Add info on how to fetch autosign key.

(GitHub issue #18)

.drone.yml

@@ -0,0 +1,119 @@
+kind: pipeline
+name: check
+
+volumes:
+- name: debian-package-cache
+  host:
+    path: /var/cache/debian-package-cache
+
+trigger:
+  event:
+    exclude:
+    - tag
+
+steps:
+- name: shellcheck
+  image: debian:stretch-slim
+  pull: always
+  commands:
+  - rm /etc/apt/apt.conf.d/docker-clean
+  - rm /var/cache/apt/archives/lock
+  - echo "APT::Default-Release \"stretch\";" >> /etc/apt/apt.conf.d/00default_release
+  - echo "deb http://deb.debian.org/debian buster main" >> /etc/apt/sources.list.d/buster.list
+  - apt-get update -q
+  - apt-get install -qy -t buster shellcheck
+  - shellcheck hashboot
+  volumes:
+  - name: debian-package-cache
+    path: /var/cache/apt/archives
+
+- name: notify
+  image: drillster/drone-email
+  pull: always
+  settings:
+    host: cryptoparty-celle.de
+    from: drone@tzend.de
+    username:
+      from_secret: email_username
+    password:
+      from_secret: email_password
+  when:
+    status: [ changed, failure ]
+
+---
+
+kind: pipeline
+name: release
+
+volumes:
+- name: debian-package-cache
+  host:
+    path: /var/cache/debian-package-cache
+- name: gpg-key
+  host:
+    path: /home/tastytea/misc/autosign_gpg.key
+
+trigger:
+  event:
+    - tag
+
+steps:
+- name: download tar.gz
+  image: plugins/download
+  settings:
+    source: https://schlomp.space/tastytea/hashboot/archive/${DRONE_TAG}.tar.gz
+    destination: hashboot-${DRONE_TAG}.tar.gz
+
+- name: download zip
+  image: plugins/download
+  settings:
+    source: https://schlomp.space/tastytea/hashboot/archive/${DRONE_TAG}.zip
+    destination: hashboot-${DRONE_TAG}.zip
+
+- name: signature
+  image: debian:stretch-slim
+  pull: always
+  commands:
+  - rm /etc/apt/apt.conf.d/docker-clean
+  - rm -f /var/cache/apt/archives/lock
+  - apt-get update -q
+  - apt-get install -qy gnupg
+  - gpg --import /var/autosign_gpg.key
+  - gpg --verbose --detach-sign *.tar.gz
+  - gpg --verbose --detach-sign *.zip
+  volumes:
+  - name: debian-package-cache
+    path: /var/cache/apt/archives
+  - name: gpg-key
+    path: /var/autosign_gpg.key
+
+- name: release
+  image: plugins/gitea-release
+  pull: always
+  settings:
+    base_url: https://schlomp.space
+    api_key:
+      from_secret: gitea_token
+    title: ${DRONE_TAG}
+    prerelease: true
+    files:
+      - hashboot-${DRONE_TAG}.tar.gz
+      - hashboot-${DRONE_TAG}.tar.gz.sig
+      - hashboot-${DRONE_TAG}.zip
+      - hashboot-${DRONE_TAG}.zip.sig
+    checksum:
+      - sha256
+      - sha512
+
+- name: notify
+  image: drillster/drone-email
+  pull: always
+  settings:
+    host: cryptoparty-celle.de
+    from: drone@tzend.de
+    username:
+      from_secret: email_username
+    password:
+      from_secret: email_password
+  when:
+    status: [ changed, failure ]

README.md

@@ -7,27 +7,48 @@ option to restore the file from backup.
 If there is a core- or libreboot BIOS and [flashrom](https://flashrom.org/)
 installed, **hashboot** can check the BIOS for modifications too.
 
