V8.13.440.2025.11.19

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-23 10:40:07 +00:00
parent 8852295c83
commit 4c3a242069
11 changed files with 99 additions and 22 deletions
--- a/config/includes.chroot/etc/ciss/hashes/.keep
+++ b/config/includes.chroot/etc/ciss/hashes/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-23; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/etc/ciss/signatures/.keep
+++ b/config/includes.chroot/etc/ciss/signatures/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-23; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
+++ b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
@@ -28,7 +28,9 @@ esac


 ### Ensure directory structure in initramfs ------------------------------------------------------------------------------------
+install -d -m 0755  "${DESTDIR}/etc/ciss/hashes"
 install -d -m 0755  "${DESTDIR}/etc/ciss/keys"
+install -d -m 0755  "${DESTDIR}/etc/ciss/signatures"
 install -d -m 0755  "${DESTDIR}/etc/initramfs-tools/conf.d"
 install -d -m 0755  "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
 install -d -m 0755  "${DESTDIR}/usr/bin"
@@ -56,7 +58,7 @@ for dir in bin usr/bin; do
 done


-### Install GPG signing keys ---------------------------------------------------------------------------------------------------
+### Install GPG keys -----------------------------------------------------------------------------------------------------------
 src_dir="/etc/ciss/keys"
 dst_dir="${DESTDIR}/etc/ciss/keys"
 key=""
@@ -77,6 +79,51 @@ if [ -d "${src_dir}" ]; then

 fi

+
+### Install GPG signatures -----------------------------------------------------------------------------------------------------
+src_dir="/etc/ciss/signatures"
+dst_dir="${DESTDIR}/etc/ciss/signatures"
+sig=""
+
+if [ -d "${src_dir}" ]; then
+
+  install -d -m 0755 "${dst_dir}"
+
+  for sig in "${src_dir}"/*.sig; do
+
+    [ -e "${sig}" ] || continue
+
+    install -m 0444 "${sig}" "${dst_dir}/"
+
+    printf '\e[92mSuccessfully executed: [install -m 0444 %s %s]\n\e[0m' "${sig}" "${dst_dir}"
+
+  done
+
+fi
+
+
+### Install SHA hashes ---------------------------------------------------------------------------------------------------------
+src_dir="/etc/ciss/hashes"
+dst_dir="${DESTDIR}/etc/ciss/hashes"
+hash=""
+
+if [ -d "${src_dir}" ]; then
+
+  install -d -m 0755 "${dst_dir}"
+
+  for hash in "${src_dir}"/*sha*sum.txt; do
+
+    [ -e "${hash}" ] || continue
+
+    install -m 0444 "${hash}" "${dst_dir}/"
+
+    printf '\e[92mSuccessfully executed: [install -m 0444 %s %s]\n\e[0m' "${hash}" "${dst_dir}"
+
+  done
+
+fi
+
+
 ### Install Dropbear configuration ---------------------------------------------------------------------------------------------
 install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}"
@@ -95,6 +142,10 @@ printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files
 install -m 0444 /etc/banner "${DESTDIR}/etc/dropbear/banner"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"

+### Install Dropbear Banner ----------------------------------------------------------------------------------------------------
+install -m 0444 /etc/banner "${DESTDIR}/etc/dropbear/banner"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"
+
 ### EOS

 printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m"
--- a/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs
+++ b/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs
@@ -23,7 +23,7 @@ set -eu

 sleep 3

-printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] ... \n\e[0m"
+printf "\e[95m[INFO] Starting            : [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m"

 ### Declare variables ----------------------------------------------------------------------------------------------------------
 OVERLAY_BASE="/run/live/overlay"
--- a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
+++ b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
@@ -21,7 +21,7 @@ _SAVED_SET_OPTS="$(set +o)"

 set -eu

-printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0024-ciss-crypt-squash] ... \n\e[0m"
+printf "\e[95m[INFO] Starting            : [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"

