical Ltd. Secure Boot Signing (2021 v1)
|
|
CN=Canonical Ltd. Secure Boot Signing (2021 v2)
|
|
CN=Canonical Ltd. Secure Boot Signing (2021 v3)
|
|
EOF
|
|
) || true
|
|
|
|
if [ "$revoked" ]; then
|
|
if [ -z "$quiet" ]; then
|
|
echo "E: $signed_binary: revoked key $revoked used">&2
|
|
fi
|
|
exit=1
|
|
fi
|
|
done
|
|
done
|
|
exit $exit
|