+We moved our code to
+[schlomp.space](https://schlomp.space/tastytea/hashboot) but we keep the
+[GitHub-repo](https://github.com/tastytea/hashboot) as a mirror.
+
 # Install
 
 ## Packages
 
 ### Void Linux
 
-``` shellsession
+``` shell
 xbps-install -S hashboot
 ```
 
-### Gentoo
+### Gentoo Linux
 
 Ebuilds are available via the
 [tastytea repository](https://schlomp.space/tastytea/overlay).
 
+``` shell
+emerge -a sys-apps/hashboot
+rc-update add hashboot boot
+```
+
+### Arch Linux
+
+Use the [package from AUR](https://aur.archlinux.org/packages/hashboot/).
+
 ## Manual
 
+### Any distro
+
+The releases on
+[schlomp.space](https://schlomp.space/tastytea/hashboot/releases) are
+PGP-signed. The key-ID is `F7301ADFC9ED262448C42B64242E5AC4DA587BF9`
+(`242E5AC4DA587BF9`). You can fetch it with `gpg --locate-key
+autosign@tastytea.de`.
+
 * Make hashboot executable
 * Place hashboot anywhere in ${PATH}
 * Install the appropriate init script
-* If applicable, copy kernel-hook to /etc/kernel/post{inst,rm}.d/zzz-hashboot
+* If applicable, copy `hooks/kernel-postinst` to /etc/kernel/post{inst,rm}.d/zzz-hashboot
 (make sure it is called after all other hooks)
 * To generate the manpage, install [asciidoc](http://asciidoc.org/) and run
 `build_manpage.sh`.

hashboot

@@ -8,11 +8,14 @@
 ###############################################################################
 # "THE HUG-WARE LICENSE" (Revision 2):                                        #
 # teldra <teldra@rotce.de> and tastytea <tastytea@tastytea.de> wrote this.    #
-# As Long as you retain this notice you can do whatever you want with this.   # 
+# As Long as you retain this notice you can do whatever you want with this.   #
 # If we meet some day, and you think this is nice, you can give us a hug.     #
 ###############################################################################
 
-VERSION="0.9.12"
+# Disable warnings about $?.
+# shellcheck disable=SC2181
+
+VERSION="0.9.14"
 PATH="/bin:/usr/bin:/sbin:/usr/sbin:${PATH}"
 DIGEST_FILE=""
 BACKUP_FILE=""
@@ -47,29 +50,31 @@ die ()
     rm -f "${DIGEST_FILE_TMP}" "${MBR_TMP}" "${BIOS_TMP}"
 
     [ -z "${2}" ] || echo "${2}" >&2
-    exit ${1}
+    exit "${1}"
 }
 
 write_hashes ()
 {
-    #Write header to ${1}
-    echo "#hashboot ${VERSION} - Algorithm: $(basename ${HASHER})" > ${1}
+    local file="${1}"
+    #Write header to ${file}
+    echo "#hashboot ${VERSION} - Algorithm: $(basename ${HASHER})" > "${file}"
 
-    if [ $((${CKMODES} & 001)) -ne 0 ]; then
+    if [ $((CKMODES & 001)) -ne 0 ]; then
         #copy mbr to file
         dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8
-        #Write hash of MBR to ${1}
-        ${HASHER} ${MBR_TMP} >> ${1}
+        #Write hash of MBR to ${file}
+        ${HASHER} ${MBR_TMP} >> "${file}"
     fi
-    if [ $((${CKMODES} & 010)) -ne 0 ]; then
-        #Write hashes of all regular files to ${1}
-        find /boot -type f -exec ${HASHER} --binary {} >> ${1} +
+    if [ $((CKMODES & 010)) -ne 0 ]; then
+        #Write hashes of all regular files to ${file}
+        # shellcheck disable=SC2227
+        find /boot -type f -exec ${HASHER} --binary {} >> "${file}" +
     fi
-    if [ $((${CKMODES} & 100)) -ne 0 ]; then
+    if [ $((CKMODES & 100)) -ne 0 ]; then
         #read bios to file
         flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
-        #and write hashes of bios files to ${1}
-        ${HASHER} ${BIOS_TMP} >> ${1}
+        #and write hashes of bios files to ${file}
+        ${HASHER} ${BIOS_TMP} >> "${file}"
 
     fi
 }
@@ -89,7 +94,9 @@ then
 fi
 
 # Debian < 8 check
-if which lsb_release > /dev/null 2>&1 && [ "$(lsb_release -si)" == "Debian" ] && [ $(lsb_release -sr | cut -d'.' -f1) -lt 8 ]
