msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 46s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-09-02 16:48:32 +02:00
parent 7a395f0c4c
commit c5cc96ec44
4 changed files with 13 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.preseed/partitioning.yaml
View File

@@ -85,7 +85,7 @@ recipe:
end: "3GiB" end: "3GiB"
bootable: false bootable: false
encryption: encryption:
enable: true enable: false
ephemeral: false # MUST be "false" for "/boot" ephemeral: false # MUST be "false" for "/boot"
integrity: false # MUST be "false" for "/boot" integrity: false # MUST be "false" for "/boot"
cipher: "aes-xts-plain64" cipher: "aes-xts-plain64"

2
func/cdi_4200_boot/4210_generate_crypttab.sh
View File

@@ -110,7 +110,7 @@ EOF
;; ;;
*) *)
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard" write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=decrypt_keyctl,tries=1"
;; ;;
esac esac

13
includes/target/etc/initramfs-tools/files/unlock_wrapper.sh
View File

@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command. # SPDX-Comment: unlock_wrapper.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command.
set -Ceuo pipefail #set -Ceuo pipefail
####################################### #######################################
# Variable declaration # Variable declaration
@@ -258,6 +258,7 @@ read_passphrase() {
for METHOD in "${METHODS[@]}"; do for METHOD in "${METHODS[@]}"; do
# shellcheck disable=SC2312
if mkpasswd -m "${METHOD}" -S "${SALT}" "${PASSPHRASE}" 2>/dev/null | grep -qF -- "${NUKE_HASH}"; then if mkpasswd -m "${METHOD}" -S "${SALT}" "${PASSPHRASE}" 2>/dev/null | grep -qF -- "${NUKE_HASH}"; then
nuke nuke
@@ -349,16 +350,18 @@ verify_script() {
color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]" color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}" || { if ! gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}"; then
color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]" color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
color_echo "${RED}" "✘ System Power Off in 3 seconds ...." color_echo "${RED}" "✘ System Power Off in 3 seconds ...."
# TODO: DEBUGGER # TODO: DEBUGGER
#power_off 3 #power_off 3
} else
color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful." color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
fi
color_echo "${MAG}" "🔢 Recomputing Hash: [${item}]" color_echo "${MAG}" "🔢 Recomputing Hash: [${item}]"
# shellcheck disable=SC2312
computed=$(${cmd} "${dir}/${script}" | awk '{print $1}') computed=$(${cmd} "${dir}/${script}" | awk '{print $1}')
expected=$(cat "${hashfile}") expected=$(cat "${hashfile}")
@@ -394,10 +397,10 @@ main() {
color_echo "${RED}" "Coresecret Connection established." color_echo "${RED}" "Coresecret Connection established."
color_echo "${RED}" "Starting Time: ${CURRENTDATE}" color_echo "${RED}" "Starting Time: ${CURRENTDATE}"
color_echo "${MAG}" "Integrity self-check ..." #color_echo "${MAG}" "Integrity self-check ..."
printf "%b" "${NL}" printf "%b" "${NL}"
verify_script #verify_script
### Read newline-separated output into an array. ### Read newline-separated output into an array.
color_echo "${MAG}" "Scanning for LUKS devices ..." color_echo "${MAG}" "Scanning for LUKS devices ..."

2
includes/target/etc/initramfs-tools/hooks/custom-initramfs.sh
View File

@@ -64,6 +64,8 @@ printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin] \n\
### Include GPG ### Include GPG
copy_exec /usr/bin/gpg /usr/bin copy_exec /usr/bin/gpg /usr/bin
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpg /usr/bin] \n\e[0m" printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpg /usr/bin] \n\e[0m"
copy_exec /usr/bin/gpgv /usr/bin
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin] \n\e[0m"
### Include Whois ### Include Whois
copy_exec /usr/bin/whois /usr/bin copy_exec /usr/bin/whois /usr/bin