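#!/usr/bin/env bash

# sbctl-batch-sign is a helper script that signs, in one pass, the files that
# `sbctl verify` reports as unsigned, so they can be used with Secure Boot.
# It helps most when dual booting Windows, because the ESP then holds a large
# number of files. Microsoft's own files are deliberately skipped (see the
# filter in the loop below).
#
# Every path that passes the filter is signed with the local sbctl key without
# further inspection. Review the output of `sbctl verify` before running this
# and confirm that each unsigned file is one you expect to find on the ESP.
set -e

# Limine setups are not handled by this script; leave without changing anything.
if [[ -f /boot/limine.conf ]]; then
  echo "Limine detected, please do not use this script."
  exit 0
fi

# Signing needs root; report the problem on stderr and fail.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "Error: This script must be run with root privileges." >&2
  exit 1
fi

# stderr of `sbctl verify` is discarded below and `set -e` does not look at the
# first stage of a pipeline, so a missing sbctl would otherwise end the script
# with status 0 and nothing signed.
if ! command -v sbctl >/dev/null 2>&1; then
  echo "Error: sbctl was not found in PATH." >&2
  exit 1
fi

# Exported so the sbctl processes started below see it.
export ESP_PATH=/boot

# Lines marked with ✗ are the files sbctl reports as failing verification.
# NOTE(review): awk prints only the second whitespace-separated field, so a
# path containing spaces would be truncated here.
sbctl verify 2>/dev/null | awk '/✗/ {print $2}' | while IFS= read -r entry; do
  # We expect users who use this script to enroll their
  # own keys alongside Microsoft's.
  # With that in mind, there's no need to sign MS ESP
  # files with our own keys.
  # Anything under /boot/grub is skipped as well.
  if [[ "$entry" =~ ^.*/EFI/(Microsoft|Windows) || "$entry" == *.mui || "$entry" == *.dll
        || "$entry" =~ ^/boot/grub ]]; then
    continue
  fi

  # -s also saves the file in sbctl's database of files to sign.
  sbctl sign -s "$entry"
done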