Fix shellcheck warnings

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

image/secure-boot/aws/create_uefivars.sh

@@ -1,9 +1,11 @@
 #!/usr/bin/env bash
+
 set -euo pipefail
+shopt -s inherit_errexit
 
 TMPDIR=$(mktemp -d /tmp/uefivars-XXXXXXXXXXXXXX)
-git clone https://github.com/awslabs/python-uefivars ${TMPDIR}
+git clone https://github.com/awslabs/python-uefivars "${TMPDIR}"
 
-"${TMPDIR}/uefivars.py" -i none -o aws -O "$1" -P ${PKI}/PK.esl -K ${PKI}/KEK.esl --db ${PKI}/db.esl
+"${TMPDIR}/uefivars.py" -i none -o aws -O "$1" -P "${PKI}"/PK.esl -K "${PKI}"/KEK.esl --db "${PKI}"/db.esl
 
 rm -rf "${TMPDIR}"

image/secure-boot/azure/delete.sh

@@ -1,7 +1,10 @@
 #!/usr/bin/env bash
-set -euo pipefail
 
-if [ -z "${CONFIG_FILE-}" ] && [ -f "${CONFIG_FILE-}" ]; then
+set -euo pipefail
+shopt -s inherit_errexit
+
+if [[ -z "${CONFIG_FILE-}" ]] && [[ -f "${CONFIG_FILE-}" ]]; then
+    # shellcheck source=/dev/null
     . "${CONFIG_FILE}"
 fi
 POSITIONAL_ARGS=()
@@ -13,7 +16,7 @@ while [[ $# -gt 0 ]]; do
       shift # past argument
       shift # past value
       ;;
-    -*|--*)
+    -*)
       echo "Unknown option $1"
       exit 1
       ;;
@@ -32,7 +35,7 @@ NIC_INFO=$(az network nic show --ids "${NIC}" -o json)
 PUBIP=$(echo "${NIC_INFO}" | jq -r '.ipConfigurations[0].publicIpAddress.id')
 NSG=$(echo "${NIC_INFO}" | jq -r '.networkSecurityGroup.id')
 SUBNET=$(echo "${NIC_INFO}" | jq -r '.ipConfigurations[0].subnet.id')
-VNET=$(echo $SUBNET | sed 's#/subnets/.*##')
+VNET=${SUBNET//\/subnets\/.*/}
 DISK=$(echo "${AZ_VM_INFO}" | jq -r '.storageProfile.osDisk.managedDisk.id')
 
 

image/secure-boot/azure/extract_vmgs.sh

@@ -1,7 +1,10 @@
 #!/usr/bin/env bash
-set -euo pipefail
 
-if [ -z "${CONFIG_FILE-}" ] && [ -f "${CONFIG_FILE-}" ]; then
+set -euo pipefail
+shopt -s inherit_errexit
+
+if [[ -z "${CONFIG_FILE-}" ]] && [[ -f "${CONFIG_FILE-}" ]]; then
+    # shellcheck source=/dev/null
     . "${CONFIG_FILE}"
 fi
 AZURE_SUBSCRIPTION=$(az account show --query id -o tsv)
@@ -14,7 +17,7 @@ while [[ $# -gt 0 ]]; do
       shift # past argument
       shift # past value
       ;;
-    -*|--*)
+    -*)
       echo "Unknown option $1"
       exit 1
       ;;

image/secure-boot/azure/launch.sh

@@ -1,7 +1,10 @@
 #!/usr/bin/env bash
-set -euo pipefail
 
-if [ -z "${CONFIG_FILE-}" ] && [ -f "${CONFIG_FILE-}" ]; then
+set -euo pipefail
+shopt -s inherit_errexit
+
+if [[ -z "${CONFIG_FILE-}" ]] && [[ -f "${CONFIG_FILE-}" ]]; then
+    # shellcheck source=/dev/null
     . "${CONFIG_FILE}"
 fi
 POSITIONAL_ARGS=()
@@ -31,7 +34,7 @@ while [[ $# -gt 0 ]]; do
       shift # past argument
       shift # past value
       ;;
-    -*|--*)
+    -*)
       echo "Unknown option $1"
       exit 1
       ;;
@@ -54,10 +57,10 @@ else
 fi
 
