.drone.yml

@@ -1,119 +0,0 @@
-kind: pipeline
-name: check
-
-volumes:
-- name: debian-package-cache
-  host:
-    path: /var/cache/debian-package-cache
-
-trigger:
-  event:
-    exclude:
-    - tag
-
-steps:
-- name: shellcheck
-  image: debian:stretch-slim
-  pull: always
-  commands:
-  - rm /etc/apt/apt.conf.d/docker-clean
-  - rm /var/cache/apt/archives/lock
-  - echo "APT::Default-Release \"stretch\";" >> /etc/apt/apt.conf.d/00default_release
-  - echo "deb http://deb.debian.org/debian buster main" >> /etc/apt/sources.list.d/buster.list
-  - apt-get update -q
-  - apt-get install -qy -t buster shellcheck
-  - shellcheck hashboot
-  volumes:
-  - name: debian-package-cache
-    path: /var/cache/apt/archives
-
-- name: notify
-  image: drillster/drone-email
-  pull: always
-  settings:
-    host: cryptoparty-celle.de
-    from: drone@tzend.de
-    username:
-      from_secret: email_username
-    password:
-      from_secret: email_password
-  when:
-    status: [ changed, failure ]
-
----
-
-kind: pipeline
-name: release
-
-volumes:
-- name: debian-package-cache
-  host:
-    path: /var/cache/debian-package-cache
-- name: gpg-key
-  host:
-    path: /home/tastytea/misc/autosign_gpg.key
-
-trigger:
-  event:
-    - tag
-
-steps:
-- name: download tar.gz
-  image: plugins/download
-  settings:
-    source: https://schlomp.space/tastytea/hashboot/archive/${DRONE_TAG}.tar.gz
-    destination: hashboot-${DRONE_TAG}.tar.gz
-
-- name: download zip
-  image: plugins/download
-  settings:
-    source: https://schlomp.space/tastytea/hashboot/archive/${DRONE_TAG}.zip
-    destination: hashboot-${DRONE_TAG}.zip
-
-- name: signature
-  image: debian:stretch-slim
-  pull: always
-  commands:
-  - rm /etc/apt/apt.conf.d/docker-clean
-  - rm -f /var/cache/apt/archives/lock
-  - apt-get update -q
-  - apt-get install -qy gnupg
-  - gpg --import /var/autosign_gpg.key
-  - gpg --verbose --detach-sign *.tar.gz
-  - gpg --verbose --detach-sign *.zip
-  volumes:
-  - name: debian-package-cache
-    path: /var/cache/apt/archives
-  - name: gpg-key
-    path: /var/autosign_gpg.key
-
-- name: release
-  image: plugins/gitea-release
-  pull: always
-  settings:
-    base_url: https://schlomp.space
-    api_key:
-      from_secret: gitea_token
-    title: ${DRONE_TAG}
-    prerelease: true
-    files:
-      - hashboot-${DRONE_TAG}.tar.gz
-      - hashboot-${DRONE_TAG}.tar.gz.sig
-      - hashboot-${DRONE_TAG}.zip
-      - hashboot-${DRONE_TAG}.zip.sig
-    checksum:
-      - sha256
-      - sha512
-
-- name: notify
-  image: drillster/drone-email
-  pull: always
-  settings:
-    host: cryptoparty-celle.de
-    from: drone@tzend.de
-    username:
-      from_secret: email_username
-    password:
-      from_secret: email_password
-  when:
-    status: [ changed, failure ]

LICENSE

@@ -1,4 +1,4 @@
 "THE HUG-WARE LICENSE" (Revision 2):
 teldra <teldra@rotce.de> and tastytea <tastytea@tastytea.de> wrote this.
-As long as you retain this notice you can do whatever you want with this.
+As Long as you retain this notice you can do whatever you want with this.
 If we meet some day, and you think this is nice, you can give us a hug.

README.md

@@ -4,73 +4,31 @@ boot partition. The checksums and a backup of the contents of `/boot` are stored
 in `/var/lib/hashboot` by default. If a checksum doesn't match, you have the
 option to restore the file from backup.
 
