V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m52s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m52s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -89,6 +89,9 @@ setup_dropbear() {
|
||||
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/dropbear.sh" \
|
||||
"${TARGET}/includes/initramfs-tools/hooks/"
|
||||
|
||||
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock-wrapper.sh" \
|
||||
"${TARGET}/includes/initramfs-tools/files/"
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
@@ -119,7 +122,7 @@ write_dropbear_conf() {
|
||||
# -K: Keepalive interval in seconds
|
||||
# -p: Specify port (and optionally address)
|
||||
# -w: Disable root login (SHOULD NOT be implemented for initramfs)
|
||||
DROPBEAR_OPTIONS="-b /etc/dropbear/initramfs/banner -E -I 300 -K 60 -p ${user_ssh_port:-2222}"
|
||||
DROPBEAR_OPTIONS="-b /etc/dropbear/initramfs/banner -c /usr/local/bin/unlock_wrapper.sh -E -I 300 -K 60 -p ${user_ssh_port:-2222}"
|
||||
|
||||
#
|
||||
# On local (non-NFS) mounts, interfaces matching this pattern are
|
||||
|
||||
@@ -9,7 +9,7 @@
|
||||
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
# SPDX-Comment: coresecret.sh to be executed after dropbear SSH login
|
||||
# SPDX-Comment: unlock_wrapper.sh to be executed after dropbear SSH login as forced command
|
||||
|
||||
set -C -e -u -o pipefail
|
||||
IFS=$(printf ' \n\t')
|
||||
@@ -373,4 +373,4 @@ elif [[ -n ${DEVICES_LUKS[*]} ]] && [[ -n ${DEVICES_NUKE[*]} ]]; then
|
||||
fi
|
||||
|
||||
fi
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
78
includes/initramfs-tools/files/unlock_wrapper_signer.sh
Normal file
78
includes/initramfs-tools/files/unlock_wrapper_signer.sh
Normal file
@@ -0,0 +1,78 @@
|
||||
#!/bin/bash
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
# SPDX-Comment: unlock_wrapper_signer.sh for signing unlock_wrapper.sh
|
||||
|
||||
set -Ceuo pipefail
|
||||
|
||||
### Paths
|
||||
declare -r SCRIPT="/etc/initramfs-tools/files/unlock_wrapper.sh"
|
||||
declare -r KEYFILE="/root/.ciss/keys/dummy_0x12345678_SECRET.asc"
|
||||
declare -r GNUPGHOME="/root/.ciss/gnupg"
|
||||
|
||||
### Output Files
|
||||
declare -r HASH384="${SCRIPT}.sha384"
|
||||
declare -r HASH512="${SCRIPT}.sha512"
|
||||
declare -r SIG384="${HASH384}.sig"
|
||||
declare -r SIG512="${HASH512}.sig"
|
||||
|
||||
### Ensure GNUPGHOME exists with secure permissions
|
||||
mkdir -p "${GNUPGHOME}"
|
||||
chmod 0700 "${GNUPGHOME}"
|
||||
|
||||
### Import private key only if not already present
|
||||
if ! gpg --homedir "${GNUPGHOME}" --list-secret-keys | grep -q "sec"; then
|
||||
printf "\e[0;92m✅ Importing private key ... \e[0m\n"
|
||||
gpg --homedir "${GNUPGHOME}" --import "${KEYFILE}"
|
||||
else
|
||||
printf "\e[0;92m✅ Private key already present in keyring. \e[0m\n"
|
||||
fi
|
||||
|
||||
### Extract fingerprint of the first secret key
|
||||
# shellcheck disable=SC2155
|
||||
declare -r FPR=$(gpg --homedir "$GNUPGHOME" --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }')
|
||||
|
||||
if [[ -z "${FPR}" ]]; then
|
||||
printf "\e[0;91m✘ Error: Could not extract fingerprint from keyring. \e[0m\n" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
printf "\e[0;92m✅ Using GPG key fingerprint: [%s] \e[0m\n" "${FPR}"
|
||||
|
||||
### Hashing (only the hash value, no filename)
|
||||
printf "\e[0;95m🔢 Generating Hashes ... \e[0m\n"
|
||||
|
||||
if sha384sum "${SCRIPT}" | awk '{print $1}' >| "${HASH384}"; then
|
||||
printf "\e[0;92m✅ Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH384}" "${SCRIPT}"
|
||||
fi
|
||||
|
||||
if sha512sum "${SCRIPT}" | awk '{print $1}' >| "${HASH512}"; then
|
||||
printf "\e[0;92m✅ Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH512}" "${SCRIPT}"
|
||||
fi
|
||||
|
||||
printf "\e[0;92m🔢 Generating Hashes done. \e[0m\n"
|
||||
|
||||
### Signing Hashes
|
||||
printf "\e[0;95m✍️ Signing hashes ... \e[0m\n"
|
||||
|
||||
if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG384}" --detach-sign "${HASH384}"; then
|
||||
printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH384}" "${SIG384}"
|
||||
fi
|
||||
|
||||
if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG512}" --detach-sign "${HASH512}"; then
|
||||
printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH512}" "${SIG512}"
|
||||
fi
|
||||
|
||||
printf "\e[0;92m✍️ Signing hashes done. \e[0m\n"
|
||||
|
||||
exit 0
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
@@ -30,3 +30,5 @@ export PS1='$( STATUS=$?; \
|
||||
printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;91m\002%d\001\e[0m\002|~#> " "${STATUS}"; \
|
||||
fi; ) '
|
||||
EOF
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
|
||||
@@ -47,13 +47,15 @@ for dir in bin usr/bin; do
|
||||
ln -sf busybox "${DESTDIR}/${dir}/sleep"
|
||||
done
|
||||
|
||||
install -m 0555 /etc/initramfs-tools/files/coresecret.sh "${DESTDIR}/usr/local/bin/coresecret.sh"
|
||||
install -m 0444 /etc/initramfs-tools/files/coresecret.sh.sha384 "${DESTDIR}/usr/local/bin/coresecret.sh.sha384"
|
||||
install -m 0444 /etc/initramfs-tools/files/coresecret.sh.sha512 "${DESTDIR}/usr/local/bin/coresecret.sh.sha512"
|
||||
install -m 0444 /etc/initramfs-tools/files/coresecret.sh.sha384.sig "${DESTDIR}/usr/local/bin/coresecret.sh.sha384.sig"
|
||||
install -m 0444 /etc/initramfs-tools/files/coresecret.sh.sha512.sig "${DESTDIR}/usr/local/bin/coresecret.sh.sha512.sig"
|
||||
install -m 0555 /etc/initramfs-tools/files/unlock-wrapper.sh "${DESTDIR}/usr/local/bin/unlock-wrapper.sh"
|
||||
install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha384 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha384"
|
||||
install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha512"
|
||||
install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha384.sig "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha384.sig"
|
||||
install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha512.sig "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha512.sig"
|
||||
|
||||
cp -a /root/.ciss/keys/pubring.gpg "${DESTDIR}/etc/keys/"
|
||||
chmod 0444 "${DESTDIR}/etc/keys/pubring.gpg"
|
||||
|
||||
cp -a /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/initramfs/banner"
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
|
||||
@@ -10,6 +10,6 @@
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
export PATH=/usr/bin:/bin:/sbin:/usr/sbin:$PATH
|
||||
export PATH="/usr/local/bin:/usr/bin:/bin:/sbin:/usr/sbin:$PATH"
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
|
||||
Reference in New Issue
Block a user