 create_vm_from_disk () {
-    AZURE_DISK_REFERENCE=$(az disk show --resource-group ${AZURE_RESOURCE_GROUP_NAME} --name ${AZURE_DISK_NAME} --query id -o tsv)
+    AZURE_DISK_REFERENCE=$(az disk show --resource-group "${AZURE_RESOURCE_GROUP_NAME}" --name "${AZURE_DISK_NAME}" --query id -o tsv)
     az vm create --name "${AZURE_VM_NAME}" \
         --resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
-        -l ${AZURE_REGION} \
+        -l "${AZURE_REGION}" \
         --size "${VMSIZE}" \
         --public-ip-sku Standard \
         --os-type Linux \
@@ -79,7 +82,7 @@ create_vm_from_sig () {
         --query id -o tsv)
     az vm create --name "${AZURE_VM_NAME}" \
         --resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
-        -l ${AZURE_REGION} \
+        -l "${AZURE_REGION}" \
         --size "${VMSIZE}" \
         --public-ip-sku Standard \
         --image "${AZURE_IMAGE_REFERENCE}" \
@@ -91,7 +94,7 @@ create_vm_from_sig () {
         --no-wait
 }
 
-if [ "$CREATE_FROM_GALLERY" = "YES" ]; then
+if [[ "${CREATE_FROM_GALLERY}" = "YES" ]]; then
     create_vm_from_sig
 else
     create_vm_from_disk

image/secure-boot/generate_nvram_vars.sh

@@ -3,6 +3,9 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-only
 
+set -euo pipefail
+shopt -s inherit_errexit
+
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 BASE_DIR=$(realpath "${SCRIPT_DIR}/..")
 
@@ -14,7 +17,7 @@ fi
 libvirt_nvram_gen () {
     local image_path="${1}"
     if test -f "${BASE_DIR}/image.nvram.template"; then
-        echo "NVRAM template already generated: $(realpath "--relative-to=$(pwd)" ${BASE_DIR}/image.nvram.template)"
+        echo "NVRAM template already generated: $(realpath "--relative-to=$(pwd)" "${BASE_DIR}"/image.nvram.template)"
         return
     fi
     if ! test -f "${image_path}"; then
@@ -36,7 +39,7 @@ libvirt_nvram_gen () {
 
     # generate nvram file using libvirt
     virt-install --name constell-nvram-gen \
-        --connect ${LIBVIRT_SOCK} \
+        --connect "${LIBVIRT_SOCK}" \
         --nonetworks \
         --description 'Constellation' \
         --ram 1024 \
@@ -80,13 +83,13 @@ libvirt_nvram_gen () {
     echo -e '    Reboot and continue this script.'
     echo -e ''
     echo -e 'Press ENTER to continue after you followed one of the guides from above.'
-    read
+    read -r
     sudo cp "${BASE_DIR}/image.nvram" "${BASE_DIR}/image.nvram.template"
     virsh --connect "${LIBVIRT_SOCK}" destroy --domain constell-nvram-gen
     virsh --connect "${LIBVIRT_SOCK}" undefine --nvram constell-nvram-gen
     rm -f "${BASE_DIR}/image.nvram"
 
-    echo "NVRAM template generated: $(realpath "--relative-to=$(pwd)" ${BASE_DIR}/image.nvram.template)"
+    echo "NVRAM template generated: $(realpath "--relative-to=$(pwd)" "${BASE_DIR}"/image.nvram.template)"
 }
 
-libvirt_nvram_gen $1
+libvirt_nvram_gen "$1"

image/secure-boot/genkeys.sh

@@ -9,27 +9,30 @@
 # Release images are signed using a different set of keys.
 # Set PKI to an empty folder and PKI_SET to "dev".
 