-If there is a core- or libreboot BIOS and [flashrom](https://flashrom.org/)
-installed, **hashboot** can check the BIOS for modifications too.
-
-We moved our code to
-[schlomp.space](https://schlomp.space/tastytea/hashboot) but we keep the
-[GitHub-repo](https://github.com/tastytea/hashboot) as a mirror.
+If there is a core- or libreboot bios and flashrom installed, **hashboot** can check bios for modifications too.
 
 # Install
 
-## Packages
-
-### Void Linux
-
-``` shell
-xbps-install -S hashboot
-```
-
-### Gentoo Linux
-
-Ebuilds are available via the
-[tastytea repository](https://schlomp.space/tastytea/overlay).
-
-``` shell
-emerge -a sys-apps/hashboot
-rc-update add hashboot boot
-```
-
-### Arch Linux
-
-Use the [package from AUR](https://aur.archlinux.org/packages/hashboot/).
-
-## Manual
-
-### Any distro
-
-The releases on
-[schlomp.space](https://schlomp.space/tastytea/hashboot/releases) are
-PGP-signed. The key-ID is `F7301ADFC9ED262448C42B64242E5AC4DA587BF9`
-(`242E5AC4DA587BF9`). You can fetch it with `gpg --locate-key
-autosign@tastytea.de`.
-
 * Make hashboot executable
-* Place hashboot anywhere in ${PATH}
+* Place hashboot anywhere in $PATH
 * Install the appropriate init script
-* If applicable, copy `hooks/kernel-postinst` to /etc/kernel/post{inst,rm}.d/zzz-hashboot
-(make sure it is called after all other hooks)
-* To generate the manpage, install [asciidoc](http://asciidoc.org/) and run
-`build_manpage.sh`.
+* If applicable, copy kernel-hook to /etc/kernel/post{inst,rm}.d/zzz-hashboot (make sure it is called after all other hooks)
+* To generate the manpage, install asciidoc and run `build_manpage.sh`.
 
 # Usage
-
-* First run creates a configuration file. Select the desired checkroutines
-* Run `hashboot index` to generate checksums and a backup for /boot and MBR
-* Run `hashboot check` to check /boot and MBR
-* Run `hashboot recover` to replace corrupted files with the backup
+* First run creates a configuration file. Use bitmask to select desired checkroutines
+* Run "hashboot index" to generate checksums and a backup for /boot and MBR
+* Run "hashboot check" to check /boot and MBR
+* Run "hashboot recover" to replace corrupted files with the backup
 
 # Notes
 
 * You can't use the openrc/sysv init scripts with parallel boot.
-* The systemd and SysVinit init scripts have not been tested in a while, but
-will probably work.
 
 # License
 
 ```PLAIN
 "THE HUG-WARE LICENSE" (Revision 2):
 teldra <teldra@rotce.de> and tastytea <tastytea@tastytea.de> wrote this.
-As long as you retain this notice you can do whatever you want with this.
+As Long as you retain this notice you can do whatever you want with this.
 If we meet some day, and you think this is nice, you can give us a hug.
 ```

hashboot

@@ -8,14 +8,11 @@
 ###############################################################################
 # "THE HUG-WARE LICENSE" (Revision 2):                                        #
 # teldra <teldra@rotce.de> and tastytea <tastytea@tastytea.de> wrote this.    #
-# As Long as you retain this notice you can do whatever you want with this.   #
+# As Long as you retain this notice you can do whatever you want with this.   # 
 # If we meet some day, and you think this is nice, you can give us a hug.     #
 ###############################################################################
 
-# Disable warnings about $?.
-# shellcheck disable=SC2181
-
-VERSION="0.9.14"
+VERSION="0.9.12"
 PATH="/bin:/usr/bin:/sbin:/usr/sbin:${PATH}"
 DIGEST_FILE=""
 BACKUP_FILE=""
@@ -50,31 +47,29 @@ die ()
     rm -f "${DIGEST_FILE_TMP}" "${MBR_TMP}" "${BIOS_TMP}"
 
