msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.408.2025.11.13
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m8s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m31s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-13 06:26:44 +01:00
parent a362db3d78
commit 5f370c2cdb
83 changed files with 1422 additions and 877 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
scripts/usr/lib/live/boot/0030-verify-checksums → scripts/usr/lib/live/boot/0030-ciss-verify-checksums
View File

@@ -4,7 +4,7 @@
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -15,7 +15,7 @@
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
#######################################
@@ -29,7 +29,11 @@
# 0 : Successful verification
#######################################
Verify_checksums() {
printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-verify-checksums] ... \n\e[0m"
printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-ciss-verify-checksums] ... \n\e[0m"
### Will be replaced at build time:
export CDLB_EXP_FPR="@EXP_FPR@"
export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
### Declare variables --------------------------------------------------------------------------------------------------------
_MOUNTPOINT="${1}"
@@ -71,19 +75,6 @@ Verify_checksums() {
done
### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
if [ -e "${_MP}/0030-verify-checksums.gpg" ]; then
_KEYFILE="${_MP}/0030-verify-checksums.gpg"
break
fi
done
### Check if the function should be skipped ----------------------------------------------------------------------------------
case "${LIVE_VERIFY_CHECKSUMS}" in
@@ -97,13 +88,33 @@ Verify_checksums() {
esac
### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
if [ -e "${_MP}/${CDLB_EXP_FPR}.gpg" ]; then
_KEYFILE="${_MP}/${CDLB_EXP_FPR}.gpg"
if [ -e "${_MP}/${CDLB_EXP_FPR}.gpg" ]; then
_CA_KEYFILE="${_MP}/${CDLB_EXP_CA_FPR}.gpg"
fi
break
fi
done
# shellcheck disable=SC2164
cd "${_MOUNTPOINT}"
### CDLB verification of script integrity itself -----------------------------------------------------------------------------
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
log_begin_msg "Verifying integrity of: [0030-verify-checksums]"
log_begin_msg "Verifying integrity of: [0030-ciss-verify-checksums]"
printf "\n"
_CAND=""
@@ -112,7 +123,7 @@ Verify_checksums() {
CDLB_CMD="/usr/bin/sha512sum"
CDLB_SHA="sha512"
for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do
for _CAND in /scripts/live-bottom/0030-ciss-verify-checksums /usr/lib/live/boot/0030-ciss-verify-checksums; do
[ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
@@ -124,9 +135,25 @@ Verify_checksums() {
CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
_STATUS="$(/usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 --verify "${CDLB_SIG_FILE}" "${CDLB_SCRIPT_FULL}" 2>/dev/null)"
printf "\e[95m[INFO] Verifying integrity of: [%s] ... \n\e[0m" "${CDLB_SCRIPT_FULL}"
_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
### Compare against pinned and expected fingerprint.
if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
printf "\e[92m[INFO] Signer fingerprint match: got [%s] expected: [%s] \n\e[0m" "${_CDLB_SIG_FILE_FPR}" "${CDLB_EXP_FPR}"
else
printf "\e[91m[FATAL] Signer fingerprint mismatch: got [%s] expected: [%s] \n\e[0m" "${_CDLB_SIG_FILE_FPR}" "${CDLB_EXP_FPR}"
sleep 16
panic "[FATAL] Signer fingerprint mismatch: got [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
fi
### Script self-integrity and authenticity checks --------------------------------------------------------------------------
### Assumption: initramfs itself is not altered.
printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}"
if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then

4
scripts/usr/lib/live/build/binary_checksums.sh
View File

@@ -1,9 +1,10 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2006-2015 Daniel Baumann <mail@daniel-baumann.ch>
@@ -85,6 +86,7 @@ for CHECKSUM in ${LB_CHECKSUMS}; do
\! -path './isolinux/isolinux.bin' \
\! -path './boot/boot.bin' \
\! -path './boot/grub/stage2_eltorito' \
\! -path './live/filesystem.squashfs' \
\! -path './*SUMS' \
\! -path './*sum.txt' \
\! -path './*sum.README' \

1
scripts/usr/lib/live/build/binary_rootfs.sh
View File

@@ -1,5 +1,6 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0

14
scripts/usr/local/sbin/9999_cdi_starter.sh
View File

@@ -17,8 +17,8 @@ declare -grx VAR_SEMAPHORE="/root/cdi.ciss" # Semaphore to appear.
declare -girx VAR_TIMEOUT=3600 # Semaphore timer in seconds.
install -d -m 0755 /run/lock
exec 9> /run/lock/9999-cdi-starter.lock
flock -n 9 || { echo "9999-cdi-starter already running. Exiting."; exit 0; }
exec 9> /run/lock/9999_cdi_starter.lock
flock -n 9 || { echo "9999_cdi_starter already running. Exiting."; exit 0; }
#######################################
# Call into the CISS.debian.installer once the semaphore file is present.
@@ -44,6 +44,7 @@ cdi() {
if [[ "${rc}" -eq 0 ]]; then
### In autoinstall mode this command should never be reached due to the reboot command inside ciss_debian_installer.sh.
logger -t cdi-watcher "cdi(): ciss_debian_installer.sh completed SUCCESSFULLY [${rc}]."
exit 0
@@ -71,7 +72,7 @@ net_wait() {
### Declare Arrays, HashMaps, and Variables.
declare -i i=1
for i in {1..30}; do
for i in {1..60}; do
getent hosts git.coresecret.dev >/dev/null && break
sleep 1
@@ -126,16 +127,18 @@ main() {
# shellcheck disable=SC2312
exec > >(tee -a "${var_log}") 2>&1
printf "CISS.debian.installer Master V8.13.404.2025.11.10 is up! \n" >> "${var_log}"
printf "CISS.debian.installer Master V8.13.408.2025.11.13 is up! \n" >> "${var_log}"
### Sleep a moment to settle boot artifacts.
sleep 8
### Harden Kernel parameters.
printf "Command: [sysp] to be executed ... \n" >> "${var_log}"
sysp
printf "Command: [sysp] executed.\n" >> "${var_log}"
### Wait for network connectivity.
printf "Command: [net_wait] to be executed ... \n" >> "${var_log}"
net_wait
printf "Command: [net_wait] executed.\n" >> "${var_log}"
@@ -148,7 +151,6 @@ main() {
git clone "${var_repo_url}" "${var_repo_dir}"
chmod 0700 "${var_repo_dir}/ciss_debian_installer.sh"
cd "${var_repo_dir}"
printf "Command: [git clone %s %s] executed.\n" "${var_repo_url}" "${var_repo_dir}" >> "${var_log}"
### Poll up to VAR_TIMEOUT seconds for the semaphore to appear and be mode 0600.
@@ -181,7 +183,7 @@ main() {
### Timeout reached without acceptable semaphore.
logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
printf "CISS.debian.installer Master V8.13.404.2025.11.10: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
printf "CISS.debian.installer Master V8.13.408.2025.11.13: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
exit 0
}