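#!/usr/bin/env bash
#
# Create (if missing) an X.509 key pair, show the certificate for review,
# queue the public key for MOK enrollment with mokutil, and optionally hand
# over to the signko script that sits next to this file.
#
# public_key.der, private_key.priv and x509.cnf are resolved relative to the
# current working directory; only signko is looked up via MYCD.

# 0 = a new import request was queued, 1 = mokutil reported the key as already
# enrolled. Exported, presumably so that signko can read it (confirm there).
export MOKISKIP=0
# Absolute directory containing this script.
MYCD="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)"

if [ ! -r public_key.der ] && [ ! -r private_key.priv ]; then
  # Neither file is readable: generate a new key and a self-signed certificate.
  # -nodes writes the private key unencrypted, so file permissions are its only
  # protection. Generate under a restrictive umask so the key file never exists
  # with wider permissions, rather than relying on the chmod afterwards.
  (
    umask 077
    openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config x509.cnf -outform DER -out public_key.der -keyout private_key.priv
  ) || { printf "Key generation failed!\\n" >&2; exit 1; }
  chmod -v 0600 private_key.priv
  chmod -v 0644 public_key.der
elif [ ! -r public_key.der ]; then
  # The private key is present: only re-issue the certificate from it.
  openssl req -x509 -utf8 -sha256 -days 36500 -batch -config x509.cnf -key private_key.priv -outform DER -out public_key.der \
    || { printf "Certificate creation failed!\\n" >&2; exit 1; }
  chmod -v 0644 public_key.der
else
  # public_key.der is readable; nothing is generated.
  printf "Nothing to do in terms of key creation.\\n"
fi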
# Print the certificate details, indented by one space, between two rulers so
# the operator can review what is about to be enrolled.
printf "================\n"
openssl x509 -inform DER -noout -subject -issuer -issuer_hash -dates -serial -fingerprint -ocsp_uri -ext "subjectAltName,subjectKeyIdentifier" -in public_key.der \
  | sed 's/^/ /'
# Keep openssl's status, not sed's; it must be read before any other command runs.
OSLRET="${PIPESTATUS[0]}"
printf "================\n"
if [ "$OSLRET" -ne 0 ]; then
  exit 1
fi

# Anything other than an explicit yes aborts with status 2.
# "j" is accepted as well (German "ja").
read -rp "Is this OK? [y/N] " PROEMT
if [[ "$PROEMT" != [yYjJ] ]]; then
  exit 2
fi
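# Queue the certificate in the MOK import store. mokutil's output is captured
# so that an "already enrolled" notice can be told apart from a new request.
if [ -r public_key.der ]; then
  printf "Importing new public key to MOK import store..."
  if MOKIRET="$(sudo mokutil --import public_key.der 2>&1)"; then
    # Match the captured text literally: %s (not %b) so backslashes in tool
    # output are not interpreted, and a basic regex so grep needs no PCRE support.
    if grep -q 'SKIP:.*already enrolled' <<<"$MOKIRET"; then
      printf " SKIPPED (already enrolled).\\n"
      export MOKISKIP=1
    else
      printf " OK.\\n"
    fi
  else
    printf " FAILED!\\n"
    # Show what mokutil reported instead of discarding the captured output.
    printf '%s\n' "$MOKIRET" >&2
    exit 1
  fi
else
  printf "Public key cannot be read!\\n" >&2
  exit 1
fi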
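# Show the pending import requests in a pager so the operator can check that
# the key queued for enrollment is the one reviewed above.
(printf "LISTING NEW KEYS\\n================\\n";sudo mokutil --list-new)|less
# PIPESTATUS is overwritten by every command, including a `[` test, so the
# status of the listing must be saved right after the pipeline. Testing
# ${PIPESTATUS[0]} after another `[` would only ever see that test's status,
# and a failed listing would go unnoticed before the confirmation prompt.
# NOTE(review): closing the pager before a long listing has been fully written
# may also surface here as a non-zero status.
LISTRET="${PIPESTATUS[0]}"
if [ "$MOKISKIP" -eq 0 ] && [ "$LISTRET" -ne 0 ]; then
  exit 1
fi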
# Second confirmation, after the pending import list has been shown. Any answer
# other than y/Y/j/J withdraws the import request and ends the script.
read -rp "Was this key OK? [y/N] " PROEMT
if [[ "$PROEMT" != [yYjJ] ]]; then
  printf "Deleting key from MOK import store..."
  if sudo mokutil --revoke-import; then
    printf " OK.\\n"
  else
    printf " FAILED!\\n"
    exit 1
  fi
  # Status 127 marks "operator rejected the key, import revoked".
  exit 127
fi
# The reboot notice is shown only when a new import request was queued.
if [ "$MOKISKIP" -eq 0 ]; then
  printf "\\n---- NOTICE ----\\nYou should reboot soon to finish the MOK import in UEFI.\\n\\n"
fi

# Optionally continue with the signko script located next to this file;
# declining ends the script with status 0.
read -rp "Continue to sign NVIDIA kernel modules? [y/N] " PROEMT
if [[ "$PROEMT" == [yYjJ] ]]; then
  "$MYCD"/signko
else
  exit 0
fi