     [ -z "${2}" ] || echo "${2}" >&2
-    exit "${1}"
+    exit ${1}
 }
 
 write_hashes ()
 {
-    local file="${1}"
-    #Write header to ${file}
-    echo "#hashboot ${VERSION} - Algorithm: $(basename ${HASHER})" > "${file}"
+    #Write header to ${1}
+    echo "#hashboot ${VERSION} - Algorithm: $(basename ${HASHER})" > ${1}
 
-    if [ $((CKMODES & 001)) -ne 0 ]; then
+    if [ $((${CKMODES} & 001)) -ne 0 ]; then
         #copy mbr to file
         dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8
-        #Write hash of MBR to ${file}
-        ${HASHER} ${MBR_TMP} >> "${file}"
+        #Write hash of MBR to ${1}
+        ${HASHER} ${MBR_TMP} >> ${1}
     fi
-    if [ $((CKMODES & 010)) -ne 0 ]; then
-        #Write hashes of all regular files to ${file}
-        # shellcheck disable=SC2227
-        find /boot -type f -exec ${HASHER} --binary {} >> "${file}" +
+    if [ $((${CKMODES} & 010)) -ne 0 ]; then
+        #Write hashes of all regular files to ${1}
+        find /boot -type f -exec ${HASHER} --binary {} >> ${1} +
     fi
-    if [ $((CKMODES & 100)) -ne 0 ]; then
+    if [ $((${CKMODES} & 100)) -ne 0 ]; then
         #read bios to file
         flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
-        #and write hashes of bios files to ${file}
-        ${HASHER} ${BIOS_TMP} >> "${file}"
+        #and write hashes of bios files to ${1}
+        ${HASHER} ${BIOS_TMP} >> ${1}
 
     fi
 }
@@ -94,9 +89,7 @@ then
 fi
 
 # Debian < 8 check
-if command -v lsb_release > /dev/null \
-        && [ "$(lsb_release -si)" == "Debian" ] \
-        && [ "$(lsb_release -sr | cut -d'.' -f1)" -lt 8 ]
+if which lsb_release > /dev/null 2>&1 && [ "$(lsb_release -si)" == "Debian" ] && [ $(lsb_release -sr | cut -d'.' -f1) -lt 8 ]
 then
     DD_STATUS="noxfer"
 fi
@@ -104,10 +97,9 @@ fi
 #Look for config file and set ${MBR_DEVICE}.
 if [ -f ${CONFIG_FILE} ]
 then
-    # shellcheck source=/dev/null
     source ${CONFIG_FILE} || die 9 "Error reading config file"
     #compatibility to old cfg format
-    if [ -n "${BACKUP_FILE}" ]; then
+    if [ ! -z "${BACKUP_FILE}" ]; then
         SAVEDIR="/var/lib/hashboot"
         echo "SAVEDIR=${SAVEDIR}" >> ${CONFIG_FILE}
         mkdir -p ${SAVEDIR}
@@ -140,11 +132,11 @@ else
         echo "010=files"
         echo "100=core-/libreboot bios"
         echo "eg. 101 for mbr and bios: "
-        read -r CKMODES
+        read CKMODES
         echo "#001=mbr,010=files,100=bios" >> ${CONFIG_FILE}
         echo "CKMODES=$CKMODES" >> ${CONFIG_FILE}
 
-        if [ $((CKMODES & 001)) -ne 0 ]; then
+        if [ $((${CKMODES} & 001)) -ne 0 ]; then
             echo -n "Which device contains the MBR? [/dev/sda] "
             read -r MBR_DEVICE
             [ -z "${MBR_DEVICE}" ] && MBR_DEVICE="/dev/sda"
@@ -152,21 +144,21 @@ else
             echo "MBR_DEVICE=${MBR_DEVICE}" >> ${CONFIG_FILE}
         fi
 
