V8.13.392.2025.11.07

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml

@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
-  counter: 1023
+  counter: 1024
   version: V8.13.392.2025.11.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_trixie_1.yaml

@@ -16,6 +16,7 @@ name: 🔐 Generating a Private Live ISO TRIXIE.
 defaults:
   run:
     shell: bash
+    working-directory: ${{ github.workspace }}
 
 permissions:
   contents: write
@@ -35,11 +36,6 @@ jobs:
     container:
       image: debian:trixie
 
-    defaults:
-      run:
-        shell: bash
-        working-directory: ${{ github.workspace }}
-
     steps:
       - name: 🕑 Waiting random time to desynchronize parallel workflows.
         run: |
@@ -138,6 +134,7 @@ jobs:
           echo "GNUPGHOME=${GNUPGHOME}"                 >> "${GITHUB_ENV}"
           echo 'allow-loopback-pinentry'                >| "${GNUPGHOME}/gpg-agent.conf"
           echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
+          echo "trust-model always"                     >> "${GNUPGHOME}/gpg.conf"
           gpgconf --reload gpg-agent || true
 
       - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.

.gitea/workflows/linter_char_scripts.yaml

@@ -23,6 +23,11 @@
 
 name: 🛡️ Shell Script Linting
 
+defaults:
+  run:
+    shell: bash
+    working-directory: ${{ github.workspace }}
+
 on:
   push:
     branches:
@@ -37,14 +42,17 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
-        shell: bash
         run: |
           set -euo pipefail
           var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
           sleep "${var_wait}"
 
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set +x
+          set -euo pipefail
           rm -rf ~/.ssh && mkdir -m700 ~/.ssh
 
           ### Private Key
@@ -67,25 +75,15 @@ jobs:
           chmod 0600 ~/.ssh/config
 
       ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
         env:
           ### GITHUB_REF_NAME contains the branch name from the push event.
           GITHUB_REF_NAME: ${{ github.ref_name }}
         run: |
           set -euo pipefail
           git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-
-      - name: 🛠️ Cleaning the workspace.
-        shell: bash
-        run: |
-          set -euo pipefail
-          git reset --hard
-          git clean -fd
 
       - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
         run: |
           set -euo pipefail
           ### GPG-Home relative to the Runner Workspace to avoid changing global files.
@@ -98,7 +96,6 @@ jobs:
           echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
 
       - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
-        shell: bash
         run: |
           set -euo pipefail
           export GNUPGHOME="$(PWD)/.gnupg"
@@ -109,22 +106,19 @@ jobs:
           git config gpg.format openpgp
 
       - name: ⚙️ Convert APT sources to HTTPS.
-        shell: bash
         run: |
           set -euo pipefail
           sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
           sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
 
-      - name: 🛠️ Install dependencies.
+      - name: 🔧 Install dependencies.
-        shell: bash
         run: |
           ### Install grep with Perl-regex support, falls noch nicht vorhanden
-          apt-get update
+          apt-get update  -qq
           apt-get upgrade -y
           apt-get install -y grep
 
       - name: 🔍 Lint shell scripts
-        shell: bash
         run: |
           # -------------------------------
           # STEP 1: Find target files.
@@ -254,7 +248,6 @@ jobs:
           fi
 
       - name: 🚧 Stash local changes (including untracked).
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -263,7 +256,6 @@ jobs:
           git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
 
       - name: 🔄 Sync with remote before commit using merge strategy.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -280,8 +272,7 @@ jobs:
           git status
           git log --oneline -n 5
 
-      - name: 🛠️ Restore stashed changes.
+      - name: 🔧 Restore stashed changes.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -290,7 +281,6 @@ jobs:
           git stash pop || echo "✔️ Nothing to pop."
 
       - name: 📦 Stage generated files.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -299,7 +289,6 @@ jobs:
           git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
 
       - name: 🔑 Commit and sign changes with CI metadata.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -335,7 +324,6 @@ jobs:
           fi
 
       - name: 🔁 Push back to repository.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |

lib/lib_gnupg.sh

@@ -54,6 +54,7 @@ init_gnupg() {
       cat << EOF >| "${GNUPGHOME}/gpg-agent.conf"
 allow-loopback-pinentry
 pinentry-program /usr/bin/pinentry-tty
+trust-model always
 EOF
 
       if ! gpgconf --launch gpg-agent 2>&1; then