Add info on how to fetch autosign key.

(GitHub issue #18)

.drone.yml

@@ -0,0 +1,119 @@
+kind: pipeline
+name: check
+
+volumes:
+- name: debian-package-cache
+  host:
+    path: /var/cache/debian-package-cache
+
+trigger:
+  event:
+    exclude:
+    - tag
+
+steps:
+- name: shellcheck
+  image: debian:stretch-slim
+  pull: always
+  commands:
+  - rm /etc/apt/apt.conf.d/docker-clean
+  - rm /var/cache/apt/archives/lock
+  - echo "APT::Default-Release \"stretch\";" >> /etc/apt/apt.conf.d/00default_release
+  - echo "deb http://deb.debian.org/debian buster main" >> /etc/apt/sources.list.d/buster.list
+  - apt-get update -q
+  - apt-get install -qy -t buster shellcheck
+  - shellcheck hashboot
+  volumes:
+  - name: debian-package-cache
+    path: /var/cache/apt/archives
+
+- name: notify
+  image: drillster/drone-email
+  pull: always
+  settings:
+    host: cryptoparty-celle.de
+    from: drone@tzend.de
+    username:
+      from_secret: email_username
+    password:
+      from_secret: email_password
+  when:
+    status: [ changed, failure ]
+
+---
+
+kind: pipeline
+name: release
+
+volumes:
+- name: debian-package-cache
+  host:
+    path: /var/cache/debian-package-cache
+- name: gpg-key
+  host:
+    path: /home/tastytea/misc/autosign_gpg.key
+
+trigger:
+  event:
+    - tag
+
+steps:
+- name: download tar.gz
+  image: plugins/download
+  settings:
+    source: https://schlomp.space/tastytea/hashboot/archive/${DRONE_TAG}.tar.gz
+    destination: hashboot-${DRONE_TAG}.tar.gz
+
+- name: download zip
+  image: plugins/download
+  settings:
+    source: https://schlomp.space/tastytea/hashboot/archive/${DRONE_TAG}.zip
+    destination: hashboot-${DRONE_TAG}.zip
+
+- name: signature
+  image: debian:stretch-slim
+  pull: always
+  commands:
+  - rm /etc/apt/apt.conf.d/docker-clean
+  - rm -f /var/cache/apt/archives/lock
+  - apt-get update -q
+  - apt-get install -qy gnupg
+  - gpg --import /var/autosign_gpg.key
+  - gpg --verbose --detach-sign *.tar.gz
+  - gpg --verbose --detach-sign *.zip
+  volumes:
+  - name: debian-package-cache
+    path: /var/cache/apt/archives
+  - name: gpg-key
+    path: /var/autosign_gpg.key
+
+- name: release
+  image: plugins/gitea-release
+  pull: always
+  settings:
+    base_url: https://schlomp.space
+    api_key:
+      from_secret: gitea_token
+    title: ${DRONE_TAG}
+    prerelease: true
+    files:
+      - hashboot-${DRONE_TAG}.tar.gz
+      - hashboot-${DRONE_TAG}.tar.gz.sig
+      - hashboot-${DRONE_TAG}.zip
+      - hashboot-${DRONE_TAG}.zip.sig
+    checksum:
+      - sha256
+      - sha512
+
+- name: notify
+  image: drillster/drone-email
+  pull: always
+  settings:
+    host: cryptoparty-celle.de
+    from: drone@tzend.de
+    username:
+      from_secret: email_username
+    password:
+      from_secret: email_password
+  when:
+    status: [ changed, failure ]

LICENSE

@@ -1,4 +1,4 @@
 "THE HUG-WARE LICENSE" (Revision 2):
 teldra <teldra@rotce.de> and tastytea <tastytea@tastytea.de> wrote this.
-As Long as you retain this notice you can do whatever you want with this.
+As long as you retain this notice you can do whatever you want with this.
 If we meet some day, and you think this is nice, you can give us a hug.