-        if [ $((CKMODES & 100)) -ne 0 ]; then
-            if ! command -v flashrom > /dev/null; then
+        if [ $((${CKMODES} & 100)) -ne 0 ]; then
+            if ! which flashrom; then
                 echo "You need to have flashrom installed!"
                 echo "Currently it is not installed, don't reboot"
                 echo "If you need another programmer than internal"
-                echo "use the variable PROGRAMMER in ${CONFIG_FILE}!"
+                echo "use the variable PROGRAMMER in $CONFIG_FILE\!"
             fi
-        fi
+        fi            
 
     else
         die 9 "No config file found. Run hashboot interactively to generate one."
     fi
 fi
 
-if [ $((CKMODES & 001)) -ne 0 ]; then
+if [ $((${CKMODES} & 001)) -ne 0 ]; then
     # Find out where the first partition starts and set ${MBR_SIZE} in KiB
     sectorsize=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep '^Units' | awk '{print $8}' )
     if [ "${sectorsize}" == "=" ] # Older versions of util-linux
@@ -179,7 +171,7 @@ if [ $((CKMODES & 001)) -ne 0 ]; then
         startsector=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep -A1 'Device' | tail -n1 | awk '{print $3}' )
     fi
 
-    MBR_SIZE=$((sectorsize * startsector / 1024))
+    MBR_SIZE=$(expr ${sectorsize} \* ${startsector} / 1024)
 
     if [ ${?} != 0 ]
     then
@@ -191,10 +183,10 @@ fi
 if [ "${1}" == "index" ]
 then
     #Try different hashers, use the most secure
-    HASHER=$(command -v sha512sum)
-    test -z "${HASHER}" && HASHER=$(command -v sha384sum)
-    test -z "${HASHER}" && HASHER=$(command -v sha256sum)
-    test -z "${HASHER}" && HASHER=$(command -v sha224sum)
+    HASHER=$(/usr/bin/which sha512sum 2> /dev/null)
+    test -z "${HASHER}" && HASHER=$(/usr/bin/which sha384sum 2> /dev/null)
+    test -z "${HASHER}" && HASHER=$(/usr/bin/which sha256sum 2> /dev/null)
+    test -z "${HASHER}" && HASHER=$(/usr/bin/which sha224sum 2> /dev/null)
     #If we found no hasher: exit
     [ -z "${HASHER}" ] && die 5 "No hash calculator found"
 
@@ -213,11 +205,11 @@ then
             for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '<' | cut -d'*' -f2 | sed 's/\ /\\ /g' );
             do
                 #delete from tar
-                tar --delete -v -P -f ${BACKUP_FILE} "${file}"
+                tar --delete -v -P -f $BACKUP_FILE $file
             done
             for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '>' | cut -d'*' -f2 | sed 's/\ /\\ /g' );
             do
-                tar -r -v -P -f $BACKUP_FILE "${file}"
+                tar -r -v -P -f $BACKUP_FILE $file
             done
         fi
     #nur, wenn das updaten des Backups geklappt hat. *im Hinterkopf behalt*
@@ -239,28 +231,28 @@ elif [ "${1}" == "check" ]
 then
     [ -f ${DIGEST_FILE} ] || die 9 "No digestfile"
     HASHER=$(head -n1 ${DIGEST_FILE} | awk '{print $5}')
-    if [ $((CKMODES & 001)) != 0 ]; then
+    if [ $((${CKMODES} & 001)) != 0 ]; then
         dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8
         grep ${MBR_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee ${LOG_FILE}
-        if [ "${PIPESTATUS[2]}" -ne 0 ]
+        if [ ${PIPESTATUS[2]} -ne 0 ]
         then
             echo "    !! TIME TO PANIK: MBR WAS MODIFIED !!"
             COUNTER=$((COUNTER + 1))
         fi
     fi
-    if [ $((CKMODES & 010)) -ne 0 ]; then
+    if [ $((${CKMODES} & 010)) -ne 0 ]; then
         grep -v ${MBR_TMP} ${DIGEST_FILE} | grep -v ${BIOS_TMP} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
-        if [ "${PIPESTATUS[2]}" -ne 0 ]
+        if [ ${PIPESTATUS[2]} -ne 0 ]
         then
             echo "    !! TIME TO PANIK: AT LEAST 1 FILE WAS MODIFIED !!"
             COUNTER=$((COUNTER + 2))
         fi
     fi
-    if [ $((CKMODES & 100)) -ne 0 ]; then
+    if [ $((${CKMODES} & 100)) -ne 0 ]; then
         flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
         #if we set an programmer chip in config, find line with hash for bios and compare. if smthg wrong, panic
         grep ${BIOS_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
-        if [ "${PIPESTATUS[2]}" -ne 0 ]
+        if [ ${PIPESTATUS[2]} -ne 0 ]
         then
             echo "    !! TIME TO PANIK: BIOS WAS MODIFIED !!"
             COUNTER=$((COUNTER + 10))
@@ -276,16 +268,15 @@ then
     echo "Restoring files from backup... (type yes or no for each file)"
 