+set -euo pipefail
+shopt -s inherit_errexit
+
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 TEMPLATES=${SCRIPT_DIR}/templates
 BASE_DIR=$(realpath "${SCRIPT_DIR}/..")
-if [ -z "${PKI}" ]; then
+if [[ -z "${PKI}" ]]; then
     PKI=${BASE_DIR}/pki
 fi
-if [ -z "${PKI_SET}" ]; then
+if [[ -z "${PKI_SET}" ]]; then
     PKI_SET=dev
 fi
 
 gen_pki () {
     # Only use for non-production images.
     # Use real PKI for production images instead.
-    count=$(ls -1 ${PKI}/*.{key,crt,cer,esl,auth} 2>/dev/null | wc -l)
-    if [ $count != 0 ]
+    count=$(find "${PKI}" -maxdepth 1 \( -name '*.key' -o -name '*.crt' -o -name '*.cer' -o -name '*.esl' -o -name '*.auth' \) 2>/dev/null | wc -l)
+    if [[ "${count}" != 0 ]]
     then
-        echo PKI files $(ls -1 $(realpath "--relative-to=$(pwd)" ${PKI})/*.{key,crt,cer,esl,auth}) already exist
+        echo PKI files "$(ls -1 "$(realpath "--relative-to=$(pwd)" "${PKI}")"/*.{key,crt,cer,esl,auth})" already exist
         return
     fi
     mkdir -p "${PKI}"
-    pushd "${PKI}"
+    pushd "${PKI}" || exit 1
 
     uuid=$(systemd-id128 new --uuid)
     for key in PK KEK db; do
@@ -60,7 +63,7 @@ gen_pki () {
     sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
     sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
 
-    popd
+    popd || exit 1
 }
 
 # gen_pki generates a PKI for testing purposes only.

image/secure-boot/signed-shim.sh

@@ -3,9 +3,11 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-only
 
-set -euo pipefail
 # This script is used to add a signed shim to the image.raw file EFI partition after running `mkosi build`.
 
+set -euo pipefail
+shopt -s inherit_errexit
+
 if (( $# != 1 ))
 then
     echo "Usage: $0 <image.raw>"
@@ -16,8 +18,6 @@ fi
 SOURCE=https://kojipkgs.fedoraproject.org/packages/shim/15.6/2/x86_64/shim-x64-15.6-2.x86_64.rpm
 # EXPECTED_SHA512 is the SHA512 checksum of the signed shim RPM
 EXPECTED_SHA512=971978bddee95a6a134ef05c4d88cf5df41926e631de863b74ef772307f3e106c82c8f6889c18280d47187986abd774d8671c5be4b85b1b0bb3d1858b65d02cf
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-BASE_DIR=$(realpath "${SCRIPT_DIR}/..")
 TMPDIR=$(mktemp -d)
 
 pushd "${TMPDIR}"
@@ -26,7 +26,7 @@ curl -sL -o shim.rpm "${SOURCE}"
 echo "Checking SHA512 checksum of signed shim..."
 sha512sum -c <<< "${EXPECTED_SHA512}  shim.rpm"
 rpm2cpio shim.rpm | cpio -idmv
-echo $TMPDIR
+echo "${TMPDIR}"
 
 popd
 
@@ -45,5 +45,5 @@ cp "${MOUNTPOINT}/EFI/systemd/systemd-bootx64.efi" "${MOUNTPOINT}/EFI/BOOT/grubx
 rm -f "${MOUNTPOINT}"/*/*/{linux,initrd}
 
 umount "${MOUNTPOINT}"
-rm -rf ${MOUNTPOINT}
+rm -rf "${MOUNTPOINT}"
 rm -rf "${TMPDIR}"