README.md

@@ -4,31 +4,73 @@ boot partition. The checksums and a backup of the contents of `/boot` are stored
 in `/var/lib/hashboot` by default. If a checksum doesn't match, you have the
 option to restore the file from backup.
 
-If there is a core- or libreboot bios and flashrom installed, **hashboot** can check bios for modifications too.
+If there is a core- or libreboot BIOS and [flashrom](https://flashrom.org/)
+installed, **hashboot** can check the BIOS for modifications too.
+
+We moved our code to
+[schlomp.space](https://schlomp.space/tastytea/hashboot) but we keep the
+[GitHub-repo](https://github.com/tastytea/hashboot) as a mirror.
 
 # Install
 
+## Packages
+
+### Void Linux
+
+``` shell
+xbps-install -S hashboot
+```
+
+### Gentoo Linux
+
+Ebuilds are available via the
+[tastytea repository](https://schlomp.space/tastytea/overlay).
+
+``` shell
+emerge -a sys-apps/hashboot
+rc-update add hashboot boot
+```
+
+### Arch Linux
+
+Use the [package from AUR](https://aur.archlinux.org/packages/hashboot/).
+
+## Manual
+
+### Any distro
+
+The releases on
+[schlomp.space](https://schlomp.space/tastytea/hashboot/releases) are
+PGP-signed. The key-ID is `F7301ADFC9ED262448C42B64242E5AC4DA587BF9`
+(`242E5AC4DA587BF9`). You can fetch it with `gpg --locate-key
+autosign@tastytea.de`.
+
 * Make hashboot executable
-* Place hashboot anywhere in $PATH
+* Place hashboot anywhere in ${PATH}
 * Install the appropriate init script
-* If applicable, copy kernel-hook to /etc/kernel/post{inst,rm}.d/zzz-hashboot (make sure it is called after all other hooks)
-* To generate the manpage, install asciidoc and run `build_manpage.sh`.
+* If applicable, copy `hooks/kernel-postinst` to /etc/kernel/post{inst,rm}.d/zzz-hashboot
+(make sure it is called after all other hooks)
+* To generate the manpage, install [asciidoc](http://asciidoc.org/) and run
+`build_manpage.sh`.
 
 # Usage
-* First run creates a configuration file. Use bitmask to select desired checkroutines
-* Run "hashboot index" to generate checksums and a backup for /boot and MBR
-* Run "hashboot check" to check /boot and MBR
-* Run "hashboot recover" to replace corrupted files with the backup
+
+* First run creates a configuration file. Select the desired checkroutines
+* Run `hashboot index` to generate checksums and a backup for /boot and MBR
+* Run `hashboot check` to check /boot and MBR
+* Run `hashboot recover` to replace corrupted files with the backup
 
 # Notes
 
 * You can't use the openrc/sysv init scripts with parallel boot.
+* The systemd and SysVinit init scripts have not been tested in a while, but
+will probably work.
 
 # License
 
 ```PLAIN
 "THE HUG-WARE LICENSE" (Revision 2):
 teldra <teldra@rotce.de> and tastytea <tastytea@tastytea.de> wrote this.
-As Long as you retain this notice you can do whatever you want with this.
+As long as you retain this notice you can do whatever you want with this.
 If we meet some day, and you think this is nice, you can give us a hug.
 ```

hashboot

@@ -8,11 +8,14 @@
 ###############################################################################
 # "THE HUG-WARE LICENSE" (Revision 2):                                        #
 # teldra <teldra@rotce.de> and tastytea <tastytea@tastytea.de> wrote this.    #
-# As Long as you retain this notice you can do whatever you want with this.   # 
+# As Long as you retain this notice you can do whatever you want with this.   #
 # If we meet some day, and you think this is nice, you can give us a hug.     #
 ###############################################################################
 
-VERSION="0.9.12"
+# Disable warnings about $?.
+# shellcheck disable=SC2181
+
+VERSION="0.9.14"
 PATH="/bin:/usr/bin:/sbin:/usr/sbin:${PATH}"
 DIGEST_FILE=""
 BACKUP_FILE=""
@@ -47,29 +50,31 @@ die ()
     rm -f "${DIGEST_FILE_TMP}" "${MBR_TMP}" "${BIOS_TMP}"
 
