V8.13.536.2025.12.04
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -183,6 +183,7 @@ jobs:
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
|
||||
|
||||
@@ -196,6 +197,7 @@ jobs:
|
||||
echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}" >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
|
||||
echo "${{ secrets.CISS_PHYS_AGE }}" >| /dev/shm/cdlb_secrets/keys.txt
|
||||
echo "${{ secrets.CISS_PHYS_LUKS }}" >| /dev/shm/cdlb_secrets/luks.txt
|
||||
echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}" >| /dev/shm/cdlb_secrets/signing_ca.asc
|
||||
echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}" >| /dev/shm/cdlb_secrets/signing_key.asc
|
||||
echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}" >| /dev/shm/cdlb_secrets/signing_key_pass.txt
|
||||
|
||||
@@ -205,16 +207,19 @@ jobs:
|
||||
chmod 0700 ciss_live_builder.sh
|
||||
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
|
||||
### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
|
||||
chmod 0400 /dev/shm/cdlb_secrets/*
|
||||
./ciss_live_builder.sh \
|
||||
--architecture amd64 \
|
||||
--autobuild=6.17.8+deb13-amd64 \
|
||||
--build-directory /opt/cdlb \
|
||||
--cdi \
|
||||
--change-splash hexagon \
|
||||
--control "${timestamp}" \
|
||||
--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
|
||||
--key_age=keys.txt \
|
||||
--key_luks=luks.txt \
|
||||
--root-password-file /dev/shm/cdlb_secrets/password.txt \
|
||||
--signing_ca=signing_ca.asc \
|
||||
--signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
|
||||
--signing_key_pass=signing_key_pass.txt \
|
||||
--signing_key=signing_key.asc \
|
||||
|
||||
11
README.md
11
README.md
@@ -30,7 +30,7 @@ include_toc: true
|
||||
**Build**: V8.13.536.2025.12.04<br>
|
||||
|
||||
**CISS.debian.live.builder — First of its own.**<br>
|
||||
**World-class CIA designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
|
||||
**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
|
||||
|
||||
Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed
|
||||
to serve as a reference implementation for hardened, image-based Debian deployments.
|
||||
@@ -58,6 +58,15 @@ validation is enforced in a fail-closed manner: zones with invalid or broken sig
|
||||
silently downgraded. Multicast name resolution via ``mDNS`` and ``LLMNR`` is disabled globally to avoid unintended name leakage
|
||||
and spoofing surfaces.
|
||||
|
||||
Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
|
||||
(`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
|
||||
line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure
|
||||
that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and
|
||||
transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are
|
||||
wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the
|
||||
encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via
|
||||
named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings.
|
||||
|
||||
Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
|
||||
* [CenturionDNS Resolver](https://eddns.eu/)
|
||||
* [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt)
|
||||
|
||||
Reference in New Issue
Block a user