V9.14.002.2026.05.13

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-05-17 13:34:00 +01:00
parent 39aeea84a7
commit 6307bc2b7c
67 changed files with 315 additions and 176 deletions
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13

 name: 💙 Generating a PUBLIC Live ISO.

@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.768.2025.12.06"
+      placeholder: "e.g., Master V9.14.002.2026.05.13"
    validations:
      required: true

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13

 FROM debian:bookworm

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13

 name: 🔁 Render README.md to README.html.

@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.768.2025.12.06
+  version: V9.14.002.2026.05.13
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.768.2025.12.06
+  version: V9.14.002.2026.05.13
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.768.2025.12.06
+  version: V9.14.002.2026.05.13
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13

 name: 💙 Generating a PUBLIC Live ISO.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13

 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13

 name: 🔁 Render Graphviz Diagrams.

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.768.2025.12.06"
+properties_version="V9.14.002.2026.05.13"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.768.2025.12.06
+PackageVersion: Master V9.14.002.2026.05.13
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.768.2025.12.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.002.2026.05.13-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -11,10 +11,10 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.25.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Runner-0.2.13-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.26.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Runner-1.0.3-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2026.1.1-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.11-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu) &nbsp;
@@ -26,11 +26,11 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 **CISS.debian.live.builder — First of its own.**<br>
-**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
+**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**

 Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed 
 to serve as a reference implementation for hardened, image-based Debian deployments.
@@ -175,7 +175,7 @@ installer toolchain.

 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.

-Example: `V8.13.768.2025.12.06`
+Example: `V9.14.002.2026.05.13`

 `x.y.z` represents major (x), minor (y), and patch (z) version increments.

@@ -221,7 +221,7 @@ The parameters fall into several categories.
 * The audit subsystem is configured to be always on ``audit=1`` and to tolerate heavy bursts without dropping events ``audit_backlog_limit=262144``. I treat the audit trail as an evidentiary artifact; truncation because of backlog limits is not acceptable in that model.
 * The debug surface of the kernel is reduced aggressively. ``debugfs=off`` avoids a traditional footgun that exposes kernel internals in a way that is friendly to attackers and rarely necessary in production.
 * Memory is hardened on several levels at allocation time and at free time. ``init_on_alloc=1`` and ``init_on_free=1`` provide deterministic zeroing, ``page_poison=1`` fills freed pages with a poison pattern, and ``page_alloc.shuffle=1`` shuffles the allocator so that a process can no longer rely on stable physical patterns. Together these measures raise the cost of use-after-free exploitation and other memory corruption attacks.
-* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough ``iommu.passthrough=0`` and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
+* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough, and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
 * ``kfence.sample_interval=100`` activates KFENCE with a sampling interval that is still usable in production but sensitive enough to catch a meaningful subset of memory safety bugs under real workloads.
 * Virtualization-specific knobs include ``kvm.nx_huge_pages=force``, to keep huge pages non-executable, and ``l1d_flush=on`` so that context switches flush the L1 data cache where needed.
 * ``lockdown=integrity`` places the kernel into lockdown mode with an emphasis on integrity. In this project I consider the integrity of the system more critical than the ability to introspect a running kernel from userspace.
@@ -7,14 +7,14 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Repository Structure

 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.768.2025.12.06** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.002.2026.05.13** (as of 2025-10-11)

 ## 3.1. Top-Level Layout

@@ -15,7 +15,7 @@
 ### WHY BASH?
 # Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
 # and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
-# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
+# are available natively; no external binaries are required. Cross-platform consistency. '/bin/bash' is the default shell on most
 # Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
 # default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
 # or Cygwin on Windows systems.
@@ -10,6 +10,9 @@
 # SPDX-Security-Contact: security@coresecret.eu

 BUILD_DIR            ?=
+
+### Optional Dropbear source override; empty uses VAR_DROPBEAR_VERSION from var/global.var.sh:
+DROPBEAR_VERSION     ?=
 PROVIDER_NETCUP_IPV6 ?=
 ROOT_PASSWORD_FILE   ?=
 SSH_PORT             ?=
@@ -18,14 +18,33 @@ export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"