     #For each failed file: ask if it should be recovered from backup
-    # shellcheck disable=2013
     for file in $(cut -d: -f1 ${LOG_FILE})
     do
-        tar -xpPvwf ${BACKUP_FILE} "${file}"
-        [ ${?} != 0 ] && echo "Error restoring ${file} from backup, continuing" >&2
+        tar -xpPvwf ${BACKUP_FILE} ${file}
+        [ $? != 0 ] && echo "Error restoring ${file} from backup, continuing" >&2
         #If the MBR is to be recovered, copy to ${MBR_DEVICE}
         if [ "${file}" == ${MBR_TMP} ]
         then
             cp ${MBR_TMP} ${MBR_DEVICE}
-            [ ${?} != 0 ] && echo "Error restoring MBR from backup, continuing" >&2
+            [ $? != 0 ] && echo "Error restoring MBR from backup, continuing" >&2
         fi
     done
 else

hashboot.1.adoc

@@ -1,6 +1,6 @@
 = hashboot(1)
 tastytea <tastytea@tastytea.de>; teldra <teldra@rotce.de>
-:Date:          2019-04-12
+:Date:          2019-02-24
 :Revision:      0.9.8
 :man source:    hashboot
 :man version:   {revision}
@@ -27,14 +27,12 @@ check bios for modifications too.
 
 == OPTIONS
 
-*index*::
-    generate checksums and a backup for `/boot`, MBR and BIOS.
-
-*check*::
-    check `/boot`, MBR and BIOS.
-
-*recover*::
-    replace corrupted files with the backup.
+[frame="none",grid="none"]
+|============
+| *index*   | generate checksums and a backup for `/boot`, MBR and BIOS.
+| *check*   | check `/boot`, MBR and BIOS.
+| *recover* | replace corrupted files with the backup.
+|============
 
 == CONFIGURATION
 

hooks/pacman.hook

@@ -1,12 +0,0 @@
-[Trigger]
-Operation = Install
-Operation = Upgrade
-Operation = Remove
-Type = Package
-Target = *
-
-[Action]
-Description = Regenerating hashboot checksums...
-When = PostTransaction
-Exec = /usr/bin/hashboot index
-Depends = hashboot

init/openrc

@@ -1,39 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-description="Check integrity of files in /boot"
-
-depend()
-{
-    need localmount
-    before xdm
-}
-
-start()
-{
-    ebegin "Checking integrity of files in /boot"
-
-    # See if hashboot is accessible
-    which hashboot > /dev/null || return 255
-
-    hashboot check
-    ret=$?
-    # If return code is 1-3 or 10-13
-    if [ ${ret} -ge 1 ] && [ ${ret} -le 3 ] || [ ${ret} -ge 10 ] && [ ${ret} -le 13 ]; then
-        echo -n "Recover files? [y/N] "
-        read -r yesno
-        if [ "${yesno}" == "y" ]; then
-            hashboot recover
-        fi
-
-        echo "Dropping to shell. Type exit to continue."
-        sh
-        return ${ret}
-    elif [ ${ret} != 0 ]; then
-        eerror "Unexpected error number ${ret}."
-        return ${ret}
-    fi
-
-    eend 0
-}