+if command -v lsb_release > /dev/null \
+        && [ "$(lsb_release -si)" == "Debian" ] \
+        && [ "$(lsb_release -sr | cut -d'.' -f1)" -lt 8 ]
 then
     DD_STATUS="noxfer"
 fi
@@ -97,9 +104,10 @@ fi
 #Look for config file and set ${MBR_DEVICE}.
 if [ -f ${CONFIG_FILE} ]
 then
+    # shellcheck source=/dev/null
     source ${CONFIG_FILE} || die 9 "Error reading config file"
     #compatibility to old cfg format
-    if [ ! -z "${BACKUP_FILE}" ]; then
+    if [ -n "${BACKUP_FILE}" ]; then
         SAVEDIR="/var/lib/hashboot"
         echo "SAVEDIR=${SAVEDIR}" >> ${CONFIG_FILE}
         mkdir -p ${SAVEDIR}
@@ -132,11 +140,11 @@ else
         echo "010=files"
         echo "100=core-/libreboot bios"
         echo "eg. 101 for mbr and bios: "
-        read CKMODES
+        read -r CKMODES
         echo "#001=mbr,010=files,100=bios" >> ${CONFIG_FILE}
         echo "CKMODES=$CKMODES" >> ${CONFIG_FILE}
 
-        if [ $((${CKMODES} & 001)) -ne 0 ]; then
+        if [ $((CKMODES & 001)) -ne 0 ]; then
             echo -n "Which device contains the MBR? [/dev/sda] "
             read -r MBR_DEVICE
             [ -z "${MBR_DEVICE}" ] && MBR_DEVICE="/dev/sda"
@@ -144,21 +152,21 @@ else
             echo "MBR_DEVICE=${MBR_DEVICE}" >> ${CONFIG_FILE}
         fi
 
-        if [ $((${CKMODES} & 100)) -ne 0 ]; then
-            if ! which flashrom; then
+        if [ $((CKMODES & 100)) -ne 0 ]; then
+            if ! command -v flashrom > /dev/null; then
                 echo "You need to have flashrom installed!"
                 echo "Currently it is not installed, don't reboot"
                 echo "If you need another programmer than internal"
-                echo "use the variable PROGRAMMER in $CONFIG_FILE\!"
+                echo "use the variable PROGRAMMER in ${CONFIG_FILE}!"
             fi
-        fi            
+        fi
 
     else
         die 9 "No config file found. Run hashboot interactively to generate one."
     fi
 fi
 
-if [ $((${CKMODES} & 001)) -ne 0 ]; then
+if [ $((CKMODES & 001)) -ne 0 ]; then
     # Find out where the first partition starts and set ${MBR_SIZE} in KiB
     sectorsize=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep '^Units' | awk '{print $8}' )
     if [ "${sectorsize}" == "=" ] # Older versions of util-linux
@@ -171,7 +179,7 @@ if [ $((${CKMODES} & 001)) -ne 0 ]; then
         startsector=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep -A1 'Device' | tail -n1 | awk '{print $3}' )
     fi
 
-    MBR_SIZE=$(expr ${sectorsize} \* ${startsector} / 1024)
+    MBR_SIZE=$((sectorsize * startsector / 1024))
 
     if [ ${?} != 0 ]
     then
@@ -183,10 +191,10 @@ fi
 if [ "${1}" == "index" ]
 then
     #Try different hashers, use the most secure
-    HASHER=$(/usr/bin/which sha512sum 2> /dev/null)
-    test -z "${HASHER}" && HASHER=$(/usr/bin/which sha384sum 2> /dev/null)
-    test -z "${HASHER}" && HASHER=$(/usr/bin/which sha256sum 2> /dev/null)
-    test -z "${HASHER}" && HASHER=$(/usr/bin/which sha224sum 2> /dev/null)
+    HASHER=$(command -v sha512sum)
+    test -z "${HASHER}" && HASHER=$(command -v sha384sum)
+    test -z "${HASHER}" && HASHER=$(command -v sha256sum)
+    test -z "${HASHER}" && HASHER=$(command -v sha224sum)
     #If we found no hasher: exit
     [ -z "${HASHER}" ] && die 5 "No hash calculator found"
 
@@ -205,11 +213,11 @@ then
             for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '<' | cut -d'*' -f2 | sed 's/\ /\\ /g' );
             do
                 #delete from tar
-                tar --delete -v -P -f $BACKUP_FILE $file
+                tar --delete -v -P -f ${BACKUP_FILE} "${file}"
             done
             for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '>' | cut -d'*' -f2 | sed 's/\ /\\ /g' );
