From 69f1bdba2b4eb0383d3cbbafe1a4d90a352f3f19 Mon Sep 17 00:00:00 2001
From: Harald Pfeiffer
Date: Thu, 28 Jan 2021 07:26:08 +0100
Subject: initial commit
---
genkey | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100755 genkey
(limited to 'genkey')
diff --git a/genkey b/genkey
new file mode 100755
index 0000000..779fe6a
--- /dev/null
+++ b/genkey
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+
+export MOKISKIP=0
+MYCD="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)"
+
+if [ ! -r public_key.der ] && [ ! -r private_key.priv ]; then
+ openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config x509.cnf -outform DER -out public_key.der -keyout private_key.priv
+ chmod -v 0600 private_key.priv
+ chmod -v 0644 public_key.der
+elif [ ! -r public_key.der ];then
+ openssl req -x509 -utf8 -sha256 -days 36500 -batch -config x509.cnf -key private_key.priv -outform DER -out public_key.der
+ chmod -v 0644 public_key.der
+else
+ printf "Nothing to do in terms of key creation.\\n"
+fi
+
+printf "================\n"
+openssl x509 -inform DER -noout -subject -issuer -issuer_hash -dates -serial -fingerprint -ocsp_uri -ext "subjectAltName,subjectKeyIdentifier" -in public_key.der|sed 's/^/ /'
+OSLRET="${PIPESTATUS[0]}"
+printf "================\n"
+[ "$OSLRET" -ne 0 ]&&exit 1
+read -rp "Is this OK? [y/N] " PROEMT
+case "$PROEMT" in
+ # we are kartoffels, so we check for "j" as well (as in "JA!")
+ "y"|"Y"|"j"|"J") ;;
+ *) exit 2 ;;
+esac
+
+if [ -r public_key.der ];then
+ printf "Importing new public key to MOK import store..."
+ MOKIRET="$(sudo mokutil --import public_key.der 2>&1)"
+ case "$?" in
+ 0)
+ if printf "%b" "$MOKIRET"|grep -P 'SKIP:.*already enrolled' >/dev/null;then
+ printf " SKIPPED (already enrolled).\\n"
+ export MOKISKIP=1
+ else
+ printf " OK.\\n"
+ fi
+ ;;
+ *) printf " FAILED!\\n";exit 1;;
+ esac
+else
+ printf "Public key cannot be read!\\n" >&2
+ exit 1
+fi
+
+(printf "LISTING NEW KEYS\\n================\\n";sudo mokutil --list-new)|less
+[ "$MOKISKIP" -eq 0 ]&&[ "${PIPESTATUS[0]}" -ne 0 ]&&exit 1
+read -rp "Was this key OK? [y/N] " PROEMT
+case "$PROEMT" in
+ "y"|"Y"|"j"|"J") ;;
+ *)
+ printf "Deleting key from MOK import store..."
+ sudo mokutil --revoke-import
+ case "$?" in
+ 0) printf " OK.\\n";;
+ *) printf " FAILED!\\n";exit 1;;
+ esac
+ exit 127
+ ;;
+esac
+[ "$MOKISKIP" -eq 0 ]&&printf "\\n---- NOTICE ----\\nYou should reboot soon to finish the MOK import in UEFI.\\n\\n"
+
+read -rp "Continue to sign NVIDIA kernel modules? [y/N] " PROEMT
+case "$PROEMT" in
+ "y"|"Y"|"j"|"J") "$MYCD"/signko ;;
+ *) exit 0 ;;
+esac
-- cgit v1.2.3
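Review bot: The check after the `mokutil --list-new` pipeline, `[ "$MOKISKIP" -eq 0 ]&&[ "${PIPESTATUS[0]}" -ne 0 ]&&exit 1`, can never fire, because bash resets `PIPESTATUS` after the first `[` test and the second test then reads that test's status (0) rather than the subshell's. A failed listing therefore still reaches the "Was this key OK?" prompt with nothing shown to verify. Capture the status on the line directly after the pipeline, as the script already does with `OSLRET`: `LISTRET="${PIPESTATUS[0]}"`, then `[ "$MOKISKIP" -eq 0 ]&&[ "$LISTRET" -ne 0 ]&&exit 1`. Separately, the private key is written with `-nodes` and only restricted by `chmod -v 0600` afterwards, whose result is not checked; a `umask 077` before the first `openssl req` would avoid depending on the mode openssl creates the file with. Since this key is enrolled as a MOK for module signing, a comment stating that it is deliberately stored unencrypted, and with 36500 days validity, would tell the next reader how carefully the file has to be protected.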