grub.cfg: Fix rpm grub.cfg permission and verification issues

Fix the rpm verificaton issues. On the other hand, 2.06-121 [1]
introduced a change on grub2-mkconfig where it prevents overwritting
`${EFI_HOME}/grub.cfg` with side effects on the `%posttrans`
scriptlet, where it tries to recreate it in case this file does not
exist but due to [1] the `${EFI}/grub.cfg` file would never be
created. Fix the `%posttrans` code with the logic but applied to
${GRUB_HOME}/grub.cfg. On the same scriplet, make sure
${EFI_HOME}/grub.cfg is present before grepping into it.

[1] https://pkgs.devel.redhat.com/cgit/rpms/grub2/commit/?h=rhel-10-main&id=9c6e5cf6c8e597efbf6a10399371789fddafac12

Resolves: #RHEL-56918
Signed-off-by: Leo Sandoval <lsandova@redhat.com>

grub.macros

@@ -671,7 +671,8 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig	\
 touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub		\
 ln -sf ../default/grub						\\\
 	${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub		\
-touch ${RPM_BUILD_ROOT}/boot/grub2/grub.cfg			\
+touch grub.cfg							\
+install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/grub2/	        \
 ln -s ../boot/grub2/grub.cfg					\\\
 	${RPM_BUILD_ROOT}%{_sysconfdir}/grub2.cfg		\
 %{nil}
@@ -680,7 +681,7 @@ ln -s ../boot/grub2/grub.cfg					\\\
 %{expand:%%files %{1}}						\
 %defattr(-,root,root,-)						\
 %config(noreplace) %{_sysconfdir}/grub2.cfg			\
-%ghost %config(noreplace) %attr(0700,root,root)/boot/grub2/grub.cfg	\
+%ghost %config(noreplace) %attr(0600,root,root)/boot/grub2/grub.cfg	\
 %dir %attr(0700,root,root)/boot/loader/entries			\
 %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/grub2-%{1}.conf \
 %ifarch ppc64le							\
@@ -715,7 +716,7 @@ ln -s ../boot/grub2/grub.cfg					\\\
 %endif								\
 %attr(0700,root,root)/boot/grub2/fonts			\
 %dir %attr(0700,root,root)/boot/loader/entries			\
-%ghost %config(noreplace) %attr(0700,root,root)/boot/grub2/grub.cfg	\
+%ghost %config(noreplace) %attr(0600,root,root)/boot/grub2/grub.cfg	\
 %ghost %config(noreplace) %verify(not mtime) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg	\
 %config(noreplace) %verify(not size mode md5 mtime) /boot/grub2/grubenv	\
 %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/grub2-%{1}.conf \

grub2.spec

@@ -17,7 +17,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.06
-Release:	127%{?dist}
+Release:	128%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPL-3.0-or-later
 URL:		http://www.gnu.org/software/grub/
@@ -373,13 +373,22 @@ if ! mountpoint -q ${ESP_PATH}; then
     exit 0 # no ESP mounted, nothing to do
 fi
 
-if test ! -f ${EFI_HOME}/grub.cfg; then
+if test ! -f ${GRUB_HOME}/grub.cfg; then
-    # there's no config in ESP, create one
+    # there's no config in GRUB_HOME, create one
-    grub2-mkconfig -o ${EFI_HOME}/grub.cfg
+    grub2-mkconfig -o ${GRUB_HOME}/grub.cfg
+else
+    # otherwise just check mode is correct, if not, fix it
+    GRUB_CFG_MODE=$(stat --format="%a" ${GRUB_HOME}/grub.cfg)
+    if ! test "${GRUB_CFG_MODE}" = "600"; then
+        chmod 0600 ${GRUB_HOME}/grub.cfg
+    fi
 fi
 
-if ((grep -q "configfile" ${EFI_HOME}/grub.cfg || grep -q "source" ${EFI_HOME}/grub.cfg) && ! grep -q "# It is automatically generated by grub2-mkconfig using templates" ${EFI_HOME}/grub.cfg); then
+# make sure ${EFI_HOME}/grub.cfg is present before grepping it
-    exit 0 #Already unified
+if test -f ${EFI_HOME}/grub.cfg; then
+    if ((grep -q "configfile" ${EFI_HOME}/grub.cfg || grep -q "source" ${EFI_HOME}/grub.cfg) && ! grep -q "# It is automatically generated by grub2-mkconfig using templates" ${EFI_HOME}/grub.cfg); then
+        exit 0 #Already unified
+    fi
 fi
 
 # create a stub grub2 config in EFI
@@ -573,6 +582,10 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif
 
 %changelog
+* Mon Sep 2 2024 Leo Sandoval <lsandova@redhat.com> - 2.06-128
+- grub.cfg: Fix rpm grub.cfg verification issues
+- Resolves: #RHEL-56918
+
 * Fri Aug 30 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-127
 - Sync with rhel9 for critical patches
 - Resolves: #RHEL-56733