V9.14.002.2026.05.13

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

lib/lib_arg_parser.sh

@@ -21,7 +21,9 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   VAR_AGE_KEY
 #   VAR_ARCHITECTURE
 #   VAR_BUILD_LOG
+#   VAR_DROPBEAR_VERSION
 #   VAR_EARLY_DEBUG
+#   VAR_GITEA_RUNNER
 #   VAR_HANDLER_AUTOBUILD
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_HANDLER_CDI
@@ -38,6 +40,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   VAR_REIONICE_CLASS
 #   VAR_REIONICE_PRIORITY
 #   VAR_SIGNER
+#   VAR_SIGNING_CA
 #   VAR_SIGNING_KEY
 #   VAR_SIGNING_KEY_FPR
 #   VAR_SIGNING_KEY_PASS
@@ -51,6 +54,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   0: on success
 #   ERR_ARG_MSMTCH: on failure
 #   ERR_CONTROL_CT: on failure
+#   ERR_DROPBEAR_V: on failure
 #   ERR_MISS_PWD_F: on failure
 #   ERR_MISS_PWD_P: on failure
 #   ERR_NOTABSPATH: on failure
@@ -205,6 +209,32 @@ arg_parser() {
           shift 1
           ;;
 
+        --dropbear-version)
+          if [[ -n "${2-}" && "${2}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
+            # shellcheck disable=SC2034
+            declare -gx VAR_DROPBEAR_VERSION="${2}"
+            shift 2
+          else
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ ERROR: --dropbear-version MUST match '<YYYY>.<NUMBER>'.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_DROPBEAR_V}"
+          fi
+          ;;
+
+        --dropbear-version=*)
+          if [[ "${1#*=}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
+            # shellcheck disable=SC2034
+            declare -gx VAR_DROPBEAR_VERSION="${1#*=}"
+            shift 1
+          else
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ ERROR: --dropbear-version MUST match '<YYYY>.<NUMBER>'.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_DROPBEAR_V}"
+          fi
+          ;;
+
         --jump-host)
           if [[ -n "${2-}" && "${2}" != -* ]]; then
             declare -i count=0

lib/lib_lb_config_write_trixie.sh

@@ -72,8 +72,8 @@ lb_config_write_trixie() {
     --initramfs-compression gzip \
     --initsystem systemd \
     --iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20250505 - Debian-Installer: trixie" \
-    --iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
-    --iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
+    --iso-preparer '(C) 2018-2026, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
+    --iso-publisher '(P) 2018-2026, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
     --iso-volume 'CISS.debian.live' \
     --linux-flavours "${VAR_KERNEL}" \
     --linux-packages linux-image \
@@ -108,11 +108,9 @@ lb_config_write_trixie() {
 
   sleep 1
 
-
   sed -i 's/^LB_CHECKSUMS=.*/LB_CHECKSUMS="sha512 sha384 sha256"/' ./config/binary
   sed -i 's/^LB_DM_VERITY=.*/LB_DM_VERITY="false"/'                ./config/binary
 
-
   ### https://wiki.debian.org/ReproducibleInstalls/LiveImages
   ### https://reproducible-builds.org/docs/system-images/
   ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes

lib/lib_primordial.sh

@@ -18,6 +18,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   BASH_SOURCE
 #   VAR_AGE
 #   VAR_AGE_KEY
+#   VAR_DROPBEAR_VERSION
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_SSHFP
 #   VAR_TMP_SECRET
@@ -31,13 +32,32 @@ init_primordial() {
   printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
 
   ### Prepare CISS dropbear integration ----------------------------------------------------------------------------------------
-  declare var_dropbear_version="2025.88"
+  declare var_dropbear_version="${VAR_DROPBEAR_VERSION}"
+  declare var_dropbear_tar="${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
+
+  if [[ ! "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
+
+    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+    return "${ERR_DROPBEAR_V}"
+
+  fi
+
+  if [[ ! -r "${var_dropbear_tar}" ]]; then
+
+    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Dropbear tarball not found: [%s] \e[0m\n" "${var_dropbear_tar}" >&2
+    return "${ERR_DROPBEAR_V}"
+
+  fi
 
   install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/files"
   install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/build"
   install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear"
 
