V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-09-02 16:48:32 +02:00
parent 7a395f0c4c
commit c5cc96ec44
4 changed files with 13 additions and 8 deletions
--- a/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh
+++ b/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 # SPDX-Comment: unlock_wrapper.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command.

-set -Ceuo pipefail
+#set -Ceuo pipefail

 #######################################
 # Variable declaration
@@ -258,6 +258,7 @@ read_passphrase() {

      for METHOD in "${METHODS[@]}"; do

+        # shellcheck disable=SC2312
        if mkpasswd -m "${METHOD}" -S "${SALT}" "${PASSPHRASE}" 2>/dev/null | grep -qF -- "${NUKE_HASH}"; then

          nuke
@@ -349,16 +350,18 @@ verify_script() {

    color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"

-    gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}" || {
+    if ! gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}"; then
      color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
      color_echo "${RED}" "✘ System Power Off in 3 seconds ...."
      # TODO: DEBUGGER
      #power_off 3
-    }
-    color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
+    else
+      color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
+    fi

    color_echo "${MAG}" "🔢 Recomputing Hash: [${item}]"

+    # shellcheck disable=SC2312
    computed=$(${cmd} "${dir}/${script}" | awk '{print $1}')
    expected=$(cat "${hashfile}")

@@ -394,10 +397,10 @@ main() {

  color_echo "${RED}" "Coresecret Connection established."
  color_echo "${RED}" "Starting Time: ${CURRENTDATE}"
-  color_echo "${MAG}" "Integrity self-check ..."
+  #color_echo "${MAG}" "Integrity self-check ..."
  printf "%b" "${NL}"

-  verify_script
+  #verify_script

  ### Read newline-separated output into an array.
  color_echo "${MAG}" "Scanning for LUKS devices ..."
--- a/includes/target/etc/initramfs-tools/hooks/custom-initramfs.sh
+++ b/includes/target/etc/initramfs-tools/hooks/custom-initramfs.sh
@@ -64,6 +64,8 @@ printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin] \n\
 ### Include GPG
 copy_exec /usr/bin/gpg /usr/bin
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpg /usr/bin] \n\e[0m"
+copy_exec /usr/bin/gpgv /usr/bin
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin] \n\e[0m"

 ### Include Whois
 copy_exec /usr/bin/whois /usr/bin