From 1068aa2004f8443c91ea2e7376b1189ee32ce04c31611fae7af7be74ee307553 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Fri, 7 Nov 2025 19:30:16 +0100
Subject: [PATCH] V8.13.392.2025.11.07
Signed-off-by: Marc S. Weidner
---
 .../workflows/generate_PRIVATE_trixie_1.yaml | 2 +-
 ciss_live_builder.sh | 6 +++
 lib/lib_lb_config_write_trixie.sh | 2 +-
 var/error.var.sh | 47 +++++++++++++++++++
 var/global.var.sh | 20 +++++++-
 5 files changed, 74 insertions(+), 3 deletions(-)
 create mode 100644 var/error.var.sh
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index 7f4d1b0..52ec78c 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -150,7 +150,7 @@ jobs: - name: ⚙️ Configuring Git for signed CI/DEPLOY commits. run: | - #set +x + set +x set -euo pipefail git config user.name "Marc S. Weidner BOT" git config user.email "msw+bot@coresecret.dev"
diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh
index 131d38b..6b32477 100644
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -110,7 +110,13 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${ declare -grx VAR_SETUP="true" ### SECURING SECRETS ARTIFACTS. +test ! -L "${VAR_TMP_SECRET}" || { + . ./var/global.var.sh + printf "\e[91m❌ Refusing symlink: '%s'! Bye... \e[0m\n" "${VAR_TMP_SECRET}" >&2 + exit "${ERR_SECRETSSYM}" +} find "${VAR_TMP_SECRET}" -type f -exec chmod 0400 {} + +find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} + ### SOURCING VARIABLES. [[ "${VAR_SETUP}" == true ]] && {
diff --git a/lib/lib_lb_config_write_trixie.sh b/lib/lib_lb_config_write_trixie.sh
index c31bd7a..895716b 100644
--- a/lib/lib_lb_config_write_trixie.sh
+++ b/lib/lib_lb_config_write_trixie.sh
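Review bot: The `test ! -L "${VAR_TMP_SECRET}"` guard in ciss_live_builder.sh inspects only the final path component, once, before the two `find` calls, so a symlinked parent directory or a path replaced between the check and the `chmod`/`chown` is not covered. Requiring a directory owned by the invoking user in the same guard, e.g. `[[ -n "${VAR_TMP_SECRET}" && -d "${VAR_TMP_SECRET}" && -O "${VAR_TMP_SECRET}" ]]`, would narrow that window and also reject an empty value, which currently passes `test ! -L` and reaches `find ""`. The refusal branch sources `./var/global.var.sh` relative to the current working directory only to obtain one exit code, and the global.var.sh hunk shows that file also runs `mktemp` at load time. Using `exit "${ERR_SECRETSSYM:-251}"`, or a path anchored to the script's own directory, would avoid executing a CWD-relative file (presumably as root) on the failure path.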
@@ -79,7 +79,7 @@ lb_config_write_trixie() {
 --linux-packages linux-image \
 --loadlin true \
 --memtest memtest86+ \
- --mirror-binary 'https://deb/debian.org/debian/' \
+ --mirror-binary 'https://deb.debian.org/debian/' \
 --mirror-binary-security 'https://security.debian.org/' \
 --mirror-bootstrap 'https://deb.debian.org/debian/' \
 --mirror-chroot 'https://deb.debian.org/debian/' \
diff --git a/var/error.var.sh b/var/error.var.sh
new file mode 100644
index 0000000..6a6c78e
--- /dev/null
+++ b/var/error.var.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+# shellcheck disable=SC2034
+
+### Definition of error codes.
+declare -gir ERR_UNCRITICAL=127
+declare -gir ERR_NOT_USER_0=128 # Not running as root
+declare -gir ERR_FLOCK_WRTG=129 # Cannot open lockfile for writing
+declare -gir ERR_FLOCK_COLL=130 # The Script is already running
+declare -gir ERR_GUARD_SRCE=131 # Module tried to load twice.
+declare -gir ERR_GPG__AGENT=132 # GNUPG agent error.
+declare -gir ERR_SPLASH_PNG=200 # --change-splash MUST be 'club' or 'hexagon'
+declare -gir ERR_CONTROL_CT=201 # --control MUST be an integer between '1' and '65535'
+declare -gir ERR_RENICE_PRI=202 # --renice-priority MUST an integer between '-19' and '19'
+declare -gir ERR_REIONICE_P=203 # --reionice-priority no values provided.
+declare -gir ERR_REIO_P_VAL=204 # --reionice-priority PRIORITY MUST be an integer between '0' and '7'
+declare -gir ERR_REIO_C_VAL=205 # --reionice-priority CLASS MUST be an integer between '1' and '3'
+declare -gir ERR_MISS_PWD_P=206 # --root-password-file missing password file path argument
+declare -gir ERR_MISS_PWD_F=207 # --root-password-file password file does not exist
+declare -gir ERR_OWNS_PWD_F=208 # --root-password-file failed to set owner root:root on the PWD file
+declare -gir ERR_RGHT_PWD_F=209 # --root-password-file failed to set permissions 0400 on the PWD file
+declare -gir ERR_PASS_LENGH=210 # --root-password-file password MUST be between 20 and 64 characters
+declare -gir ERR_PASS_PLICY=211 # --root-password-file password MUST NOT contain double quotes
+declare -gir ERR__SSH__PORT=212 # --ssh-port MUST be an integer between '1' and '65535'
+declare -gir ERR_ARG_MSMTCH=213 # Wrong Number of optional Arguments provided
+declare -gir ERR_NOTABSPATH=252 # Not an absolute path
+declare -gir ERR_INVLD_CHAR=253 # Invalid Character
+declare -gir ERR_UNBOUNDVAR=254 # Unbound Variable
+declare -gir ERR_UNSPPTBASH=255 # Unsupported Bash
+
+### Definition of error trap vars
+declare -g ERRCODE="" # = $? = $1 = ERRCODE
+declare -g ERRSCRT="" # = ${BASH_SOURCE[0]} = $2 = ERRSCRT
+declare -g ERRLINE="" # = ${LINENO} = $3 = ERRLINE
+declare -g ERRFUNC="" # = ${FUNCNAME[0]:-main} = $4 = ERRFUNC
+declare -g ERRCMMD="" # = ${$BASH_COMMAND} = $5 = ERRCMMD
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/var/global.var.sh b/var/global.var.sh
index 39ecb67..d4ca8fe 100644
--- a/var/global.var.sh
+++ b/var/global.var.sh
@@ -11,7 +11,11 @@ # SPDX-Security-Contact: security@coresecret.eu # shellcheck disable=SC2155,SC2034 -guard_sourcing || return "${ERR_GUARD_SRCE}" +if declare -F guard_sourcing >/dev/null 2>&1; then + + guard_sourcing || return "${ERR_GUARD_SRCE}" + +fi ### Definition of MUST set global variables. declare -gr VAR_KERNEL_INF="$(mktemp)"
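Review bot: The error-code list in the new var/error.var.sh goes from `ERR_ARG_MSMTCH=213` straight to `ERR_NOTABSPATH=252`, so `ERR_SECRETSSYM=251`, which this same commit adds to var/global.var.sh, is missing here; add `declare -gir ERR_SECRETSSYM=251 # VAR_TMP_SECRET is a symlink.` to keep the two lists in step. Every code is declared `-gir` in both files, so sourcing both in one shell would presumably fail on the readonly redeclaration; a header comment should say which file is authoritative, or the block should live in only one of them. In the trap-variable comments, `${$BASH_COMMAND}` is not a valid expansion and should read `${BASH_COMMAND}`, and the `ERR_RENICE_PRI` comment is missing a word (`MUST be an integer`).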
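Review bot: When `guard_sourcing` is not defined, var/global.var.sh now loads with no double-sourcing protection, and nothing in the hunk says why that is acceptable. A comment above the `if` would record the intent, e.g. `# guard_sourcing may be undefined when this file is sourced early, before the libs are loaded; the guard is skipped in that case.` The early call site appears to be the symlink check added to ciss_live_builder.sh in this commit. A second load in the same shell would hit the readonly `declare -gr`/`-gir` lines and call `mktemp` again, so the unguarded path should stay limited to branches that exit immediately.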
@@ -55,6 +59,19 @@ declare -gx VAR_SIGNING_KEY_PASS="" declare -gx VAR_SIGNING_KEY_PASSFILE="" declare -gx VAR_SIGNING_KEY="" +### Definition of color variables. +declare -grx BLA='\e[90m' # Beautiful black for the techno fans. +declare -grx RED='\e[91m' # Bright red. +declare -grx GRE='\e[92m' # Vibrant green. +declare -grx YEL='\e[93m' # Fancy yellow +declare -grx BLU='\e[94m' # Organic blue. +declare -grx MAG='\e[95m' # Super gay magenta. +declare -grx CYA='\e[96m' # Lovely cyan. +declare -grx WHI='\e[97m' # Fantastic color mix. +declare -grx RES='\e[0m' # Forget everything. +declare -grx TAB='\t' # Insert a fresh tabulator. +declare -grx NL='\n' # Print a crystal clear new line. + ### Definition of error codes. declare -gir ERR_UNCRITICAL=127 declare -gir ERR_NOT_USER_0=128 # Not running as root
@@ -76,6 +93,7 @@ declare -gir ERR_PASS_LENGH=210 # --root-password-file password MUST be between
 declare -gir ERR_PASS_PLICY=211 # --root-password-file password MUST NOT contain double quotes
 declare -gir ERR__SSH__PORT=212 # --ssh-port MUST be an integer between '1' and '65535'
 declare -gir ERR_ARG_MSMTCH=213 # Wrong Number of optional Arguments provided
+declare -gir ERR_SECRETSSYM=251 # VAR_TMP_SECRET is a symlink.
 declare -gir ERR_NOTABSPATH=252 # Not an absolute path
 declare -gir ERR_INVLD_CHAR=253 # Invalid Character
 declare -gir ERR_UNBOUNDVAR=254 # Unbound Variable
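Review bot: The colour variables in the second var/global.var.sh hunk are declared with `-grx`, which exports eleven short, generic names (`RED`, `TAB`, `NL`, …) into the environment of every child process this script starts. Unless a child script actually reads them, `declare -gr` is sufficient for use in `printf` within this shell and keeps the build environment smaller. The symlink-refusal message added to ciss_live_builder.sh in this commit still hard-codes `\e[91m` and `\e[0m`, so it is worth settling whether these names or the literals are the convention.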