     [ -z "${2}" ] || echo "${2}" >&2
-    exit ${1}
+    exit "${1}"
 }
 
 write_hashes ()
 {
-    #Write header to ${1}
-    echo "#hashboot ${VERSION} - Algorithm: $(basename ${HASHER})" > ${1}
+    local file="${1}"
+    #Write header to ${file}
+    echo "#hashboot ${VERSION} - Algorithm: $(basename ${HASHER})" > "${file}"
 
-    if [ $((${CKMODES} & 001)) -ne 0 ]; then
+    if [ $((CKMODES & 001)) -ne 0 ]; then
         #copy mbr to file
         dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8
-        #Write hash of MBR to ${1}
-        ${HASHER} ${MBR_TMP} >> ${1}
+        #Write hash of MBR to ${file}
+        ${HASHER} ${MBR_TMP} >> "${file}"
     fi
-    if [ $((${CKMODES} & 010)) -ne 0 ]; then
-        #Write hashes of all regular files to ${1}
-        find /boot -type f -exec ${HASHER} --binary {} >> ${1} +
+    if [ $((CKMODES & 010)) -ne 0 ]; then
+        #Write hashes of all regular files to ${file}
+        # shellcheck disable=SC2227
+        find /boot -type f -exec ${HASHER} --binary {} >> "${file}" +
     fi
-    if [ $((${CKMODES} & 100)) -ne 0 ]; then
+    if [ $((CKMODES & 100)) -ne 0 ]; then
         #read bios to file
         flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
-        #and write hashes of bios files to ${1}
-        ${HASHER} ${BIOS_TMP} >> ${1}
+        #and write hashes of bios files to ${file}
+        ${HASHER} ${BIOS_TMP} >> "${file}"
 
     fi
 }
@@ -89,7 +94,9 @@ then
 fi
 
 # Debian < 8 check
-if which lsb_release > /dev/null 2>&1 && [ "$(lsb_release -si)" == "Debian" ] && [ $(lsb_release -sr | cut -d'.' -f1) -lt 8 ]
+if command -v lsb_release > /dev/null \
+        && [ "$(lsb_release -si)" == "Debian" ] \
+        && [ "$(lsb_release -sr | cut -d'.' -f1)" -lt 8 ]
 then
     DD_STATUS="noxfer"
 fi
@@ -97,9 +104,10 @@ fi
 #Look for config file and set ${MBR_DEVICE}.
 if [ -f ${CONFIG_FILE} ]
 then
+    # shellcheck source=/dev/null
     source ${CONFIG_FILE} || die 9 "Error reading config file"
     #compatibility to old cfg format
-    if [ ! -z "${BACKUP_FILE}" ]; then
+    if [ -n "${BACKUP_FILE}" ]; then
         SAVEDIR="/var/lib/hashboot"
         echo "SAVEDIR=${SAVEDIR}" >> ${CONFIG_FILE}
         mkdir -p ${SAVEDIR}
@@ -132,11 +140,11 @@ else
         echo "010=files"
         echo "100=core-/libreboot bios"
         echo "eg. 101 for mbr and bios: "
-        read CKMODES
+        read -r CKMODES
         echo "#001=mbr,010=files,100=bios" >> ${CONFIG_FILE}
         echo "CKMODES=$CKMODES" >> ${CONFIG_FILE}
 
-        if [ $((${CKMODES} & 001)) -ne 0 ]; then
+        if [ $((CKMODES & 001)) -ne 0 ]; then
             echo -n "Which device contains the MBR? [/dev/sda] "
             read -r MBR_DEVICE
             [ -z "${MBR_DEVICE}" ] && MBR_DEVICE="/dev/sda"
@@ -144,21 +152,21 @@ else
             echo "MBR_DEVICE=${MBR_DEVICE}" >> ${CONFIG_FILE}
         fi
 