 ### Declare Arrays, HashMaps, and Variables.
-declare var_dropbear_version="2025.88"
+declare var_dropbear_env="/root/dropbear.env"
+[[ -r "${var_dropbear_env}" ]] || {
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
+  exit 43
+}
+
+# shellcheck disable=SC1090
+. "${var_dropbear_env}"
+declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
+[[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+  exit 43
+}
+
 declare var_tar="/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
 declare var_build_dir="/root/build/dropbear-${var_dropbear_version}"
 declare var_logfile="/root/.ciss/cdlb/log/0020_dropbear_build.log"

 mkdir -p "/root/build"
+
+[[ -r "${var_tar}" ]] || {
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear tarball: [%s] \e[0m\n" "${var_tar}" >&2
+  exit 43
+}
+
 cp "${var_tar}" "/root/build"
-tar xjf "/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" -C "/root/build"
+tar xjf "${var_tar}" -C "/root/build"
 cp "/root/dropbear/localoptions.h" "${var_build_dir}"
 cd "${var_build_dir}"

@@ -13,13 +13,28 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

-### Declare Arrays, HashMaps, and Variables.
-declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
-
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"

+### Declare Arrays, HashMaps, and Variables.
+declare var_dropbear_env="/root/dropbear.env"
+[[ -r "${var_dropbear_env}" ]] || {
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
+  exit 43
+}
+
+# shellcheck disable=SC1090
+. "${var_dropbear_env}"
+declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
+[[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+  exit 43
+}
+
+declare var_dropbear_build_dir="/root/build/dropbear-${var_dropbear_version}"
+declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
+
 apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
 apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
 apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
@@ -32,16 +47,18 @@ rm -f /root/dropbear.file

 mkdir -p /root/.ciss/cdlb/backup/usr/sbin
 mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie
-install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
+install -m 0755 -o root -g root "${var_dropbear_build_dir}/dropbear" /usr/sbin/

 mkdir -p /root/.ciss/cdlb/backup/usr/bin
 for var_file in dbclient dropbearconvert dropbearkey; do

  mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie"
-  install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/
+  install -m 0755 -o root -g root "${var_dropbear_build_dir}/${var_file}" /usr/bin/

 done

+rm -f "${var_dropbear_env}"
+
 mkdir -p /etc/initramfs-tools/scripts/init-bottom

 cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
@@ -17,7 +17,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"

-SOPS_VER="v3.11.0"
+SOPS_VER="v3.13.0"
 ARCH="$(dpkg --print-architecture)"
 case "${ARCH}" in
  amd64)  SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
@@ -122,7 +122,7 @@ x509_extensions	= usr_cert		# The extensions to add to the cert
 name_opt 	= ca_default		# Subject Name options
 cert_opt 	= ca_default		# Certificate field options

-# Extension copying option: use with caution.
+# Extension copying option: use it with caution.
 # copy_extensions = copy

 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
@@ -232,7 +232,7 @@ basicConstraints=CA:FALSE
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

-# PKIX recommendations harmless if included in all certificates.
+# PKIX recommendations are harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer

@@ -282,7 +282,7 @@ basicConstraints = critical,CA:true

 # DER hex encoding of an extension: beware experts only!
 # obj=DER:02:03
-# Where 'obj' is a standard or added object
+# Where 'obj' is a standard or added object.
 # You can even override a supported extension:
 # basicConstraints= critical, DER:30:03:01:01:FF

@@ -305,7 +305,7 @@ basicConstraints=CA:FALSE
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

-# PKIX recommendations harmless if included in all certificates.
+# PKIX recommendations are harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer

@@ -418,33 +418,24 @@ ssl_conf = ssl_sect
 system_default = system_default_sect

 [system_default_sect]
-# Protocol floor / ceiling:
-# - only TLS 1.2 and 1.3.
-# - TLS 1.3 is FS by design;
-# - TLS 1.2 FS enforced via the cipher list.
 MinProtocol = TLSv1.2
 MaxProtocol = TLSv1.3

-# TLS 1.2 cipher policy:
-# - Forward secrecy only: ECDHE or DHE (no static RSA kx);
-# - AES-256 *GCM* only (no DHE (dheatattack), no AES-128, no CBC);
-# - Keep distro default SECLEVEL=2 explicitly.
-CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA256-GCM:!kRSA:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
+# TLS 1.2: FS only, AEAD only, no AES128, no static RSA negotiation, no DHE negotiation.
+CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:!AES128:!kRSA:!DHE:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2

-# TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only:
+# TLS 1.3: only AES-256-GCM and ChaCha20-Poly1305.
 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

