# Revision history:
#
+# 0.10.2 -- Improved Secure Boot detection in Linux, fixed --usedefault in OS X,
+# and fixed bug that could cause mountesp to be installed as a FILE
+# called /usr/local/bin in OS X.
# 0.10.1 -- Improve extraction of default kernel options from /proc/cmdline.
# Add support for AMD64 (aka AARCH64, aa64) platform. Added
# warning when --alldrivers used without --usedefault.
<key>ProductName</key>
<string>rEFInd</string>
<key>ProductVersion</key>
- <string>0.10.0</string>
+ <string>0.10.2</string>
</dict>
</plist>
ENDOFHERE
} # SetupMacHfs()
CheckForSIP() {
- if [[ -x "/usr/bin/csrutil" ]] ; then
+ if [[ -x "/usr/bin/csrutil" && -z "$TargetPart" ]] ; then
local OKToInstall=`/usr/bin/csrutil status | \
grep "Protection status: disabled\|enabled (Apple Internal)\|NVRAM Protections: disabled"`
if [[ -z "$OKToInstall" ]] ; then
# Sets Problems=1 if problems found during the installation.
InstallOnOSX() {
echo "Installing rEFInd on OS X...."
- if [[ "$InstallToEspOnMac" == "1" ]] ; then
+ if [[ "$InstallToEspOnMac" == "1" && -z "$TargetPart" ]] ; then
MountOSXESP
elif [[ "$TargetDir" == "/EFI/BOOT" || "$OwnHfs" == '1' ]] ; then
MountDefaultTarget
DetermineTargetDir
CheckForSIP
CopyRefindFiles
- cp "$ThisDir/mountesp" /usr/local/bin &> /dev/null
- if [[ $InstallToEspOnMac == "1" ]] ; then
+ mkdir -p /usr/local/bin &> /dev/null
+ cp "$ThisDir/mountesp" /usr/local/bin/ &> /dev/null
+ if [[ $InstallToEspOnMac == "1" && -z "$TargetPart" ]] ; then
bless --mount "$InstallDir" --setBoot --file "$InstallDir/$TargetDir/$Refind" --shortform
elif [[ "$TargetDir" != "/EFI/BOOT" ]] ; then
bless --setBoot --folder "$InstallDir/$TargetDir" --file "$InstallDir/$TargetDir/$Refind"
# If we're NOT in Secure Boot mode but the user HAS specified the --shim
# or --localkeys option, warn the user and offer to abort.
CheckSecureBoot() {
- local IsSecureBoot
- if [[ -f /sys/firmware/efi/vars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c/data ]] ; then
+ IsSecureBoot="0"
+ if [[ -f /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c ]] ; then
+ IsSecureBoot=`od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c | awk '{print substr($0,length,1)}'`
+ elif [[ -f /sys/firmware/efi/vars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c/data ]] ; then
IsSecureBoot=`od -An -t u1 /sys/firmware/efi/vars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c/data | tr -d '[[:space:]]'`
- else
- IsSecureBoot="0"
fi
if [[ $IsSecureBoot == "1" && "$TargetDir" != '/EFI/BOOT' && "$ShimSource" == "none" ]] ; then
echo ""
# Sign a single binary. Requires parameters:
# $1 = source file
# $2 = destination file
-# Also assumes that the SBSign, PESign, UseSBSign, UsePESign, and various key variables are set
-# appropriately.
+# Also assumes that the SBSign and various key variables are set appropriately.
# Aborts script on error
SignOneBinary() {
- $SBSign --key "$PrivateKey" --cert "$CertKey" --output "$2" "$1"
- if [[ $? != 0 ]] ; then
+ $SBSign --key "$PrivateKey" --cert "$CertKey" --output "$2" "$1" 2>&1 >/dev/null | \
+ grep -v "data remaining.*gaps between PE/COFF sections"
+ if [[ "${PIPESTATUS[0]}" != 0 ]] ; then
echo "Problem signing the binary $1! Aborting!"
exit 1
fi