-        if [ $((${CKMODES} & 100)) -ne 0 ]; then
-            if ! which flashrom; then
+        if [ $((CKMODES & 100)) -ne 0 ]; then
+            if ! command -v flashrom > /dev/null; then
                 echo "You need to have flashrom installed!"
                 echo "Currently it is not installed, don't reboot"
                 echo "If you need another programmer than internal"
-                echo "use the variable PROGRAMMER in $CONFIG_FILE\!"
+                echo "use the variable PROGRAMMER in ${CONFIG_FILE}!"
             fi
-        fi            
+        fi
 
     else
         die 9 "No config file found. Run hashboot interactively to generate one."
     fi
 fi
 
-if [ $((${CKMODES} & 001)) -ne 0 ]; then
+if [ $((CKMODES & 001)) -ne 0 ]; then
     # Find out where the first partition starts and set ${MBR_SIZE} in KiB
     sectorsize=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep '^Units' | awk '{print $8}' )
     if [ "${sectorsize}" == "=" ] # Older versions of util-linux
@@ -171,7 +179,7 @@ if [ $((${CKMODES} & 001)) -ne 0 ]; then
         startsector=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep -A1 'Device' | tail -n1 | awk '{print $3}' )
     fi
 
-    MBR_SIZE=$(expr ${sectorsize} \* ${startsector} / 1024)
+    MBR_SIZE=$((sectorsize * startsector / 1024))
 
     if [ ${?} != 0 ]
     then
@@ -183,10 +191,10 @@ fi
 if [ "${1}" == "index" ]
 then
     #Try different hashers, use the most secure
-    HASHER=$(/usr/bin/which sha512sum 2> /dev/null)
-    test -z "${HASHER}" && HASHER=$(/usr/bin/which sha384sum 2> /dev/null)
-    test -z "${HASHER}" && HASHER=$(/usr/bin/which sha256sum 2> /dev/null)
-    test -z "${HASHER}" && HASHER=$(/usr/bin/which sha224sum 2> /dev/null)
+    HASHER=$(command -v sha512sum)
+    test -z "${HASHER}" && HASHER=$(command -v sha384sum)
+    test -z "${HASHER}" && HASHER=$(command -v sha256sum)
+    test -z "${HASHER}" && HASHER=$(command -v sha224sum)
     #If we found no hasher: exit
     [ -z "${HASHER}" ] && die 5 "No hash calculator found"
 
@@ -205,11 +213,11 @@ then
             for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '<' | cut -d'*' -f2 | sed 's/\ /\\ /g' );
             do
                 #delete from tar
-                tar --delete -v -P -f $BACKUP_FILE $file
+                tar --delete -v -P -f ${BACKUP_FILE} "${file}"
             done
             for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '>' | cut -d'*' -f2 | sed 's/\ /\\ /g' );
             do
-                tar -r -v -P -f $BACKUP_FILE $file
+                tar -r -v -P -f $BACKUP_FILE "${file}"
             done
         fi
     #nur, wenn das updaten des Backups geklappt hat. *im Hinterkopf behalt*
@@ -231,28 +239,28 @@ elif [ "${1}" == "check" ]
 then
     [ -f ${DIGEST_FILE} ] || die 9 "No digestfile"
     HASHER=$(head -n1 ${DIGEST_FILE} | awk '{print $5}')
-    if [ $((${CKMODES} & 001)) != 0 ]; then
+    if [ $((CKMODES & 001)) != 0 ]; then
         dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8
         grep ${MBR_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee ${LOG_FILE}
-        if [ ${PIPESTATUS[2]} -ne 0 ]
+        if [ "${PIPESTATUS[2]}" -ne 0 ]
         then
             echo "    !! TIME TO PANIK: MBR WAS MODIFIED !!"
             COUNTER=$((COUNTER + 1))
         fi
     fi
-    if [ $((${CKMODES} & 010)) -ne 0 ]; then
+    if [ $((CKMODES & 010)) -ne 0 ]; then
         grep -v ${MBR_TMP} ${DIGEST_FILE} | grep -v ${BIOS_TMP} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
-        if [ ${PIPESTATUS[2]} -ne 0 ]
+        if [ "${PIPESTATUS[2]}" -ne 0 ]
         then
             echo "    !! TIME TO PANIK: AT LEAST 1 FILE WAS MODIFIED !!"
             COUNTER=$((COUNTER + 2))
         fi
     fi
-    if [ $((${CKMODES} & 100)) -ne 0 ]; then
+    if [ $((CKMODES & 100)) -ne 0 ]; then
         flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
         #if we set an programmer chip in config, find line with hash for bios and compare. if smthg wrong, panic
         grep ${BIOS_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
-        if [ ${PIPESTATUS[2]} -ne 0 ]
+        if [ "${PIPESTATUS[2]}" -ne 0 ]
         then
             echo "    !! TIME TO PANIK: BIOS WAS MODIFIED !!"
             COUNTER=$((COUNTER + 10))
@@ -268,15 +276,16 @@ then
     echo "Restoring files from backup... (type yes or no for each file)"
 
