grub.cfg: Fix rpm grub.cfg permission and verification issues

Fix the rpm verificaton issues (see NOTE below) introduced in 2.06-83 [1].
On the other hand, 2.06-85 [2] introduced a change on grub2-mkconfig where
it prevents overwritting `${EFI_HOME}/grub.cfg` with side effects on the
`%posttrans` scriptlet, where it tries to recreate it in case this
file does not exist but due to [2] the `${EFI}/grub.cfg` file is never
created. Fix the `%posttrans` code with the logic but applied to
${GRUB_HOME}/grub.cfg. On the same scriplet, make sure
${EFI_HOME}/grub.cfg is present before grepping into it. The changes also
fix the issue reported on RHEL-45870 where now /boot/grub2/grub.cfg
conf file has the right permission (-rw-------).

NOTE: With 2.06-83 release, the grub.cfg configuration files regressed on
file's mode (M) verification

    [root@localhost ~]# rpm -Va
    S.5....T.  c /etc/ssh/sshd_config
    .M.......  c /boot/efi/EFI/redhat/grub.cfg
    .M.......  c /boot/grub2/grub.cfg

The following change fixes the issues above as seen in log

    [root@localhost ~]# rpm -Va
    S.5....T.  c /etc/ssh/sshd_config

[1] https://pkgs.devel.redhat.com/cgit/rpms/grub2/commit/?h=rhel-9-main&id=694ab652e3443719e3876e3d183e59b2f9e055fd
[2] https://pkgs.devel.redhat.com/cgit/rpms/grub2/commit/?h=rhel-9-main&id=0185426fb4d693307cda0c7740e9dcf9907cc146

Resolves: #RHEL-45870
Signed-off-by: Leo Sandoval <lsandova@redhat.com>

grub.macros

@@ -589,7 +589,8 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig	\
 touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub		\
 ln -sf ../default/grub						\\\
 	${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub		\
-touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg			\
+touch grub.cfg							\
+install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/	\
 ln -s ../boot/%{name}/grub.cfg					\\\
 	${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}.cfg		\
 %{nil}
@@ -634,7 +635,7 @@ ln -s ../boot/%{name}/grub.cfg					\\\
 %attr(0700,root,root)/boot/%{name}/fonts			\
 %dir %attr(0700,root,root)/boot/loader/entries			\
 %ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg	\
-%ghost %config(noreplace) %verify(not mtime) %attr(0600,root,root)%{efi_esp_dir}/grub.cfg	\
+%ghost %config(noreplace) %verify(not mtime) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg	\
 %config(noreplace) %verify(not size mode md5 mtime) /boot/%{name}/grubenv	\
 %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
 %{expand:%if 0%{?without_efi_modules}				\

grub2.spec

@@ -335,20 +335,23 @@ if ! mountpoint -q ${ESP_PATH}; then
     exit 0 # no ESP mounted, nothing to do
 fi
 
-if test ! -f ${EFI_HOME}/grub.cfg; then
+if test ! -f ${GRUB_HOME}/grub.cfg; then
-    # there's no config in ESP, create one
+    # there's no config in GRUB home, create one
-    grub2-mkconfig -o ${EFI_HOME}/grub.cfg
+    grub2-mkconfig -o ${GRUB_HOME}/grub.cfg
-    cp -a ${EFI_HOME}/grub.cfg ${EFI_HOME}/grub.cfg.rpmsave
 fi
 
+# make sure grub.cfg is present before grepping it
+if test -f ${EFI_HOME}/grub.cfg; then
     # need to move grub.cfg to correct dir for major version upgrade
     if ! grep -q "configfile" ${EFI_HOME}/grub.cfg; then
         cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/
+        chmod 0600 ${GRUB_HOME}/grub.cfg
     fi
 
     if grep -q "configfile" ${EFI_HOME}/grub.cfg && grep -q "root-dev-only" ${EFI_HOME}/grub.cfg; then
         exit 0 # already unified, nothing to do
     fi
+fi
 
 # create a stub grub2 config in EFI
 BOOT_UUID=$(%{name}-probe --target=fs_uuid ${GRUB_HOME})
@@ -537,6 +540,10 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif
 
 %changelog
+* Wed Jul 31 2024 Leo Sandoval <lsandova@redhat.com> - 2.06-88
+- grub.cfg: Fix rpm grub.cfg verification issues
+- Resolves: #RHEL-45870
+
 * Wed Jul 31 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 2.06-87
 - grub2-mkconfig: Simplify os_name detection
 - Resolves: #RHEL-32099