init/sysv

@@ -1,56 +0,0 @@
-#!/bin/bash
-
-### BEGIN INIT INFO
-# Provides:          hashboot
-# Required-Start:    $mountall
-# Required-Stop:
-# Default-Start:     S
-# Default-Stop:
-# Short-Description: Check integrity of files in /boot
-### END INIT INFO
-
-#PATH=/sbin:/bin:/usr/bin:/usr
-
-# See if hashboot is accessible
-test -x $(which hashboot) || exit 255
-
-case "$1" in
-    start)
-        log_daemon_msg "Checking integrity of files in /boot"
-
-        hashboot check
-        ret=$?
-        if [ ${ret} -ge 1 ] && [ ${ret} -le 3 ] || [ ${ret} -ge 10 ] && [ ${ret} -le 13 ]; then
-            log_end_msg ${ret}
-
-            echo -n "Recover files? [y/N] "
-            read -r yesno
-            if [ "${yesno}" == "y" ]; then
-                hashboot recover
-            fi
-
-            echo "Dropping to shell. Type exit to continue."
-            sh
-            exit ${ret}
-        elif [ ${ret} != 0 ]; then
-             log_end_msg ${ret}
-             eerror "Unexpected error number ${ret}."
-             exit ${ret}
-        fi
-
-        log_end_msg 0
-        ;;
-    stop)
-        # No-op
-        ;;
-    restart|reload|force-reload|status)
-        echo "Error: argument '$1' not supported" >&2
-        exit 1
-        ;;
-    *)
-        echo "Usage: /etc/init.d/hashboot {start|stop}"
-        exit 1
-        ;;
-esac
-
-exit 0

initscript.openrc

@@ -0,0 +1,37 @@
+#!/sbin/openrc-run
+
+description="Check integrity of files in /boot"
+
+depend()
+{
+	need localmount
+	before xdm
+}
+
+start()
+{
+	ebegin "Checking integrity of files in /boot"
+
+	# See if hashboot is accessible
+	which hashboot > /dev/null || return 255
+
+	hashboot check
+	if [ $? -gt 0 ] && [ $? -le 3 ]
+	then
+		echo -n "Recover files? [y/N] "
+		read -r yesno
+		if [ "${yesno}" == "y" ]
+		then
+			hashboot recover
+		fi
+
+		echo "Dropping to shell. Type exit to continue."
+		sh
+		return 3
+	elif [ $? != 0 ]
+	then
+		return $?
+	fi
+	
+	eend 0
+}

initscript.sysv

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+### BEGIN INIT INFO
+# Provides:          hashboot
+# Required-Start:    $mountall
+# Required-Stop:     
+# Default-Start:     S
+# Default-Stop:      
+# Short-Description: Check integrity of files in /boot
+### END INIT INFO
+
+#PATH=/sbin:/bin:/usr/bin:/usr
+
+# See if hashboot is accessible
+test -x $(which hashboot) || exit 255
+
+case "$1" in
+	start)
+		log_daemon_msg "Checking integrity of files in /boot"
+
+		hashboot check
+		if [ $? -gt 0 ] && [ $? -le 3 ]
+		then
+			log_end_msg 4
+			
+			echo -n "Recover files? [y/N] "
+			read -r yesno
+			if [ "${yesno}" == "y" ]
+			then
+				hashboot recover
+			fi
+
+			echo "Dropping to shell. Type exit to continue."
+			sh
+			exit 3
+		elif [ $? != 0 ]
+		then
+			log_end_msg $?
+			exit $?
+		fi
+		
+		log_end_msg 0
+		;;
+	stop)
+		# No-op
+
+		;;
+	restart|reload|force-reload|status)
+		echo "Error: argument '$1' not supported" >&2
+		exit 1
+		;;
+	*)
+		echo "Usage: /etc/init.d/hashboot {start|stop}"
+		exit 1
+		;;
+esac
+
+exit 0