     #For each failed file: ask if it should be recovered from backup
+    # shellcheck disable=2013
     for file in $(cut -d: -f1 ${LOG_FILE})
     do
-        tar -xpPvwf ${BACKUP_FILE} ${file}
-        [ $? != 0 ] && echo "Error restoring ${file} from backup, continuing" >&2
+        tar -xpPvwf ${BACKUP_FILE} "${file}"
+        [ ${?} != 0 ] && echo "Error restoring ${file} from backup, continuing" >&2
         #If the MBR is to be recovered, copy to ${MBR_DEVICE}
         if [ "${file}" == ${MBR_TMP} ]
         then
             cp ${MBR_TMP} ${MBR_DEVICE}
-            [ $? != 0 ] && echo "Error restoring MBR from backup, continuing" >&2
+            [ ${?} != 0 ] && echo "Error restoring MBR from backup, continuing" >&2
         fi
     done
 else

hashboot.1.adoc

@@ -1,6 +1,6 @@
 = hashboot(1)
 tastytea <tastytea@tastytea.de>; teldra <teldra@rotce.de>
-:Date:          2019-02-24
+:Date:          2019-04-12
 :Revision:      0.9.8
 :man source:    hashboot
 :man version:   {revision}
@@ -27,12 +27,14 @@ check bios for modifications too.
 
 == OPTIONS
 
-[frame="none",grid="none"]
-|============
-| *index*   | generate checksums and a backup for `/boot`, MBR and BIOS.
-| *check*   | check `/boot`, MBR and BIOS.
-| *recover* | replace corrupted files with the backup.
-|============
+*index*::
+    generate checksums and a backup for `/boot`, MBR and BIOS.
+
+*check*::
+    check `/boot`, MBR and BIOS.
+
+*recover*::
+    replace corrupted files with the backup.
 
 == CONFIGURATION
 

hooks/pacman.hook

@@ -0,0 +1,12 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Operation = Remove
+Type = Package
+Target = *
+
+[Action]
+Description = Regenerating hashboot checksums...
+When = PostTransaction
+Exec = /usr/bin/hashboot index
+Depends = hashboot

init/openrc

@@ -0,0 +1,39 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+description="Check integrity of files in /boot"
+
+depend()
+{
+    need localmount
+    before xdm
+}
+
+start()
+{
+    ebegin "Checking integrity of files in /boot"
+
+    # See if hashboot is accessible
+    which hashboot > /dev/null || return 255
+
+    hashboot check
+    ret=$?
+    # If return code is 1-3 or 10-13
+    if [ ${ret} -ge 1 ] && [ ${ret} -le 3 ] || [ ${ret} -ge 10 ] && [ ${ret} -le 13 ]; then
+        echo -n "Recover files? [y/N] "
+        read -r yesno
+        if [ "${yesno}" == "y" ]; then
+            hashboot recover
+        fi
+
+        echo "Dropping to shell. Type exit to continue."
+        sh
+        return ${ret}
+    elif [ ${ret} != 0 ]; then
+        eerror "Unexpected error number ${ret}."
+        return ${ret}
+    fi
+
+    eend 0
+}

