diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh index f740720..0f3bde5 100644 --- a/ciss_live_builder.sh +++ b/ciss_live_builder.sh @@ -132,6 +132,7 @@ declare -gx VAR_SETUP="true" source_guard "./lib/lib_check_provider.sh" source_guard "./lib/lib_check_stats.sh" source_guard "./lib/lib_check_var.sh" + source_guard "./lib/lib_ciss_upgrades.sh" source_guard "./lib/lib_clean_screen.sh" source_guard "./lib/lib_clean_up.sh" source_guard "./lib/lib_copy_integrity.sh" @@ -140,7 +141,6 @@ declare -gx VAR_SETUP="true" source_guard "./lib/lib_hardening_ultra.sh" source_guard "./lib/lib_helper_ip.sh" source_guard "./lib/lib_lb_build_start.sh" - source_guard "./lib/lib_lb_ciss_upgrades.sh" source_guard "./lib/lib_lb_config_start.sh" source_guard "./lib/lib_lb_config_write.sh" source_guard "./lib/lib_lb_config_write_trixie.sh" @@ -219,7 +219,7 @@ fi check_hooks hardening_ssh -lb_ciss_upgrade +ciss_upgrades lb_config_start if [[ "${VAR_SUITE}" == "bookworm" ]]; then diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index d582dd6..150546e 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -14,7 +14,7 @@ include_toc: true ## V8.13.294.2025.10.28 * **Added**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) + mksquashfs-excludes -* **Added**: [lib_lb_ciss_upgrades.sh](../lib/lib_lb_ciss_upgrades.sh) + modifies '/usr/lib/live/build/...' scripts +* **Added**: [lib_lb_ciss_upgrades.sh](../lib/lib_ciss_upgrades.sh) + modifies '/usr/lib/live/build/...' scripts * **Added**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) + modifies binary_rootfs script * **Updated**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) + --sshfp * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + update_initramfs=all COMPRESSLEVEL=10 
diff --git a/lib/lib_lb_ciss_upgrades.sh b/lib/lib_ciss_upgrades.sh similarity index 98% rename from lib/lib_lb_ciss_upgrades.sh rename to lib/lib_ciss_upgrades.sh index 9fd5bbd..b5ab26e 100644 --- a/lib/lib_lb_ciss_upgrades.sh +++ b/lib/lib_ciss_upgrades.sh @@ -23,7 +23,7 @@ guard_sourcing # Returns: # 0: on success ####################################### -lb_ciss_upgrade() { +ciss_upgrades() { printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" if [[ ! -e /usr/lib/live/build/binary_rootfs.original ]]; then diff --git a/lib/lib_lb_config_write_trixie.sh b/lib/lib_lb_config_write_trixie.sh index 4174448..0fd20bc 100644 --- a/lib/lib_lb_config_write_trixie.sh +++ b/lib/lib_lb_config_write_trixie.sh @@ -124,12 +124,6 @@ debootstrap debootstrap/* root/.wget-hsts tmp/* -usr/lib/firmware/amd-ucode/* -usr/lib/firmware/intel-ucode/* -var/cache/apt/pkgcache.bin -var/cache/apt/srcpkgcache.bin -var/lib/apt/lists/* -var/lib/initramfs-tools/*-amd64 EOF chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes" diff --git a/scripts/0100_centurion_dns.sh b/scripts/0100_centurion_dns.sh index e91c928..1aefdeb 100644 --- a/scripts/0100_centurion_dns.sh +++ b/scripts/0100_centurion_dns.sh @@ -12,7 +12,6 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" -# sleep 1 cat << 'EOF' >| "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/custom-resolv.conf # dns01.eddns.eu: @@ -36,7 +35,7 @@ cat << 'EOF' >| "${HANDLER_BUILD_DIR}"/config/includes.binary/hooks/live-bottom/ # SPDX-Security-Contact: security@coresecret.eu ### No bash in the installer environment, only BusyBox. -### Live-Boot: override resolv.conf after network is up +### Live-Boot: override resolv.conf after the network is up if [ -f /etc/custom-resolv.conf ]; then cp /etc/custom-resolv.conf /etc/resolv.conf 
diff --git a/.archive/zzzz_ciss_pgp_signer.hook.binary b/scripts/usr/lib/live/build/binary_checksums.sh similarity index 75% rename from .archive/zzzz_ciss_pgp_signer.hook.binary rename to scripts/usr/lib/live/build/binary_checksums.sh index 7366846..c7f7f81 100644 --- a/.archive/zzzz_ciss_pgp_signer.hook.binary +++ b/scripts/usr/lib/live/build/binary_checksums.sh @@ -1,19 +1,32 @@ -#!/bin/bash +#!/bin/sh +# bashsupport disable=BP5007 + # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency -# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileCopyrightText: 2006-2015 Daniel Baumann # SPDX-FileType: SOURCE -# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -Ceuo pipefail +## Modified Version of the original file: + +## live-build(7) - System Build Scripts +## Copyright (C) 2016-2020 The Debian Live team +## Copyright (C) 2006-2015 Daniel Baumann +## +## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING. +## This is free software, and you are welcome to redistribute it +## under certain conditions; see COPYING for details. + +set -e ### Including common functions. -if [[ -e "${LIVE_BUILD}/scripts/build.sh" ]]; then +# shellcheck disable=SC2292 +if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then . "${LIVE_BUILD}/scripts/build.sh" else . /usr/lib/live/build.sh 
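Review bot: The `# shellcheck disable=SC2292` placed above `if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then` is one copy of a file-wide decision that is then repeated before every `[ … ]` test in the @@ -28 and @@ -55 hunks of this file and in all the binary_rootfs.sh hunks, which makes the hunks noisy without saying why. SC2292 ("prefer [[ ]]") is an optional check that ShellCheck only reports when it lints in bash/ksh dialect, so with the new `#!/bin/sh` shebang honoured these directives appear to be no-ops; if the linter is forced to bash dialect (the `# bashsupport disable=BP5007` line suggests an IDE integration), one directive after the shebang, `# shellcheck shell=sh`, or a file-level `# shellcheck disable=SC2292` before the first command, would replace every per-line copy and document the reason once. Worth stating in that single comment that `[` is used because the script now runs under dash rather than bash.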
@@ -28,11 +41,13 @@ USAGE="${PROGRAM} [--force]" ### Processing arguments and configuration files. Init_config_data "${@}" -if [[ "${LB_CHECKSUMS}" = "none" ]]; then +# shellcheck disable=SC2292 +if [ "${LB_CHECKSUMS}" = "none" ]; then exit 0 fi -if [[ "${LB_INITRAMFS}" = "dracut-live" ]]; then +# shellcheck disable=SC2292 +if [ "${LB_INITRAMFS}" = "dracut-live" ]; then ### The checksums will be generated by binary_iso. exit 0 fi @@ -55,7 +70,8 @@ for CHECKSUM in ${LB_CHECKSUMS}; do Echo_message "Begin creating binary ${CHECKSUMS} ..." ### Remove old checksums. - if [[ -f "binary/${CHECKSUMS}" ]]; then + # shellcheck disable=SC2292 + if [ -f "binary/${CHECKSUMS}" ]; then rm -f "binary/${CHECKSUMS}" @@ -63,6 +79,7 @@ for CHECKSUM in ${LB_CHECKSUMS}; do ### Calculating checksums. cd binary + # shellcheck disable=SC2312 find . -type f \ \! -path './isolinux/isolinux.bin' \ \! -path './boot/boot.bin' \ @@ -98,6 +115,7 @@ done ### File list. cd binary +# shellcheck disable=SC2312 find . | sed -e 's|^.||g' | grep "^/" | LC_ALL=C sort > ../"${LB_IMAGE_NAME}-${LB_ARCHITECTURE}.contents" cd "${OLDPWD}" diff --git a/scripts/usr/lib/live/build/binary_rootfs.sh b/scripts/usr/lib/live/build/binary_rootfs.sh index 2371dbb..65b04cd 100644 --- a/scripts/usr/lib/live/build/binary_rootfs.sh +++ b/scripts/usr/lib/live/build/binary_rootfs.sh @@ -1,4 +1,6 @@ #!/bin/sh +# bashsupport disable=BP5007 + # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git @@ -22,7 +24,8 @@ set -e -# Including common functions +# Including common functions. +# shellcheck disable=SC2292 if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then . "${LIVE_BUILD}/scripts/build.sh" else @@ -74,6 +77,7 @@ esac # Creating directory mkdir -p "binary/${INITFS}" +# shellcheck disable=SC2292 if In_list "rootfs" "${LB_CACHE_STAGES}" && [ -d cache/binary_rootfs ] then # Removing old chroot 
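Review bot: The `# shellcheck disable=SC2312` added above `find . -type f \` in the @@ -63 hunk and above `find . | sed -e 's|^.||g' | grep "^/" | LC_ALL=C sort > ../"${LB_IMAGE_NAME}-${LB_ARCHITECTURE}.contents"` in the @@ -98 hunk silences a warning that points at a real gap rather than a false positive: the script now runs under `set -e` alone (the earlier `set -Ceuo pipefail` was dropped in this file's first hunk), so only the last pipeline stage is checked and a `find` that fails part-way still lets the build continue with a checksum or contents file that is silently incomplete. Since these files are the integrity data shipped with the image, a truncated checksum list is a worse outcome than a failed build. dash may not provide `set -o pipefail`, so the portable fix is to run `find` on its own into a temporary listing under a `|| exit 1` check and feed that listing to the sort/checksum stages, instead of disabling the warning; the remainder of the `find` command in the @@ -63 hunk is outside the hunk, so the exact rewrite depends on the stages that follow it.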
@@ -100,6 +104,7 @@ case "${LB_CHROOT_FILESYSTEM}" in Install_packages # Remove old image + # shellcheck disable=SC2292 if [ -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" ] then rm -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" @@ -135,6 +140,7 @@ case "${LB_CHROOT_FILESYSTEM}" in FAKE_MTAB=true fi BLOCK_SIZE=1024 + # shellcheck disable=SC2292 if [ "${LB_DM_VERITY}" = "true" ] then # Module dm-verity needs a block size of at least 4k @@ -162,6 +168,7 @@ case "${LB_CHROOT_FILESYSTEM}" in # Removing depends Remove_packages + # shellcheck disable=SC2292 if [ -e chroot/chroot.cache ] then Remove_lockfile @@ -208,11 +215,13 @@ case "${LB_CHROOT_FILESYSTEM}" in Install_packages # Remove old jffs2 image + # shellcheck disable=SC2292 if [ -f "binary/${INITFS}/filesystem.jffs2" ] then rm -f "binary/${INITFS}/filesystem.jffs2" fi + # shellcheck disable=SC2292 if [ -n "${LB_JFFS2_ERASEBLOCK}" ] then JFFS2_OPTIONS="--eraseblock=${LB_JFFS2_ERASEBLOCK}" @@ -228,6 +237,7 @@ case "${LB_CHROOT_FILESYSTEM}" in # Removing depends Remove_packages + # shellcheck disable=SC2292 if [ -e chroot/chroot.cache ] then Remove_lockfile @@ -256,6 +266,7 @@ case "${LB_CHROOT_FILESYSTEM}" in ;; plain) + # shellcheck disable=SC2292 if [ -d "binary/${INITFS}/filesystem.dir" ] then rm -rf "binary/${INITFS}/filesystem.dir" @@ -263,6 +274,7 @@ case "${LB_CHROOT_FILESYSTEM}" in case "${LB_BUILD_WITH_CHROOT}" in true) + # shellcheck disable=SC2292 if [ -e chroot/chroot.cache ] then # Different from the other LB_CHROOT_FILESYSTEM values: @@ -298,6 +310,7 @@ case "${LB_CHROOT_FILESYSTEM}" in Echo_message "This may take a while." # Remove old squashfs image + # shellcheck disable=SC2292 if [ -f "binary/${INITFS}/filesystem.squashfs" ] then rm -f "binary/${INITFS}/filesystem.squashfs" 
@@ -309,16 +322,19 @@ case "${LB_CHROOT_FILESYSTEM}" in # Do not display the progress bar if: # - Run with --quiet, or # - stdin is not a terminal (e.g., in CI, cron, etc.) + # shellcheck disable=SC2292 if [ "${_QUIET}" = "true" ] || [ ! -t 0 ] then MKSQUASHFS_OPTIONS="-no-progress ${MKSQUASHFS_OPTIONS}" fi + # shellcheck disable=SC2292 if [ "${_VERBOSE}" = "true" ] then MKSQUASHFS_OPTIONS="-info ${MKSQUASHFS_OPTIONS}" fi + # shellcheck disable=SC2292 if [ -f config/rootfs/squashfs.sort ] then MKSQUASHFS_OPTIONS="-sort squashfs.sort ${MKSQUASHFS_OPTIONS}" @@ -335,6 +351,7 @@ case "${LB_CHROOT_FILESYSTEM}" in fi # Set squashfs compression type or default to xz + # shellcheck disable=SC2292 if [ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE}" ] then MKSQUASHFS_OPTIONS="-comp ${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE} ${MKSQUASHFS_OPTIONS}" @@ -342,6 +359,7 @@ case "${LB_CHROOT_FILESYSTEM}" in MKSQUASHFS_OPTIONS="-comp xz ${MKSQUASHFS_OPTIONS}" fi + # shellcheck disable=SC2292 if [ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL}" ] then MKSQUASHFS_OPTIONS="-Xcompression-level ${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL} ${MKSQUASHFS_OPTIONS}" @@ -349,6 +367,7 @@ case "${LB_CHROOT_FILESYSTEM}" in case "${LB_BUILD_WITH_CHROOT}" in true) + # shellcheck disable=SC2292 if [ -e config/rootfs/excludes ] then @@ -384,6 +403,7 @@ case "${LB_CHROOT_FILESYSTEM}" in # Removing depends Remove_packages + # shellcheck disable=SC2292 if [ -e chroot/chroot.cache ] then Remove_lockfile @@ -403,6 +423,7 @@ case "${LB_CHROOT_FILESYSTEM}" in ;; false) + # shellcheck disable=SC2292 if [ -e config/rootfs/excludes ] then MKSQUASHFS_OPTIONS="-wildcards -ef config/rootfs/excludes ${MKSQUASHFS_OPTIONS}" @@ -419,6 +440,7 @@ case "${LB_CHROOT_FILESYSTEM}" in ;; none) + # shellcheck disable=SC2292 if [ -d binary ] then rm -rf binary 
@@ -444,6 +466,7 @@ then mkdir -p cache/binary_rootfs + # shellcheck disable=SC2292 if [ "${LB_CHROOT_FILESYSTEM}" != "none" ] then cp -a binary/"${INITFS}"/filesystem.* cache/binary_rootfs