Yes, I took the same approach with this that Heads already takes with /boot. Because this is using sha256sum against a signature file, just like with /boot, it only checks whether existing files have been tampered with (so will help with things like rootkits that replace system binaries with trojaned versions), so you will have to factor that into your security models.
1 Like