-# Prefer strong, widely supported ECDHE groups (first = most preferred):
+# Preferred ECDHE groups.
 Groups = X448:P-521:P-384

-SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
-
-# Operational flags:
-# -SessionTicket  : disable TLS session tickets (TLS 1.2 + 1.3)
-# ServerPreference: honor server cipher order (TLS 1.2)
-# NoRenegotiation : disallow TLS 1.2 renegotiation
+# Flags: Tickets off, servers order, renegotiation off.
 Options = -SessionTicket,ServerPreference,NoRenegotiation

+# Permitted signature algorithms.
+SignatureAlgorithms = ecdsa_secp521r1_sha512:ecdsa_secp384r1_sha384:ed448:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

@@ -0,0 +1,19 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2026-05-16; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,6 +11,8 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

+# ToDo: Unify --integrity hmac-sha512 mode for standalone and runner mode.
+
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 __umask=$(umask)
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13

 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13

 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13

 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -gr VERSION="Master V8.13.768.2025.12.06"
+declare -gr VERSION="Master V9.14.002.2026.05.13"

 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh

 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.768.2025.12.06 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.002.2026.05.13 at: 10:18:37.9542
@@ -22,7 +22,7 @@ esac

 run_dropbear() {
    ### CISS.debian.live.builder
-    ### Remove old flags for dropbear version 2025.88-2.
+    ### Remove old flags from the Debian dropbear-initramfs wrapper.
    ### Only accepts flags from '/etc/dropbear/dropbear.conf'.

    #local flags="Fs"
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. DNSSEC Status

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Haveged Audit on Netcup RS 2000 G11

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Lynis Audit:

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. SSH Audit by ssh-audit.com

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. TLS Audit:
 ````text
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Hardened Kernel Boot Parameters

@@ -7,11 +7,20 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Changelog

+## V9.14.002.2026.05.13
+* **Added**: [9935_hardening_ssl.chroot](../config/hooks/live/9935_hardening_ssl.chroot)
+* **Added**: [dropbear-2026.91.tar.bz2](../upgrades/dropbear/dropbear-2026.91.tar.bz2)
+* **Added**: [dropbear-2026.91.tar.bz2.asc](../upgrades/dropbear/dropbear-2026.91.tar.bz2.asc)
+* **Added**: Dropbear Version Argument ``--dropbear-version=*`` and ``--dropbear-version <STRING>``
+* **Changed**: [SHA512SUM.asc](../upgrades/dropbear/SHA512SUM.asc)
+* **Changed**: ``dropbear 2025.88`` to ``dropbear 2026.91``
+* **Changed**: ``sops 3.11.0`` to ``sops 3.13.0``
+
 ## V8.13.768.2025.12.06
 * **Global**: Stable Release

@@ -119,13 +128,13 @@ include_toc: true
 * **Updated**: [AUDIT_LYNIS.md](AUDIT_LYNIS.md) + updated: Lynis Version 3.1.6

 ## V8.13.400.2025.11.08
-* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) - GPG key handling
-* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) - Unified naming scheme
-* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) - Unified naming scheme
-* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) - Unified naming scheme, added verbosity output
-* **Changed**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) - added verbosity output
-* **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) - bugfixes
-* **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) - moved ``update-initramfs`` to:
+* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) : GPG key handling
+* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) : Unified naming scheme
+* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) : Unified naming scheme
+* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) : Unified naming scheme, added verbosity output
+* **Changed**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) : added verbosity output
+* **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) : bugfixes
+* **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) : moved ``update-initramfs`` to:
 * **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot)

 ## V8.13.392.2025.11.07
@@ -221,7 +230,7 @@ include_toc: true
 * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) changed var injection
 * **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) changed var injection
 * **Updated**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) changed var injection
-* **Removed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - yq
+* **Removed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) : yq

 ## V8.13.280.2025.10.23
 * **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) + 10-ciss-noise-floor.rules
@@ -244,8 +253,8 @@ include_toc: true
 * **Added**: [.zshenv](../config/includes.chroot/root/.zshenv)
 * **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
 * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) updated ignoreip
-* **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) + rsyslog
-* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - haveged, + jitterentropy-rngd
+* **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) added: rsyslog
+* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) removed: haveged, added: jitterentropy-rngd

 ## V8.13.192.2025.10.18
 * **Added**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Centurion Net - Developer Branch Overview

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Coding Style

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Contributing / participating

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Credits

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

@@ -7,15 +7,15 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)

 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V8.13.768.2025.12.06
+Master V9.14.002.2026.05.13
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2025
@@ -65,6 +65,12 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
      - https://dns02.eddns.de/
      - https://dns03.eddns.eu/
      
+  --dropbear-version <STRING>
+    Selects the bundled Dropbear source tarball version used for the hardened initramfs build.
+    The matching file MUST exist as:
+    <./upgrades/dropbear/dropbear-<STRING>.tar.bz2>
+    If omitted defaults to VAR_DROPBEAR_VERSION from <./var/global.var.sh>.
+
  --jump-host <IP | IP | ... >
    Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6
    addresses and / or CCDIR notation. If provided, than it MUST be a <SPACE> separated list.
@@ -146,7 +152,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/

-                        V8.13.768.2025.12.06                        2025-11-06                         CDLB(1)
+                        V9.14.002.2026.05.13                        2025-11-06                         CDLB(1)
 ````

