cachyos-settings/usr/bin/sbctl-batch-sign

30 lines
999 B
Bash
Executable File

#!/usr/bin/env bash
# sbctl-batch-sign is a helper script designed to make it easier for users to sign files needed for secure boot support.
# The obvious case in which this script helps a lot is when dual booting Windows as there are a lot of files by Windows that
# needs to be signed in EFI.
set -e
if [ -f /boot/limine.conf ]; then
echo "Limine detected, please do not use this script."
exit 0
fi
if [ "$(id -u)" -ne 0 ]; then
echo "Error: This script must be run with root privileges."
exit 1
fi
export ESP_PATH=/boot
sbctl verify 2>/dev/null | awk '/✗/ {print $2}' | while IFS= read -r entry; do
# We expect users who use this script to enroll their
# own keys alongside Microsoft's.
# With that in mind, there's no need to sign MS ESP
# files with our own keys.
if [[ "$entry" =~ ^.*/EFI/(Microsoft|Windows) || "$entry" == *.mui || "$entry" == *.dll
|| "$entry" =~ ^/boot/grub ]]; then
continue
fi
sbctl sign -s "$entry"
done