init/sysv

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+### BEGIN INIT INFO
+# Provides:          hashboot
+# Required-Start:    $mountall
+# Required-Stop:
+# Default-Start:     S
+# Default-Stop:
+# Short-Description: Check integrity of files in /boot
+### END INIT INFO
+
+#PATH=/sbin:/bin:/usr/bin:/usr
+
+# See if hashboot is accessible
+test -x $(which hashboot) || exit 255
+
+case "$1" in
+    start)
+        log_daemon_msg "Checking integrity of files in /boot"
+
+        hashboot check
+        ret=$?
+        if [ ${ret} -ge 1 ] && [ ${ret} -le 3 ] || [ ${ret} -ge 10 ] && [ ${ret} -le 13 ]; then
+            log_end_msg ${ret}
+
+            echo -n "Recover files? [y/N] "
+            read -r yesno
+            if [ "${yesno}" == "y" ]; then
+                hashboot recover
+            fi
+
+            echo "Dropping to shell. Type exit to continue."
+            sh
+            exit ${ret}
+        elif [ ${ret} != 0 ]; then
+             log_end_msg ${ret}
+             eerror "Unexpected error number ${ret}."
+             exit ${ret}
+        fi
+
+        log_end_msg 0
+        ;;
+    stop)
+        # No-op
+        ;;
+    restart|reload|force-reload|status)
+        echo "Error: argument '$1' not supported" >&2
+        exit 1
+        ;;
+    *)
+        echo "Usage: /etc/init.d/hashboot {start|stop}"
+        exit 1
+        ;;
+esac
+
+exit 0

initscript.openrc

@@ -1,37 +0,0 @@
-#!/sbin/openrc-run
-
-description="Check integrity of files in /boot"
-
-depend()
-{
-	need localmount
-	before xdm
-}
-
-start()
-{
-	ebegin "Checking integrity of files in /boot"
-
-	# See if hashboot is accessible
-	which hashboot > /dev/null || return 255
-
-	hashboot check
-	if [ $? -gt 0 ] && [ $? -le 3 ]
-	then
-		echo -n "Recover files? [y/N] "
-		read -r yesno
-		if [ "${yesno}" == "y" ]
-		then
-			hashboot recover
-		fi
-
-		echo "Dropping to shell. Type exit to continue."
-		sh
-		return 3
-	elif [ $? != 0 ]
-	then
-		return $?
-	fi
-	
-	eend 0
-}

initscript.sysv

@@ -1,58 +0,0 @@
-#!/bin/bash
-
-### BEGIN INIT INFO
-# Provides:          hashboot
-# Required-Start:    $mountall
-# Required-Stop:     
-# Default-Start:     S
-# Default-Stop:      
-# Short-Description: Check integrity of files in /boot
-### END INIT INFO
-
-#PATH=/sbin:/bin:/usr/bin:/usr
-
-# See if hashboot is accessible
-test -x $(which hashboot) || exit 255
-
-case "$1" in
-	start)
-		log_daemon_msg "Checking integrity of files in /boot"
-
-		hashboot check
-		if [ $? -gt 0 ] && [ $? -le 3 ]
-		then
-			log_end_msg 4
-			
-			echo -n "Recover files? [y/N] "
-			read -r yesno
-			if [ "${yesno}" == "y" ]
-			then
-				hashboot recover
-			fi
-
-			echo "Dropping to shell. Type exit to continue."
-			sh
-			exit 3
-		elif [ $? != 0 ]
-		then
-			log_end_msg $?
-			exit $?
-		fi
-		
-		log_end_msg 0
-		;;
-	stop)
-		# No-op
-
-		;;
-	restart|reload|force-reload|status)
-		echo "Error: argument '$1' not supported" >&2
-		exit 1
-		;;
-	*)
-		echo "Usage: /etc/init.d/hashboot {start|stop}"
-		exit 1
-		;;
-esac
-
-exit 0