From e900d2027a8fb0db6d24cdf292852bf0287f40d1 Mon Sep 17 00:00:00 2001
From: builder
Date: Wed, 1 Feb 2023 20:12:45 -0600
Subject: [PATCH] Check Signature PIN and toggle forcesig if not forced
---
 initrd/bin/oem-factory-reset | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
index 5d18b2075..1634993d4 100755
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@@ -87,6 +87,19 @@ gpg_key_reset()
 if lsusb | grep -q "20a0:4109" && [ -x /bin/hotp_verification ] ; then
 /bin/hotp_verification regenerate ${ADMIN_PIN_DEF}
 fi
+ # Toggle forced sig (good security practice, forcing PIN request for each signature request)
+ if gpg --card-status | grep "Signature PIN" | grep -q "not forced"; then
+ {
+ echo admin
+ echo forcesig
+ echo ${ADMIN_PIN_DEF}
+ } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ > /tmp/gpg_card_edit_output 2>/dev/null
+ if [ $? -ne 0 ]; then
+ ERROR=`cat /tmp/gpg_card_edit_output`
+ whiptail_error_die "GPG Key forcesig toggle on failed!\n\n$ERROR"
+ fi
+ fi
 # Set RSA key length
 {
 echo admin
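Review bot: The failure branch at `if [ $? -ne 0 ]` reports only `/tmp/gpg_card_edit_output`, which holds the `--status-fd=1` lines, while gpg's own error text is dropped by `2>/dev/null`, so the whiptail dialog will not tell the user why the forcesig toggle failed; writing `2>&1` into that file instead of `2>/dev/null` would keep the diagnostic. Also, because `--card-edit` is an interactive session, its exit status may be 0 even when the `forcesig` subcommand did not take effect (for example after a rejected admin PIN), so the `$?` check alone does not prove the flag was set. Since the guard already reads the flag from `gpg --card-status`, re-run the same check after the edit and fail if it still reports "not forced": `if gpg --card-status | grep "Signature PIN" | grep -q "not forced"; then whiptail_error_die "GPG Key forcesig toggle on failed!\n\n$ERROR"; fi`. Both `grep` matches depend on gpg's English output, which appears consistent with the rest of the script but is worth a comment. The enclosing function gpg_key_reset() starts before and continues after this hunk.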