-
-
Notifications
You must be signed in to change notification settings - Fork 0
/
signing-bootstrap
executable file
·78 lines (62 loc) · 2.92 KB
/
signing-bootstrap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
#!/bin/sh
#
# Copyright (c) 2024 null2264.
# SPDX-License-Identifier: Unlicense
#
# Automation script to generate signing keys in order to enable Secure Boot for
# Hackintosh
#
# Requirements:
# - unzip (Some distro doesn't have this package by default)
# - efitools
# - sbsigntools
# - wget (Some distro doesn't have this package by default)
. ./signing-common # import execute
is_command_exists() {
execute command -v $1 | wc -l || exit 1
}
[ $(is_command_exists cert-to-efi-sig-list) -gt 0 ] ||\
[ $(is_command_exists sbsign) -gt 0 ] ||\
[ $(is_command_exists unzip) -gt 0 ] ||\
[ $(is_command_exists wget) -gt 0 ] || {
echo "Please install 'sbsigntool' and 'efitools' before running this script";
exit 1;
}
test -d ./efikeys && {
printf "efikeys/ directory already exists, running this script again may overwrite your existing key, run anyway? [y/N] ";
read INPUT
case $INPUT in
"y"* ) ;;
"Y"* ) ;;
* )
exit 1
;;
esac;
}
mkdir -p ./efikeys
cd ./efikeys
openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -subj "/CN=NAME PK Platform Key/" -keyout PK.key -out PK.pem || exit 1
openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -subj "/CN=NAME KEK Exchange Key/" -keyout KEK.key -out KEK.pem || exit 1
openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -subj "/CN=NAME ISK Image Signing Key/" -keyout ISK.key -out ISK.pem || exit 1
chmod 0600 *.key || exit 1
wget --user-agent=\"Mozilla\" https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt -O MicWinProPCA2011_2011-10-19.crt
wget --user-agent=\"Mozilla\" https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt -O MicCorUEFCA2011_2011-06-27.crt
openssl x509 -in MicWinProPCA2011_2011-10-19.crt -inform DER -out MicWinProPCA2011_2011-10-19.pem -outform PEM
openssl x509 -in MicCorUEFCA2011_2011-06-27.crt -inform DER -out MicCorUEFCA2011_2011-06-27.pem -outform PEM
execute cert-to-efi-sig-list -g $(uuidgen) PK.pem PK.esl
execute cert-to-efi-sig-list -g $(uuidgen) KEK.pem KEK.esl
execute cert-to-efi-sig-list -g $(uuidgen) ISK.pem ISK.esl
execute cert-to-efi-sig-list -g $(uuidgen) MicWinProPCA2011_2011-10-19.pem MicWinProPCA2011_2011-10-19.esl
execute cert-to-efi-sig-list -g $(uuidgen) MicCorUEFCA2011_2011-06-27.pem MicCorUEFCA2011_2011-06-27.esl
cat ISK.esl MicWinProPCA2011_2011-10-19.esl MicCorUEFCA2011_2011-06-27.esl > db.esl
execute sign-efi-sig-list -k PK.key -c PK.pem PK PK.esl PK.auth
execute sign-efi-sig-list -k PK.key -c PK.pem KEK KEK.esl KEK.auth
execute sign-efi-sig-list -k KEK.key -c KEK.pem db db.esl db.auth
# -- Finishing
cp ISK.key ../
cp ISK.pem ../
cd ../
execute cp /usr/share/efitools/efi/KeyTool.efi ./ || execute eval "cp /usr/lib/efitools/**/KeyTool.efi ./" # Goddammit Ubuntu
./sign ./KeyTool.efi
rm -f ./KeyTool.efi
echo 'Certificate has been created, you can use `sign` script to sign *.efi files or use `download-signed-opencore [oc version]` to download signed OpenCore files'