 #######################################
 # Ask for a passphrase on /dev/console, mask input with '*'.
--- a/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl
+++ b/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl
@@ -21,7 +21,7 @@ _SAVED_SET_OPTS="$(set +o)"

 set -eu

-printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] ... \n\e[0m"
+printf "\e[95m[INFO] Starting            : [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"

 echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
 echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
--- a/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums
+++ b/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums
@@ -29,7 +29,7 @@
 #   0 : Successful verification
 #######################################
 Verify_checksums() {
-  printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0030-ciss-verify-checksums] ... \n\e[0m"
+  printf "\e[95m[INFO] Starting            : [/usr/lib/live/boot/0030-ciss-verify-checksums] \n\e[0m"

  ### Declare variables --------------------------------------------------------------------------------------------------------

@@ -48,6 +48,7 @@ Verify_checksums() {
  #######################################
  log_in() { printf '\e[95m[INFO]  %s \n\e[0m' "$*"; }

+
  #######################################
  # Helper for colored text output on stdout.
  # Globals:
@@ -162,7 +163,7 @@ Verify_checksums() {
    CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}"
    CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}"
    CDLB_SCRIPT_FULL="${CDLB_SCRIPT_PATH%/}/${CDLB_SCRIPT_FILE}"
-    CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
+    CDLB_HASHFILE="/etc/ciss/hashes/${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
    CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"

    _STATUS="$(/usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 --verify "${CDLB_SIG_FILE}" "${CDLB_SCRIPT_FULL}" 2>/dev/null)"
--- a/config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest
+++ b/config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest
@@ -21,7 +21,7 @@ _SAVED_SET_OPTS="$(set +o)"

 set -eu

-printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0042-ciss-post-decrypt-attest] ... \n\e[0m"
+printf "\e[95m[INFO] Starting            : [/usr/lib/live/boot/0042-ciss-post-decrypt-attest] \n\e[0m"

 ### Declare variables ----------------------------------------------------------------------------------------------------------

--- a/config/includes.chroot/usr/lib/live/boot/9990-main.sh
+++ b/config/includes.chroot/usr/lib/live/boot/9990-main.sh
@@ -20,11 +20,11 @@

 # set -e

-printf "\e[95m[INFO] Sourcing: [/usr/lib/live/boot/9990-main.sh] ... \n\e[0m"
+printf "\e[95m[INFO] Sourcing            : [/usr/lib/live/boot/9990-main.sh] \n\e[0m"

 Live ()
 {
-  printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/9990-main.sh] ... \n\e[0m"
+  printf "\e[95m[INFO] Starting            : [/usr/lib/live/boot/9990-main.sh] \n\e[0m"

  if [ -x /scripts/local-top/cryptroot ]
  then
@@ -56,12 +56,12 @@ Live ()
  # Needed here too because some things (*cough* udev *cough*)
  # change the timeout

-  printf "\e[93m[DEBUG] live(): Before do_netmount() pp. \e[0m\n" >&2
+  printf "\e[93m[DEBUG] live(): Before do_netmount() pp. \e[0m\n"
  if [ -n "${NETBOOT}" ] || [ -n "${FETCH}" ] || [ -n "${HTTPFS}" ] || [ -n "${FTPFS}" ]
  then
    if do_netmount
    then
-      printf "\e[93m[DEBUG] live(): [livefs_root=%s] \e[0m\n" "${mountpoint?}" >&2
+      printf "\e[93m[DEBUG] live(): [livefs_root=%s] \e[0m\n" "${mountpoint?}"
      livefs_root="${mountpoint?}"
    else
      panic "Unable to find a live file system on the network"
@@ -69,15 +69,15 @@ Live ()
  else
    if [ -n "${ISCSI_PORTAL}" ]
    then
-      printf "\e[93m[DEBUG] live(): [do_iscsi && livefs_root=%s] \e[0m\n" "${mountpoint?}" >&2
+      printf "\e[93m[DEBUG] live(): [do_iscsi && livefs_root=%s] \e[0m\n" "${mountpoint?}"
      do_iscsi && livefs_root="${mountpoint}"
    elif [ -n "${PLAIN_ROOT}" ] && [ -n "${ROOT}" ]
    then
      # Do a local boot from hd
-      printf "\e[93m[DEBUG] live(): Do a local boot from hd [livefs_root=%s] \e[0m\n" "${ROOT?}" >&2
+      printf "\e[93m[DEBUG] live(): Do a local boot from hd [livefs_root=%s] \e[0m\n" "${ROOT?}"
      livefs_root=${ROOT}
    else
-      printf "\e[93m[DEBUG] live(): [Setup_Memdisk] \e[0m\n" >&2
+      printf "\e[93m[DEBUG] live(): [Setup_Memdisk] \e[0m\n"
      Setup_Memdisk

