From 45f73f0d3376aeb1433aa372aa1426f560f3edecccb941d66615be99741b00a1 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Thu, 4 Dec 2025 23:32:27 +0100
Subject: [PATCH] V8.13.536.2025.12.04

Signed-off-by: Marc S. Weidner
---
 .gitea/workflows/generate_PRIVATE_trixie_1.yaml | 5 +++++
 README.md | 11 ++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index 316f173..5dfe5b7 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -183,6 +183,7 @@ jobs:
 install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
 install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
 install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
 install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
 install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
@@ -196,6 +197,7 @@ jobs:
 echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}" >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
 echo "${{ secrets.CISS_PHYS_AGE }}" >| /dev/shm/cdlb_secrets/keys.txt
 echo "${{ secrets.CISS_PHYS_LUKS }}" >| /dev/shm/cdlb_secrets/luks.txt
+ echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}" >| /dev/shm/cdlb_secrets/signing_ca.asc
 echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}" >| /dev/shm/cdlb_secrets/signing_key.asc
 echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}" >| /dev/shm/cdlb_secrets/signing_key_pass.txt
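Review bot: The added `echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}" >| /dev/shm/cdlb_secrets/signing_ca.asc` splices the secret's text into the shell script before the step runs (as far as Gitea Actions follows GitHub expression semantics), so the written file is only correct if the secret contains no `"`, `$`, or backtick characters; an ASCII-armored key normally has none, but the identical pattern on the neighbouring lines writes a private key and a passphrase, where that assumption is weaker. The robust form is to map the secret in the step's `env:` block and write it with `printf '%s\n' "$PGP_CISS_CA_PUBLIC_KEY" >| /dev/shm/cdlb_secrets/signing_ca.asc`, which also sidesteps `echo`'s implementation-defined handling of backslashes and a leading `-`. The enclosing `run:` block starts before this hunk, so whether an `env:` mapping already exists for the step is not visible here.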
@@ -205,16 +207,19 @@ jobs:
 chmod 0700 ciss_live_builder.sh
 timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
 ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+ chmod 0400 /dev/shm/cdlb_secrets/*
 ./ciss_live_builder.sh \
 --architecture amd64 \
 --autobuild=6.17.8+deb13-amd64 \
 --build-directory /opt/cdlb \
 --cdi \
+ --change-splash hexagon \
 --control "${timestamp}" \
 --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
 --key_age=keys.txt \
 --key_luks=luks.txt \
 --root-password-file /dev/shm/cdlb_secrets/password.txt \
+ --signing_ca=signing_ca.asc \
 --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
 --signing_key_pass=signing_key_pass.txt \
 --signing_key=signing_key.asc \
diff --git a/README.md b/README.md
index a7f4441..fec527f 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ include_toc: true
 **Build**: V8.13.536.2025.12.04
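Review bot: The new `--signing_ca=signing_ca.asc` takes its trust anchor from the repository secret `PGP_CISS_CA_PUBLIC_KEY` (written two hunks earlier), so anyone who can edit repository secrets can replace the CA without a reviewable change in version control, whereas the signing key itself is pinned through `--signing_key_fpr`. Consider committing the CA fingerprint as a plain value and failing the step when the imported file does not match, e.g. right before the builder call: `gpg --show-keys --with-colons /dev/shm/cdlb_secrets/signing_ca.asc | grep -q "^fpr:::::::::${CISS_CA_FPR}:$" || exit 1` (or an equivalent `--signing_ca_fpr` option if `ciss_live_builder.sh` offers one; its interface is not visible here). Separately, `chmod 0400 /dev/shm/cdlb_secrets/*` only tightens the files; on the world-writable `/dev/shm` it is the directory's own mode, set outside this hunk, that stops other local users from listing the secret file names, so a `chmod 0700 /dev/shm/cdlb_secrets` beside it would make that intent explicit if it is not already enforced earlier.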
**CISS.debian.live.builder — First of its own.**
-**World-class CIA designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
+**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
 Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed to serve as a reference implementation for hardened, image-based Debian deployments.
@@ -58,6 +58,15 @@ validation is enforced in a fail-closed manner: zones with invalid or broken sig
 silently downgraded. Multicast name resolution via ``mDNS`` and ``LLMNR`` is disabled globally to avoid unintended name leakage and spoofing surfaces.
+Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
+(`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
+line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure
+that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and
+transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are
+wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the
+encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via
+named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings.
+
 Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
 * [CenturionDNS Resolver](https://eddns.eu/)
 * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt)