V8.13.408.2025.11.13
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -433,6 +433,12 @@ arg_parser() {
|
||||
shift 2
|
||||
;;
|
||||
|
||||
--signing_ca=*)
|
||||
# shellcheck disable=SC2034
|
||||
declare -gx VAR_SIGNING_CA="${1#*=}"
|
||||
shift 1
|
||||
;;
|
||||
|
||||
--signing_key=*)
|
||||
# shellcheck disable=SC2034
|
||||
declare -gx VAR_SIGNER="true"
|
||||
|
||||
@@ -44,7 +44,7 @@ cdi() {
|
||||
tmp_entry="$(mktemp)"
|
||||
cat << EOF >| "${tmp_entry}"
|
||||
menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
|
||||
linux /live/vmlinuz-${VAR_KERNEL} boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
|
||||
linux /live/vmlinuz-${VAR_KERNEL} boot=live ciss_iso_label=CISS.debian.live ciss_crypt_path=/live/ciss_rootfs.crypt components ip=dhcp keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
|
||||
initrd /live/initrd.img-${VAR_KERNEL}
|
||||
}
|
||||
EOF
|
||||
|
||||
@@ -25,6 +25,12 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
|
||||
x_remove() {
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
|
||||
|
||||
declare _old_nullglob="" _old_dotglob=""
|
||||
|
||||
### Enable nullglob/dotglob, disable failglob for safe globbing.
|
||||
_old_nullglob="$(shopt -p nullglob || true)"
|
||||
_old_dotglob="$( shopt -p dotglob || true)"
|
||||
|
||||
shopt -s nullglob dotglob
|
||||
|
||||
if [[ "${VAR_SIGNER}" == "true" ]]; then
|
||||
@@ -45,7 +51,8 @@ x_remove() {
|
||||
|
||||
fi
|
||||
|
||||
shopt -u nullglob dotglob
|
||||
eval "${_old_nullglob}" 2>/dev/null || true
|
||||
eval "${_old_dotglob}" 2>/dev/null || true
|
||||
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
|
||||
|
||||
|
||||
68
lib/lib_ciss_signatures.sh
Normal file
68
lib/lib_ciss_signatures.sh
Normal file
@@ -0,0 +1,68 @@
|
||||
#!/bin/bash
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.live.builder
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
guard_sourcing || return "${ERR_GUARD_SRCE}"
|
||||
|
||||
#######################################
|
||||
# MUST be executed before 'ciss_upgrades_boot()'.
|
||||
# Module to export GPG FPRs into scripts:
|
||||
# - /etc/initramfs-tools/files/unlock_wrapper.sh
|
||||
# - /usr/lib/live/boot/0030-ciss-verify-checksums
|
||||
# - /usr/lib/live/boot/0042-ciss-post-decrypt-attest
|
||||
# Globals:
|
||||
# BASH_SOURCE
|
||||
# VAR_HANDLER_BUILD_DIR
|
||||
# VAR_SIGNING_CA
|
||||
# VAR_SIGNING_CA_FPR
|
||||
# VAR_SIGNING_KEY_FPR
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
#######################################
|
||||
ciss_signatures() {
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
|
||||
|
||||
declare -ar _ary_target=(
|
||||
"/etc/initramfs-tools/files/unlock_wrapper.sh"
|
||||
"/usr/lib/live/boot/0030-ciss-verify-checksums"
|
||||
"/usr/lib/live/boot/0042-ciss-post-decrypt-attest"
|
||||
)
|
||||
|
||||
declare _target="" target=""
|
||||
|
||||
for _target in "${_ary_target[@]}"; do
|
||||
|
||||
declare target="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/${_target}"
|
||||
|
||||
sed -i -e "s|@EXP_FPR@|${VAR_SIGNING_KEY_FPR}|g" "${target}"
|
||||
|
||||
if [[ -n "${VAR_SIGNING_CA}" ]]; then
|
||||
|
||||
sed -i -e "s|@EXP_CA_FPR@|${VAR_SIGNING_CA_FPR}|g" "${target}"
|
||||
|
||||
else
|
||||
|
||||
sed -i -e '/@EXP_CA_FPR@/d' "${target}"
|
||||
|
||||
fi
|
||||
|
||||
done
|
||||
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
|
||||
|
||||
return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f ciss_signatures
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-11-06; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
@@ -13,7 +13,10 @@
|
||||
guard_sourcing || return "${ERR_GUARD_SRCE}"
|
||||
|
||||
#######################################
|
||||
# Integrates primordial SSH identity- and / or ssh_host-files.
|
||||
# Integrates and generates sha512sum and GPG signatures on CISS specific LIVE boot artifacts:
|
||||
# - /.ciss/attestation/VAR_SIGNING_KEY_FPR.*
|
||||
# - /etc/initramfs-tools/files/unlock_wrapper.sh
|
||||
# - /usr/lib/live/boot/0030-ciss-verify-checksums
|
||||
# Globals:
|
||||
# BASH_SOURCE
|
||||
# VAR_HANDLER_BUILD_DIR
|
||||
@@ -28,25 +31,30 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
|
||||
ciss_upgrades_boot() {
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
|
||||
|
||||
### Updates '/usr/lib/live/boot/0030-verify-checksums'.
|
||||
if [[ ! -f "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" ]]; then
|
||||
declare -ar _ary_target=(
|
||||
"/.ciss/attestation/${VAR_SIGNING_KEY_FPR}.gpg"
|
||||
"/etc/initramfs-tools/files/unlock_wrapper.sh"
|
||||
"/usr/lib/live/boot/0030-ciss-verify-checksums"
|
||||
)
|
||||
|
||||
install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot"
|
||||
declare _target="" target=""
|
||||
|
||||
install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/lib/live/boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
|
||||
for _target in "${_ary_target[@]}"; do
|
||||
|
||||
fi
|
||||
declare target="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/${_target}"
|
||||
|
||||
declare var_sha="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512sum.txt"
|
||||
declare var_sig="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512sum.txt.sig"
|
||||
declare var_fil="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
|
||||
declare var_prefix="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
|
||||
declare var_sha="${target}sha512sum.txt"
|
||||
declare var_sig="${var_sig}.sig"
|
||||
declare var_fil="${target}"
|
||||
declare var_prefix="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
|
||||
|
||||
# shellcheck disable=SC2312
|
||||
sha512sum "${var_fil}" | sed "s|${var_prefix}||" >| "${var_sha}"
|
||||
# shellcheck disable=SC2312
|
||||
sha512sum "${var_fil}" | sed "s|${var_prefix}||" >| "${var_sha}"
|
||||
|
||||
gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
|
||||
--detach-sign --output "${var_sig}" "${var_sha}"
|
||||
gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
|
||||
--detach-sign --output "${var_sig}" "${var_sha}"
|
||||
|
||||
done
|
||||
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
|
||||
|
||||
|
||||
@@ -21,6 +21,8 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
|
||||
# VAR_EARLY_DEBUG
|
||||
# VAR_HANDLER_BUILD_DIR
|
||||
# VAR_SIGNER
|
||||
# VAR_SIGNING_CA
|
||||
# VAR_SIGNING_CA_FPR
|
||||
# VAR_SIGNING_KEY
|
||||
# VAR_SIGNING_KEY_FPR
|
||||
# VAR_SIGNING_KEY_PASS
|
||||
@@ -43,7 +45,7 @@ init_gnupg() {
|
||||
umask 0077
|
||||
|
||||
### Avoid collision with Gitea runner workflows.
|
||||
if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
|
||||
if [[ "${VAR_CDLB_INSIDE_RUNNER}" != "true" ]]; then
|
||||
|
||||
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔐 VAR_CDLB_INSIDE_RUNNER: [%s] \e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}"
|
||||
|
||||
@@ -92,14 +94,34 @@ EOF
|
||||
|
||||
fi
|
||||
|
||||
### Optionally, import offline GPG CA public keys.
|
||||
if [[ -n "${VAR_SIGNING_CA}" ]]; then
|
||||
|
||||
# shellcheck disable=SC2155
|
||||
declare -gx VAR_SIGNING_CA_FPR="$(
|
||||
gpg --batch --with-colons --import-options show-only --import "${VAR_TMP_SECRET}/${VAR_SIGNING_CA}" \
|
||||
| awk -F: '$1=="pub"{seen_pub=1; next} seen_pub && $1=="fpr"{print $10; exit}'
|
||||
)"
|
||||
|
||||
if ! gpg --batch --import "${VAR_TMP_SECRET}/${VAR_SIGNING_CA}"; then
|
||||
|
||||
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed to import CA public key. \e[0m\n"
|
||||
return "${ERR_GPG__AGENT}"
|
||||
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
|
||||
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_CA}"