 # 3. Booting
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)

@@ -220,7 +220,7 @@ cryptsetup luksFormat \
  * Root FS (for 0042): `/etc/ciss/keys/<FPR>.gpg`
 * **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`

-# 13. Diagram: CISS Live ISO Build, Boot and Run Time Trust Chain & Verification Paths
+# 13. Diagram: CISS Live ISO Build, Boot, and Run Time Trust Chain & Verification Paths
 ```mermaid
 flowchart TD

@@ -261,7 +261,7 @@ I -- FAIL --> X;

 # 14. Closing Remarks

-This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases make the state transparent and deterministic.
+This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot, and active attacks **both before and after decryption**. The dual-verification phases make the state transparent and deterministic.

 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Resources

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. ``30-ciss-hardening.conf``

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. ``90-ciss-local.hardened``

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. ``ciss_live_builder.sh``

@@ -21,7 +21,9 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   VAR_AGE_KEY
 #   VAR_ARCHITECTURE
 #   VAR_BUILD_LOG
+#   VAR_DROPBEAR_VERSION
 #   VAR_EARLY_DEBUG
+#   VAR_GITEA_RUNNER
 #   VAR_HANDLER_AUTOBUILD
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_HANDLER_CDI
@@ -38,6 +40,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   VAR_REIONICE_CLASS
 #   VAR_REIONICE_PRIORITY
 #   VAR_SIGNER
+#   VAR_SIGNING_CA
 #   VAR_SIGNING_KEY
 #   VAR_SIGNING_KEY_FPR
 #   VAR_SIGNING_KEY_PASS
@@ -51,6 +54,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   0: on success
 #   ERR_ARG_MSMTCH: on failure
 #   ERR_CONTROL_CT: on failure
+#   ERR_DROPBEAR_V: on failure
 #   ERR_MISS_PWD_F: on failure
 #   ERR_MISS_PWD_P: on failure
 #   ERR_NOTABSPATH: on failure
@@ -205,6 +209,32 @@ arg_parser() {
          shift 1
          ;;

+        --dropbear-version)
+          if [[ -n "${2-}" && "${2}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
+            # shellcheck disable=SC2034
+            declare -gx VAR_DROPBEAR_VERSION="${2}"
+            shift 2
+          else
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ ERROR: --dropbear-version MUST match '<YYYY>.<NUMBER>'.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_DROPBEAR_V}"
+          fi
+          ;;
+
+        --dropbear-version=*)
+          if [[ "${1#*=}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
+            # shellcheck disable=SC2034
+            declare -gx VAR_DROPBEAR_VERSION="${1#*=}"
+            shift 1
+          else
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ ERROR: --dropbear-version MUST match '<YYYY>.<NUMBER>'.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_DROPBEAR_V}"
+          fi
+          ;;
+
        --jump-host)
          if [[ -n "${2-}" && "${2}" != -* ]]; then
            declare -i count=0
@@ -72,8 +72,8 @@ lb_config_write_trixie() {
    --initramfs-compression gzip \
    --initsystem systemd \
    --iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20250505 - Debian-Installer: trixie" \
-    --iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
-    --iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
+    --iso-preparer '(C) 2018-2026, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
+    --iso-publisher '(P) 2018-2026, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
    --iso-volume 'CISS.debian.live' \
    --linux-flavours "${VAR_KERNEL}" \
    --linux-packages linux-image \
@@ -108,11 +108,9 @@ lb_config_write_trixie() {

  sleep 1

-
  sed -i 's/^LB_CHECKSUMS=.*/LB_CHECKSUMS="sha512 sha384 sha256"/' ./config/binary
  sed -i 's/^LB_DM_VERITY=.*/LB_DM_VERITY="false"/'                ./config/binary

-
  ### https://wiki.debian.org/ReproducibleInstalls/LiveImages
  ### https://reproducible-builds.org/docs/system-images/
  ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes
@@ -18,6 +18,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   BASH_SOURCE
 #   VAR_AGE
 #   VAR_AGE_KEY
+#   VAR_DROPBEAR_VERSION
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_SSHFP
