From 4614d65d7cff9ce8aedf458f749f5e84b849ec7620da562210c059828b150cef Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Tue, 28 Oct 2025 17:15:07 +0100
Subject: [PATCH] V8.13.294.2025.10.28
Signed-off-by: Marc S. Weidner
---
scripts/0010_dhcp_supersede.sh | 32 +++++++-------
scripts/live-boot/0030-verify-checksums | 55 +++++++++++++++++++------
2 files changed, 59 insertions(+), 28 deletions(-)
diff --git a/scripts/0010_dhcp_supersede.sh b/scripts/0010_dhcp_supersede.sh
index 90474f3..7f80c67 100644
--- a/scripts/0010_dhcp_supersede.sh
+++ b/scripts/0010_dhcp_supersede.sh
@@ -43,34 +43,34 @@ cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcpcd.con # SPDX-Security-Contact: security@coresecret.eu ### No Global APIPA-Fallback. -noipv4ll +#noipv4ll ### A ServerID is required by RFC2131. -require dhcp_server_identifier +#require dhcp_server_identifier ### Respect the network MTU. This is applied to DHCP routes. -option interface_mtu +#option interface_mtu ### A list of options to request from the DHCP server. -option host_name -option domain_name -option domain_search -option rapid_commit - -### Most distributions have NTP support. -option ntp_servers - -### Ask server to update both A and PTR via FQDN (RFC 4702 semantics). -fqdn both - -###----------------------------------------------------------------------------------------------------------------------------- -### Global defaults for all interfaces. #option host_name #option domain_name #option domain_search +#option rapid_commit + +### Most distributions have NTP support. +#option ntp_servers ### Ask server to update both A and PTR via FQDN (RFC 4702 semantics). #fqdn both + +###----------------------------------------------------------------------------------------------------------------------------- +### Global defaults for all interfaces. +option host_name +option domain_name +option domain_search + +### Ask server to update both A and PTR via FQDN (RFC 4702 semantics). +fqdn both ###----------------------------------------------------------------------------------------------------------------------------- ### Enforce static DNS and prevent dhcpcd from writing 'resolv.conf'. diff --git a/scripts/live-boot/0030-verify-checksums b/scripts/live-boot/0030-verify-checksums index 42e19a0..266bc90 100644 --- a/scripts/live-boot/0030-verify-checksums +++ b/scripts/live-boot/0030-verify-checksums 
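Review bot: Commenting out `noipv4ll` and `require dhcp_server_identifier` in the generated dhcpcd.conf drops two hardening settings, while the comments above them ("No Global APIPA-Fallback", "A ServerID is required by RFC2131") still read as if they were in force. With both lines disabled dhcpcd uses its defaults, which as far as I know means link-local addressing is attempted when no lease arrives and DHCP replies without a server identifier are no longer rejected. If the relaxation is intended, reword the comments to match, e.g. `### APIPA fallback left at the dhcpcd default (noipv4ll disabled).`; otherwise keep `noipv4ll` and `require dhcp_server_identifier` active in the "Global defaults for all interfaces" block next to `option host_name`. The heredoc starts before and continues past this hunk.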
@@ -1,20 +1,23 @@ #!/bin/sh +# bashsupport disable=BP5007 + # SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE -# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Changed the version of https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums' +### Modified Version of the original file: +### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums' ### In case of successful verification of one of the offered checksums, proceed with booting, else panic. ####################################### -# Live build ISO with the modified checksum verification script for continuing the boot process. +# Modified checksum verification script for continuing the boot process. # Globals: # LIVE_BOOT_CMDLINE # LIVE_VERIFY_CHECKSUMS @@ -27,30 +30,40 @@ # _RETURN # _TTY # Arguments: -# $1: ${_PARAMETER} +# 1: ${_PARAMETER} # Returns: # 0 : Successful Verification ####################################### Verify_checksums() { for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do + case "${_PARAMETER}" in + live-boot.verify-checksums=* | verify-checksums=*) + LIVE_VERIFY_CHECKSUMS="true" LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}" ;; live-boot.verify-checksums | verify-checksums) + LIVE_VERIFY_CHECKSUMS="true" ;; + esac + done case "${LIVE_VERIFY_CHECKSUMS}" in - true) ;; + + true) + : + ;; *) return 0 ;; + esac _MOUNTPOINT="${1}" 
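Review bot: The function header in the second hunk still documents the argument as `${_PARAMETER}`, but the hunk's last line assigns `_MOUNTPOINT="${1}"`, and `_PARAMETER` is only the loop variable over `${LIVE_BOOT_CMDLINE}`. Since the line is edited anyway, it should read something like `# 1: mount point to verify (assigned to _MOUNTPOINT)`. The `Returns:` entry would be more accurate as `# 0 : verification succeeded, or was not requested on the kernel command line`, because the `*) return 0` arm skips the check entirely when neither `verify-checksums` form is present. Verify_checksums continues past the end of this hunk.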
@@ -63,42 +76,60 @@ Verify_checksums() { # shellcheck disable=SC2164 cd "${_MOUNTPOINT}" + # shellcheck disable=SC2001 for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do + # shellcheck disable=SC2060 _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt" for _CHECKSUM in ${_CHECKSUMS}; do + + # shellcheck disable=SC2292 if [ -e "${_CHECKSUM}" ]; then - echo "Found ${_CHECKSUM}..." > "${_TTY}" + + #echo "Found ${_CHECKSUM}..." > "${_TTY}" + log_begin_msg "Found ${_CHECKSUM}..." if [ -e "/bin/${_DIGEST}sum" ]; then - echo "Checking ${_CHECKSUM}..." > "${_TTY}" + + #echo "Checking ${_CHECKSUM}..." > "${_TTY}" + log_begin_msg "Checking ${_CHECKSUM}..." # Verify checksums + # shellcheck disable=SC2312 grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}" _RETURN="${?}" # Stop after the first verification # break 2 + else - echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}" + + #echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}" + log_begin_msg "Not found /bin/${_DIGEST}sum...." + fi + fi + done + done log_end_msg case "${_RETURN}" in + 0) - log_success_msg "Verification sha512 sha384 sha256 successful, continuing booting in 10 seconds." - sleep 10 + log_success_msg "Verification of ${_CHECKSUMS[*]} successful; continuing booting in 08 seconds." + sleep 8 return 0 ;; *) - panic "Verification failed, $(basename ${_TTY}) for more information." + panic "Verification failed, $(basename "${_TTY}") for more information." ;; + esac } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
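Review bot: The new success message expands `${_CHECKSUMS[*]}`, which is array syntax in a script whose shebang is `#!/bin/sh`; POSIX sh has no arrays, and dash or busybox ash typically abort with a "bad substitution" error, so the failure would land exactly on the path where verification succeeded. `_CHECKSUMS` is also a plain string holding both candidate file names for the last digest only, not the file that was checked. Record the name when the check runs, `_VERIFIED="${_CHECKSUM}"` next to `_RETURN="${?}"`, and print `log_success_msg "Verification of ${_VERIFIED} successful; continuing booting in 8 seconds."`. Separately, with `break 2` commented out `_RETURN` keeps only the status of the last file checked, so an earlier mismatch is masked by a later match and an earlier match is discarded by a later mismatch; consider accumulating the result instead of overwriting it. Verify_checksums starts before this hunk.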