V9.14.026.2026.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/zzzz_ciss_crypt_squash.hook.binary

@@ -65,6 +65,59 @@ preallocate() {
 # shellcheck disable=SC2034
 readonly -f preallocate
 
+#######################################
+# Validate that the rootfs attestation artifacts exist in the final ISO payload tree.
+# Globals:
+#   None
+# Arguments:
+#   1: Rootfs attestation manifest path
+# Returns:
+#   0: on success
+#   42: on failure
+#######################################
+require_rootfs_attestation_artifacts() {
+  declare manifest="${1}"
+  declare signature="${manifest}.sig"
+  declare artifact=""
+
+  for artifact in "${manifest}" "${signature}"; do
+
+    if [[ ! -e "${artifact}" ]]; then
+
+      printf "\e[91m❌ Required rootfs attestation artifact missing: [%s]. \e[0m\n" "${artifact}" >&2
+      return 42
+
+    fi
+
+    if [[ -L "${artifact}" || ! -f "${artifact}" ]]; then
+
+      printf "\e[91m❌ Required rootfs attestation artifact is not a regular file: [%s]. \e[0m\n" "${artifact}" >&2
+      return 42
+
+    fi
+
+    if [[ ! -s "${artifact}" ]]; then
+
+      printf "\e[91m❌ Required rootfs attestation artifact is empty: [%s]. \e[0m\n" "${artifact}" >&2
+      return 42
+
+    fi
+
+    if [[ ! -r "${artifact}" ]]; then
+
+      printf "\e[91m❌ Required rootfs attestation artifact is not readable: [%s]. \e[0m\n" "${artifact}" >&2
+      return 42
+
+    fi
+
+  done
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f require_rootfs_attestation_artifacts
+
 #######################################
 # Create and sign the rootfs attestation manifest for the exact SquashFS payload copied into the LUKS mapper.
 # Globals:
@@ -142,9 +195,12 @@ EOF
 # shellcheck disable=SC2034
 readonly -f create_attestation
 
-declare    LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt"
-declare    ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs"
-declare    ROOTFS_ATTESTATION="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs.sha512sum.txt"
+declare    LIVE_PAYLOAD_DIR="${VAR_HANDLER_BUILD_DIR}/binary/live"
+declare    ROOTFS_ATTESTATION_NAME="filesystem.squashfs.sha512sum.txt"
+declare    ROOTFS_ATTESTATION_REL="live/${ROOTFS_ATTESTATION_NAME}"
+declare    LUKSFS="${LIVE_PAYLOAD_DIR}/ciss_rootfs.crypt"
+declare    ROOTFS="${LIVE_PAYLOAD_DIR}/filesystem.squashfs"
+declare    ROOTFS_ATTESTATION="${VAR_HANDLER_BUILD_DIR}/binary/${ROOTFS_ATTESTATION_REL}"
 declare    DM_LAB="crypt_liveiso"
 declare    DEVMAP="/dev/mapper/${DM_LAB}"
 declare    LUKS_KEY_FILE="${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}"
@@ -162,8 +218,10 @@ declare -i VAR_ROOTFS_SIZE="$(stat -c%s -- "${ROOTFS}")"
 printf "\e[95m🧪 Attestation of filesystem.squashfs ... \e[0m\n"
 
 create_attestation "${ROOTFS}" "${ROOTFS_ATTESTATION}"
+require_rootfs_attestation_artifacts "${ROOTFS_ATTESTATION}"
 
-printf "\e[92m✅ Attestation of filesystem.squashfs successful. \e[0m\n"
+printf "\e[92m✅ Attestation of filesystem.squashfs successful: ISO paths [/%s] and [/%s.sig]. \e[0m\n" \
+  "${ROOTFS_ATTESTATION_REL}" "${ROOTFS_ATTESTATION_REL}"
 
 ### Safety margin:
 #   - LUKS2-Header and Metadata
@@ -250,6 +308,8 @@ shred -fzu -n 5 -- "${LUKS_KEY_FILE}"
 
 rm -f -- "${ROOTFS}"
 
+require_rootfs_attestation_artifacts "${ROOTFS_ATTESTATION}"
+
 umask "${__umask}"
 __umask=""