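#!/usr/bin/env bash
#
# Replace the GPG public key embedded in a signed GRUB image and re-sign
# the result with a local code-signing key.
#
# Usage: replace-grub-pubkey GRUB_IMAGE PUBKEY_FILE LOCAL_KEYS_DIR
#
#   GRUB_IMAGE      signed GRUB image; overwritten in place with the re-signed image
#   PUBKEY_FILE     GPG public key written into the image's .pubkey section
#   LOCAL_KEYS_DIR  directory holding code-sign.key, code-sign.crt and CA.crt
#
# Side effects: writes code-sign.p12 and CA.der into LOCAL_KEYS_DIR, leaves
# GRUB_IMAGE.unsigned next to the image, and imports CA.crt plus the
# code-sign certificate/key into the pesign NSS database in /etc/pki/pesign.
#
set -euo pipefail

readonly grub_image="${1:?expecting GRUB image as first argument}"
readonly public_key="${2:?expecting GPG public key file as second argument}"
readonly local_keys="${3:?expecting directory containing local signing keys as third argument}"

readonly unsigned_image="${grub_image}.unsigned"

#
# Create unsigned image with embedded key replaced
#
# pesign -r strips the existing signature (index 0) so that the section
# update below does not invalidate a signed image silently.
rm -f -- "${unsigned_image}"
pesign -r -u 0 -i "${grub_image}" -o "${unsigned_image}"
objcopy --update-section .pubkey="${public_key}" "${unsigned_image}"

#
# Re-sign resulting image (steps copied from rpm2img)
#
# Generate the PKCS12 archive for import. The archive carries the private
# key with an empty passphrase (pk12util imports it with -W "" below), so
# it is created with owner-only permissions; the umask change is scoped to
# the subshell and does not affect the other output files.
(
  umask 077
  openssl pkcs12 \
    -export \
    -passout pass: \
    -inkey "${local_keys}/code-sign.key" \
    -in "${local_keys}/code-sign.crt" \
    -certfile "${local_keys}/CA.crt" \
    -out "${local_keys}/code-sign.p12"
)

# Import certificates and private key archive into the pesign NSS database.
readonly PEDB="/etc/pki/pesign"
certutil -d "${PEDB}" -A -n CA -i "${local_keys}/CA.crt" -t "CT,C,C"
certutil -d "${PEDB}" -A -n code-sign-key -i "${local_keys}/code-sign.crt" -t ",,P"
pk12util -d "${PEDB}" -i "${local_keys}/code-sign.p12" -W ""
# List the database contents as a diagnostic of what was imported.
certutil -d "${PEDB}" -L

# Signing key options for pesign, kept as an array so no word-splitting is
# needed when they are passed on.
pesign_key=(-c code-sign-key)

# pesigcheck wants the CA in DER form.
openssl x509 \
  -inform PEM -in "${local_keys}/CA.crt" \
  -outform DER -out "${local_keys}/CA.der"

# Sign the modified image back over the original path (-f overwrites), then
# verify the new signature (index 0) chains to the local CA.
pesign -i "${unsigned_image}" -o "${grub_image}" -f -s "${pesign_key[@]}"
pesigcheck -i "${grub_image}" -n 0 -c "${local_keys}/CA.der"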