From 5fcd2ebf428d7f07ec659faea779e6d289a6b06d6cf7313015fee96aae162527 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner" <msw@coresecret.dev>
Date: Fri, 3 Oct 2025 19:41:39 +0100
Subject: [PATCH] V8.13.032.2025.10.03

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
---
 .../trigger/t_generate_PRIVATE_trixie_1.yaml   |  2 +-
 .../workflows/generate_PRIVATE_trixie_1.yaml   | 18 ++++++++++++------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
index ce18224..4338d20 100644
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
-  counter: 1023
+  counter: 1024
   version: V8.13.032.2025.10.03
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index 104010f..7015744 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -108,17 +108,22 @@ jobs:
 
           REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
 
-          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
-          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
+          TPL="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
+          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
 
-          if [[ ! -f "${TPL}" ]]; then
-            echo "Template not found: ${TPL}"
+          if [[ ! -f "$TPL" ]]; then
+            echo "Template not found: $TPL"
             echo "::group::Tree of config/hooks/live"
-            ls -la "${REPO_ROOT}/config/hooks/live" || true
+            ls -la "$REPO_ROOT/config/hooks/live" || true
             echo "::endgroup::"
             exit 2
           fi
 
+          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
+          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
+          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
+          export RSA_PUB="${RSA_PUB//$'\r'/}"
+
           perl -0777 -pe '
             BEGIN{
               $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
@@ -128,7 +133,7 @@ jobs:
             s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
             s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
             s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
-          ' "${TPL}" >| "{$OUT}"
+          ' "$TPL" > "$OUT"
 
           chmod 0755 "${OUT}"
           echo "Hook rendered: ${OUT}"
@@ -178,6 +183,7 @@ jobs:
 
       - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
         shell: bash
+        working-directory: ${{ github.workspace }}
         run: |
           set -euo pipefail
           chmod 0755 ciss_live_builder.sh