-  install    -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2" \
+  printf 'DROPBEAR_VERSION="%s"\n' "${var_dropbear_version}" \
+    >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.env"
+  chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.env"
+
+  install    -m 0444 "${var_dropbear_tar}" \
     "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
   install    -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/localoptions.h" \
     "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/localoptions.h"

lib/lib_usage.sh

@@ -39,17 +39,17 @@ usage() {
   # shellcheck disable=SC2155
   declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
   # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.768.2025.12.06                        2025-12-05                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V9.14.002.2026.05.13                        2026-05-13                         CDLB(1)" "${var_cols}")
 
   {
     echo -e "\e[1;97m${var_header}\e[0m"
     echo
     echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.768.2025.12.06\e[0m"
+    echo -e "\e[92mMaster V9.14.002.2026.05.13\e[0m"
     echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
     echo
-    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
-    echo -e "\e[97m(p) Centurion Press, 2024 - 2025 \e[0m"
+    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
+    echo -e "\e[97m(p) Centurion Press, 2024 - 2026 \e[0m"
     echo
     echo -e "\e[97m${0} <option>, where <option> is one or more of: \e[0m"
     echo
@@ -69,18 +69,18 @@ usage() {
     echo "    Where the Debian Live Build Image should be generated. RECOMMENDED path: </opt/cdlb>"
     echo "    MUST be provided."
     echo
-    echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m"
+    echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon> \e[0m"
     echo "    A string reflecting the Grub Boot Screen Splash you want to use. If omitted defaults to:"
     echo "    <./.archive/background/club.png>"
     echo
-    echo -e "\e[97m  --cdi\e[0m"
+    echo -e "\e[97m  --cdi \e[0m"
     echo "    This option creates a boot menu entry that starts the forthcoming 'CISS.debian.installer', which is executed"
     echo "    once the system has successfully booted up."
     echo
-    echo -e "\e[97m  --contact, -c\e[0m"
+    echo -e "\e[97m  --contact, -c \e[0m"
     echo "    Show author contact information."
     echo
-    echo -e "\e[97m  --control <STRING>\e[0m"
+    echo -e "\e[97m  --control <STRING> \e[0m"
     echo "    A string, that reflects the version of your Live ISO Image."
     echo "    MUST be provided."
     echo
@@ -95,6 +95,12 @@ usage() {
     echo "      - https://dns02.eddns.de/"
     echo "      - https://dns03.eddns.eu/"
     echo
+    echo -e "\e[97m  --dropbear-version <STRING> \e[0m"
+    echo "    Selects the bundled Dropbear source tarball version used for the hardened initramfs build."
+    echo "    The matching file MUST exist as:"
+    echo "    <./upgrades/dropbear/dropbear-<STRING>.tar.bz2>"
+    echo "    If omitted defaults to VAR_DROPBEAR_VERSION from <./var/global.var.sh>."
+    echo
     echo -e "\e[97m  --jump-host <IP | IP | ... > \e[0m"
     echo "    Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6 "
     echo "    addresses and / or CCDIR notation. If provided, than it MUST be a <SPACE> separated list."
@@ -110,7 +116,7 @@ usage() {
     echo "    File MUST be placed in:"
     echo "    </dev/shm/cdlb_secrets>"
     echo
-    echo -e "\e[97m  --log-statistics-only\e[0m"
+    echo -e "\e[97m  --log-statistics-only \e[0m"
     echo "    Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only'"
     echo "    the argument '--build-directory' MUST be provided."
     echo
@@ -170,13 +176,13 @@ usage() {
     echo -e "\e[97m  --version, -v \e[0m"
     echo "    Show version of ${0}."
     echo
-    echo -e "\e[93m💡 Notes:\e[0m"
-    echo -e "\e[93m🔵 You MUST be 'root' to run this script.\e[0m"
+    echo -e "\e[93m💡 Notes: \e[0m"
+    echo -e "\e[93m🔵 You MUST be 'root' to run this script. \e[0m"
     echo
     echo -e "\e[95m💷 Please consider donating to my work at: \e[0m"
     echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m"
     echo
-    echo -e "\e[1;97m${var_footer}\e[0m"
+    echo -e "\e[1;97m${var_footer} \e[0m"
   } | less -R
 
   return 0