      # If the live media location is given via command line and access to it
@@ -130,7 +130,7 @@ Live ()
    panic "Unable to find a medium containing a live file system"
  fi

-  printf "\e[93m[DEBUG] live(): Before [Verify_checksums %s] \e[0m\n" "${livefs_root}" >&2
+  printf "\e[93m[DEBUG] live(): Before [Verify_checksums %s] \e[0m\n" "${livefs_root}"
  Verify_checksums "${livefs_root}"

  # shellcheck disable=SC2244
@@ -166,16 +166,16 @@ Live ()
    fi
  fi

-  printf "\e[93m[DBG] Live(): before overlay, live_dest=%s \e[0m\n" "${live_dest:-<none>}" >&2
-  printf "\e[93m[DBG] Live(): MODULETORAMFILE=%s PLAIN_ROOT=%s \e[0m\n" "${MODULETORAMFILE}" "${PLAIN_ROOT}" >&2
+  printf "\e[93m[DBG] Live(): before overlay, live_dest=%s \e[0m\n" "${live_dest:-<none>}"
+  printf "\e[93m[DBG] Live(): MODULETORAMFILE=%s PLAIN_ROOT=%s \e[0m\n" "${MODULETORAMFILE}" "${PLAIN_ROOT}"
  if [ -n "${MODULETORAMFILE}" ] || [ -n "${PLAIN_ROOT}" ]
  then
-    printf "\e[93m[DBG] Live(): setup_unionfs livefs_root=%s rootmnt=%s \e[0m\n" "${livefs_root}" "${rootmnt?}" >&2
+    printf "\e[93m[DBG] Live(): setup_unionfs livefs_root=%s rootmnt=%s \e[0m\n" "${livefs_root}" "${rootmnt?}"
    setup_unionfs "${livefs_root}" "${rootmnt?}"
  else
    mac="$(get_mac)"
    mac="$(echo "${mac}" | sed 's/-//g')"
-    printf "\e[93m[DBG] Live(): mount_images_in_directory livefs_root=%s rootmnt=%s mac=%s \e[0m\n" "${livefs_root}" "${rootmnt}" "${mac}" >&2
+    printf "\e[93m[DBG] Live(): mount_images_in_directory livefs_root=%s rootmnt=%s mac=%s \e[0m\n" "${livefs_root}" "${rootmnt}" "${mac}"
    mount_images_in_directory "${livefs_root}" "${rootmnt}" "${mac}"
  fi

--- a/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh
+++ b/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh
@@ -20,11 +20,11 @@

 #set -e

-printf "\e[95m[INFO] Sourcing: [/usr/lib/live/boot/9990-overlay.sh] ... \n\e[0m"
+printf "\e[95m[INFO] Sourcing            : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"

 setup_unionfs ()
 {
-  printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/9990-overlay.sh] ... \n\e[0m"
+  printf "\e[95m[INFO] Starting            : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"

  image_directory="${1}"
  rootmnt="${2}"
--- a/lib/lib_ciss_upgrades_boot.sh
+++ b/lib/lib_ciss_upgrades_boot.sh
@@ -58,6 +58,11 @@ ciss_upgrades_boot() {

  done

+  mv "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums.sha512sum.txt" \
+    "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/hashes/0030-ciss-verify-checksums.sha512sum.txt"
+  mv "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums.sha512sum.txt.sig" \
+    "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/signatures/0030-ciss-verify-checksums.sha512sum.txt.sig"
+
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0