|
||||
|
||||
### Export public key for verification inside ISO / chroot.
|
||||
install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
|
||||
install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.binary"
|
||||
gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}.gpg"
|
||||
gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/unlock_wrapper_pubring.gpg"
|
||||
gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.gpg"
|
||||
gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/${VAR_SIGNING_KEY_FPR}.gpg"
|
||||
[[ -n "${VAR_SIGNING_CA}" ]] && gpg --batch --yes --export "${VAR_SIGNING_CA_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_CA_FPR}.gpg"
|
||||
[[ -n "${VAR_SIGNING_CA}" ]] && gpg --batch --yes --export "${VAR_SIGNING_CA_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/${VAR_SIGNING_CA_FPR}.gpg"
|
||||
|
||||
umask "${__umask}"
|
||||
__umask=""
|
||||
|
||||
@@ -45,7 +45,7 @@ lb_config_write_trixie() {
|
||||
--binary-filesystem fat32 \
|
||||
--binary-image iso-hybrid \
|
||||
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
|
||||
--bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
|
||||
--bootappend-live "boot=live ciss_iso_label=CISS.debian.live ciss_crypt_path=/live/ciss_rootfs.crypt components ip=dhcp keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
|
||||
--bootloaders grub-efi \
|
||||
--cache true \
|
||||
--checksums sha512 sha384 sha256 \
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
guard_sourcing || return "${ERR_GUARD_SRCE}"
|
||||
|
||||
#######################################
|
||||
# Integrate primordial SSH identity files.
|
||||
# Integrates CISS dropbear and SOPS Age Key and CISS and PhysNet primordial SSH identity files.
|
||||
# Globals:
|
||||
# BASH_SOURCE
|
||||
# VAR_AGE
|
||||
@@ -30,8 +30,8 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
|
||||
init_primordial() {
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
|
||||
|
||||
### Prepare CISS dropbear integration ----------------------------------------------------------------------------------------
|
||||
declare var_dropbear_version="2025.88"
|
||||
declare var_unlock_wrapper="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh"
|
||||
|
||||
install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/files"
|
||||
install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/build"
|
||||
@@ -44,15 +44,6 @@ init_primordial() {
|
||||
install -m 0444 "${VAR_WORKDIR}/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
|
||||
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.file"
|
||||
|
||||
# shellcheck disable=SC2312
|
||||
sha512sum "${VAR_WORKDIR}/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh" | awk '{print $1}' \
|
||||
>| "${var_unlock_wrapper}.sha512sum.txt"
|
||||
|
||||
gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
|
||||
--detach-sign --output "${var_unlock_wrapper}.sha512sum.txt.sig" "${var_unlock_wrapper}.sha512sum.txt"
|
||||
|
||||
gpgv --keyring "${VAR_VERIFY_KEYRING}" "${var_unlock_wrapper}.sha512sum.txt.sig" "${var_unlock_wrapper}.sha512sum.txt"
|
||||
|
||||
### Check for SOPS AGE key integration ---------------------------------------------------------------------------------------
|
||||
if [[ "${VAR_AGE,,}" == "true" ]]; then
|
||||
|
||||
|
||||
@@ -39,13 +39,13 @@ usage() {
|
||||
# shellcheck disable=SC2155
|
||||
declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}")
|
||||
# shellcheck disable=SC2155
|
||||
declare var_footer=$(center "V8.13.404.2025.11.10 2025-11-06 CDLB(1)" "${var_cols}")
|
||||
declare var_footer=$(center "V8.13.408.2025.11.13 2025-11-06 CDLB(1)" "${var_cols}")
|
||||
|
||||
{
|
||||
echo -e "\e[1;97m${var_header}\e[0m"
|
||||
echo
|
||||
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
|
||||
echo -e "\e[92mMaster V8.13.404.2025.11.10\e[0m"
|
||||
echo -e "\e[92mMaster V8.13.408.2025.11.13\e[0m"
|
||||
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
|
||||
echo
|
||||
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
|
||||
@@ -141,10 +141,11 @@ usage() {
|
||||
echo " MUST be placed in:"
|
||||
echo " </dev/shm/cdlb_secrets/password.txt>"
|
||||
echo
|
||||
echo -e "\e[97m --signing_key=* and --signing_key_fpr=*; if desired then additionally --signing_key_pass=* \e[0m"
|
||||
echo -e "\e[97m --signing_key=* and --signing_key_fpr=*. Optional: --signing_key_pass=* --signing_ca=* \e[0m"
|
||||
echo " The GPG private keyring that should be used for signing artifacts such as checksum hashes and scripts is"
|
||||
echo " specified via '--signing_key=*'. If the keyring is protected, then provide the passphrase in its own file."
|
||||
echo " Specify the fingerprint of the key to use via '--signing_key_fpr=*'."
|
||||
echo " Optionally import an offline GPG CA signing public key via: '--signing_ca=*'."
|
||||
echo " Change '*' to your desired files / fingerprint. Files MUST be placed in:"
|
||||
echo " </dev/shm/cdlb_secrets>"
|
||||
echo
|
||||
|
||||
Reference in New Issue
Block a user