[PATCH] Fix grub-mkconfig detecting .sig files as system images

[PATCH] Fix grub-mkconfig detecting .sig files as system images

[Jordan Glover]

[-- Attachment #1.1: Type: text/plain, Size: 356 bytes --]

This patch solves https://savannah.gnu.org/bugs/index.php?52002

--- a/util/grub-mkconfig_lib.in
+++ b/util/grub-mkconfig_lib.in
@@ -188,6 +188,7 @@
       *.dpkg-*) return 1 ;; # debian dpkg
       *.rpmsave|*.rpmnew) return 1 ;;
       README*|*/README*)  return 1 ;; # documentation
+      *.sig) return 1 ;; # signatures
     esac
   else
     return 1

[-- Attachment #1.2: Type: text/html, Size: 541 bytes --]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: grub-mkconfig.patch --]
[-- Type: text/x-diff; name="grub-mkconfig.patch", Size: 292 bytes --]

--- a/util/grub-mkconfig_lib.in
+++ b/util/grub-mkconfig_lib.in
@@ -188,6 +188,7 @@
       *.dpkg-*) return 1 ;; # debian dpkg
       *.rpmsave|*.rpmnew) return 1 ;;
       README*|*/README*)  return 1 ;; # documentation
+      *.sig) return 1 ;; # signatures
     esac
   else
     return 1

Re: [PATCH] Fix grub-mkconfig detecting .sig files as system images

[Jordan Glover]

[-- Attachment #1.1: Type: text/plain, Size: 1502 bytes --]

I'm re-sending this patch and i try to make it clearer this time.

When you install grub with grub-install --pubkey option and set "check_signatures" in grub.cfg,
you can sign and verify kernel images loaded by grub. Unfortunately grub-mkconfig detects
detached signatures with ".sig" extension as valid kernel images and adds them to menuentry
in grub.cfg.

It means for every signed kernel image grub adds two entries in menu and one of
them is obviously invalid. Below are two example files which will be detected as two kernel
images instead of one:

/boot/vmlinuz-4.9-x86_64
/boot/vmlinuz-4.9-x86_64.sig

My patch fixes this behavior by adding ".sig" filename extension to already exiting blacklist.

Jordan
------------------

grub-mkconfig detects detached RSA signatures for kernel images used for signature checking as valid images and adds them to grub.cfg
as separete menuentries. This patch adds .sig extension to common blacklist.

Signed-off-by: Jordan Glover <Golden_Miller83@protonmail.ch>
---
 util/grub-mkconfig_lib.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/util/grub-mkconfig_lib.in b/util/grub-mkconfig_lib.in
index 60b31ca..0f801ca 100644
--- a/util/grub-mkconfig_lib.in
+++ b/util/grub-mkconfig_lib.in
@@ -188,6 +188,7 @@ grub_file_is_not_garbage ()
       *.dpkg-*) return 1 ;; # debian dpkg
       *.rpmsave|*.rpmnew) return 1 ;;
       README*|*/README*)  return 1 ;; # documentation
+      *.sig) return 1 ;; # signatures
     esac
   else
     return 1
--
2.15.0

[-- Attachment #1.2: Type: text/html, Size: 2068 bytes --]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: grub-mkconfig-add-.sig-files-to-garbage-blacklist.patch --]
[-- Type: text/x-patch; name="grub-mkconfig-add-.sig-files-to-garbage-blacklist.patch", Size: 1001 bytes --]

From cbb9d14dd5328d29decaa2b057cba1593742b6b2 Mon Sep 17 00:00:00 2001
From: Jordan Glover <Golden_Miller83@protonmail.ch>
Date: Wed, 1 Nov 2017 19:45:52 +0100
Subject: [PATCH] grub-mkconfig: add .sig files to garbage blacklist

grub-mkconfig detects detached RSA signatures for kernel images used for signature checking as valid images and adds them to grub.cfg
as separete menuentries. This patch adds .sig extension to common blacklist.

Signed-off-by: Jordan Glover <Golden_Miller83@protonmail.ch>
---
 util/grub-mkconfig_lib.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/util/grub-mkconfig_lib.in b/util/grub-mkconfig_lib.in
index 60b31ca..0f801ca 100644
--- a/util/grub-mkconfig_lib.in
+++ b/util/grub-mkconfig_lib.in
@@ -188,6 +188,7 @@ grub_file_is_not_garbage ()
       *.dpkg-*) return 1 ;; # debian dpkg
       *.rpmsave|*.rpmnew) return 1 ;;
       README*|*/README*)  return 1 ;; # documentation
+      *.sig) return 1 ;; # signatures
     esac
   else
     return 1
-- 
2.15.0