msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.408.2025.11.13
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m8s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m31s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-13 06:26:44 +01:00
parent a362db3d78
commit 5f370c2cdb
83 changed files with 1422 additions and 877 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
scripts/usr/lib/live/boot/0030-verify-checksums → scripts/usr/lib/live/boot/0030-ciss-verify-checksums
View File

@@ -4,7 +4,7 @@
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -15,7 +15,7 @@
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
#######################################
@@ -29,7 +29,11 @@
# 0 : Successful verification
#######################################
Verify_checksums() {
printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-verify-checksums] ... \n\e[0m"
printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-ciss-verify-checksums] ... \n\e[0m"
### Will be replaced at build time:
export CDLB_EXP_FPR="@EXP_FPR@"
export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
### Declare variables --------------------------------------------------------------------------------------------------------
_MOUNTPOINT="${1}"
@@ -71,19 +75,6 @@ Verify_checksums() {
done
### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
if [ -e "${_MP}/0030-verify-checksums.gpg" ]; then
_KEYFILE="${_MP}/0030-verify-checksums.gpg"
break
fi
done
### Check if the function should be skipped ----------------------------------------------------------------------------------
case "${LIVE_VERIFY_CHECKSUMS}" in
@@ -97,13 +88,33 @@ Verify_checksums() {
esac
### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
if [ -e "${_MP}/${CDLB_EXP_FPR}.gpg" ]; then
_KEYFILE="${_MP}/${CDLB_EXP_FPR}.gpg"
if [ -e "${_MP}/${CDLB_EXP_FPR}.gpg" ]; then
_CA_KEYFILE="${_MP}/${CDLB_EXP_CA_FPR}.gpg"
fi
break
fi
done
# shellcheck disable=SC2164
cd "${_MOUNTPOINT}"
### CDLB verification of script integrity itself -----------------------------------------------------------------------------
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
log_begin_msg "Verifying integrity of: [0030-verify-checksums]"
log_begin_msg "Verifying integrity of: [0030-ciss-verify-checksums]"
printf "\n"
_CAND=""
@@ -112,7 +123,7 @@ Verify_checksums() {
CDLB_CMD="/usr/bin/sha512sum"
CDLB_SHA="sha512"
for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do
for _CAND in /scripts/live-bottom/0030-ciss-verify-checksums /usr/lib/live/boot/0030-ciss-verify-checksums; do
[ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
@@ -124,9 +135,25 @@ Verify_checksums() {
CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
_STATUS="$(/usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 --verify "${CDLB_SIG_FILE}" "${CDLB_SCRIPT_FULL}" 2>/dev/null)"
printf "\e[95m[INFO] Verifying integrity of: [%s] ... \n\e[0m" "${CDLB_SCRIPT_FULL}"
_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
### Compare against pinned and expected fingerprint.
if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
printf "\e[92m[INFO] Signer fingerprint match: got [%s] expected: [%s] \n\e[0m" "${_CDLB_SIG_FILE_FPR}" "${CDLB_EXP_FPR}"
else
printf "\e[91m[FATAL] Signer fingerprint mismatch: got [%s] expected: [%s] \n\e[0m" "${_CDLB_SIG_FILE_FPR}" "${CDLB_EXP_FPR}"
sleep 16
panic "[FATAL] Signer fingerprint mismatch: got [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
fi
### Script self-integrity and authenticity checks --------------------------------------------------------------------------
### Assumption: initramfs itself is not altered.
printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}"
if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then