From b2cb9b49974086e600b44ef166a3b30cec2f8873 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Tue, 24 Oct 2023 13:14:39 -0400
Subject: [PATCH] .ash_history: add history command for manual detached signed integrity validation

Signed-off-by: Thierry Laurion
---
 initrd/.ash_history | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/initrd/.ash_history b/initrd/.ash_history
index 99690053..d3dab524 100644
--- a/initrd/.ash_history
+++ b/initrd/.ash_history
@@ -1,3 +1,7 @@
+#mount /boot in read-only by default
+mount /boot
+#verify detached signature of /boot content
+find /boot/kexec*.txt | gpg --verify /boot/kexec.sig -
 #remove invalid kexec_* signed files
 mount /dev/sda1 /boot && mount -o remount,rw /boot && rm /boot/kexec* && mount -o remount,ro /boot
 #Generate keys from GPG smartcard:
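Review bot: The added `find /boot/kexec*.txt | gpg --verify /boot/kexec.sig -` pipes the path names that find prints into gpg, not the files' contents, so a kexec*.txt file whose content changed but whose name did not would leave the verified data unchanged. If kexec.sig is produced over a digest listing of these files (the signing side is not visible in this patch, so confirm against it), the history entry should reproduce that exact input, e.g. `sha256sum $(find /boot/kexec*.txt) | gpg --verify /boot/kexec.sig -`. The comment `#verify detached signature of /boot content` also overstates the scope, since only the kexec*.txt files are involved; I would word it `#verify detached signature over /boot/kexec*.txt (does not by itself check other /boot files)`.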