             do
-                tar -r -v -P -f $BACKUP_FILE $file
+                tar -r -v -P -f $BACKUP_FILE "${file}"
             done
         fi
     #nur, wenn das updaten des Backups geklappt hat. *im Hinterkopf behalt*
@@ -231,28 +239,28 @@ elif [ "${1}" == "check" ]
 then
     [ -f ${DIGEST_FILE} ] || die 9 "No digestfile"
     HASHER=$(head -n1 ${DIGEST_FILE} | awk '{print $5}')
-    if [ $((${CKMODES} & 001)) != 0 ]; then
+    if [ $((CKMODES & 001)) != 0 ]; then
         dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8
         grep ${MBR_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee ${LOG_FILE}
-        if [ ${PIPESTATUS[2]} -ne 0 ]
+        if [ "${PIPESTATUS[2]}" -ne 0 ]
         then
             echo "    !! TIME TO PANIK: MBR WAS MODIFIED !!"
             COUNTER=$((COUNTER + 1))
         fi
     fi
-    if [ $((${CKMODES} & 010)) -ne 0 ]; then
+    if [ $((CKMODES & 010)) -ne 0 ]; then
         grep -v ${MBR_TMP} ${DIGEST_FILE} | grep -v ${BIOS_TMP} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
-        if [ ${PIPESTATUS[2]} -ne 0 ]
+        if [ "${PIPESTATUS[2]}" -ne 0 ]
         then
             echo "    !! TIME TO PANIK: AT LEAST 1 FILE WAS MODIFIED !!"
             COUNTER=$((COUNTER + 2))
         fi
     fi
-    if [ $((${CKMODES} & 100)) -ne 0 ]; then
+    if [ $((CKMODES & 100)) -ne 0 ]; then
         flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
         #if we set an programmer chip in config, find line with hash for bios and compare. if smthg wrong, panic
         grep ${BIOS_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
-        if [ ${PIPESTATUS[2]} -ne 0 ]
+        if [ "${PIPESTATUS[2]}" -ne 0 ]
         then
             echo "    !! TIME TO PANIK: BIOS WAS MODIFIED !!"
             COUNTER=$((COUNTER + 10))
@@ -268,15 +276,16 @@ then
     echo "Restoring files from backup... (type yes or no for each file)"
 
     #For each failed file: ask if it should be recovered from backup
+    # shellcheck disable=2013
     for file in $(cut -d: -f1 ${LOG_FILE})
     do
-        tar -xpPvwf ${BACKUP_FILE} ${file}
-        [ $? != 0 ] && echo "Error restoring ${file} from backup, continuing" >&2
+        tar -xpPvwf ${BACKUP_FILE} "${file}"
+        [ ${?} != 0 ] && echo "Error restoring ${file} from backup, continuing" >&2
         #If the MBR is to be recovered, copy to ${MBR_DEVICE}
         if [ "${file}" == ${MBR_TMP} ]
         then
             cp ${MBR_TMP} ${MBR_DEVICE}
-            [ $? != 0 ] && echo "Error restoring MBR from backup, continuing" >&2
+            [ ${?} != 0 ] && echo "Error restoring MBR from backup, continuing" >&2
         fi
     done
 else

hashboot.1.adoc

@@ -1,6 +1,6 @@
 = hashboot(1)
 tastytea <tastytea@tastytea.de>; teldra <teldra@rotce.de>
-:Date:          2019-02-24
+:Date:          2019-04-12
 :Revision:      0.9.8
 :man source:    hashboot
 :man version:   {revision}
@@ -27,12 +27,14 @@ check bios for modifications too.
 
 == OPTIONS
 
-[frame="none",grid="none"]
-|============
-| *index*   | generate checksums and a backup for `/boot`, MBR and BIOS.
-| *check*   | check `/boot`, MBR and BIOS.
-| *recover* | replace corrupted files with the backup.
-|============
+*index*::
+    generate checksums and a backup for `/boot`, MBR and BIOS.
+
+*check*::
+    check `/boot`, MBR and BIOS.
+
+*recover*::
+    replace corrupted files with the backup.
 
 == CONFIGURATION
 

hooks/pacman.hook

@@ -0,0 +1,12 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Operation = Remove
+Type = Package
+Target = *
+
+[Action]
+Description = Regenerating hashboot checksums...
+When = PostTransaction
+Exec = /usr/bin/hashboot index
+Depends = hashboot