 #   VAR_TMP_SECRET
@@ -31,13 +32,32 @@ init_primordial() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  ### Prepare CISS dropbear integration ----------------------------------------------------------------------------------------
-  declare var_dropbear_version="2025.88"
+  declare var_dropbear_version="${VAR_DROPBEAR_VERSION}"
+  declare var_dropbear_tar="${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
+
+  if [[ ! "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
+
+    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+    return "${ERR_DROPBEAR_V}"
+
+  fi
+
+  if [[ ! -r "${var_dropbear_tar}" ]]; then
+
+    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Dropbear tarball not found: [%s] \e[0m\n" "${var_dropbear_tar}" >&2
+    return "${ERR_DROPBEAR_V}"
+
+  fi

  install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/files"
  install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/build"
  install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear"

-  install    -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2" \
+  printf 'DROPBEAR_VERSION="%s"\n' "${var_dropbear_version}" \
+    >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.env"
+  chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.env"
+
+  install    -m 0444 "${var_dropbear_tar}" \
    "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
  install    -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/localoptions.h" \
    "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/localoptions.h"
@@ -39,17 +39,17 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.768.2025.12.06                        2025-12-05                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V9.14.002.2026.05.13                        2026-05-13                         CDLB(1)" "${var_cols}")

  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.768.2025.12.06\e[0m"
+    echo -e "\e[92mMaster V9.14.002.2026.05.13\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
-    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
-    echo -e "\e[97m(p) Centurion Press, 2024 - 2025 \e[0m"
+    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
+    echo -e "\e[97m(p) Centurion Press, 2024 - 2026 \e[0m"
    echo
    echo -e "\e[97m${0} <option>, where <option> is one or more of: \e[0m"
    echo
@@ -69,18 +69,18 @@ usage() {
    echo "    Where the Debian Live Build Image should be generated. RECOMMENDED path: </opt/cdlb>"
    echo "    MUST be provided."
    echo
-    echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m"
+    echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon> \e[0m"
    echo "    A string reflecting the Grub Boot Screen Splash you want to use. If omitted defaults to:"
    echo "    <./.archive/background/club.png>"
    echo
-    echo -e "\e[97m  --cdi\e[0m"
+    echo -e "\e[97m  --cdi \e[0m"
    echo "    This option creates a boot menu entry that starts the forthcoming 'CISS.debian.installer', which is executed"
    echo "    once the system has successfully booted up."
    echo
-    echo -e "\e[97m  --contact, -c\e[0m"
+    echo -e "\e[97m  --contact, -c \e[0m"
    echo "    Show author contact information."
    echo
-    echo -e "\e[97m  --control <STRING>\e[0m"
+    echo -e "\e[97m  --control <STRING> \e[0m"
    echo "    A string, that reflects the version of your Live ISO Image."
    echo "    MUST be provided."
    echo
@@ -95,6 +95,12 @@ usage() {
    echo "      - https://dns02.eddns.de/"
    echo "      - https://dns03.eddns.eu/"
    echo
+    echo -e "\e[97m  --dropbear-version <STRING> \e[0m"
+    echo "    Selects the bundled Dropbear source tarball version used for the hardened initramfs build."
+    echo "    The matching file MUST exist as:"
+    echo "    <./upgrades/dropbear/dropbear-<STRING>.tar.bz2>"
+    echo "    If omitted defaults to VAR_DROPBEAR_VERSION from <./var/global.var.sh>."
+    echo
    echo -e "\e[97m  --jump-host <IP | IP | ... > \e[0m"
    echo "    Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6 "
    echo "    addresses and / or CCDIR notation. If provided, than it MUST be a <SPACE> separated list."
@@ -110,7 +116,7 @@ usage() {
    echo "    File MUST be placed in:"
    echo "    </dev/shm/cdlb_secrets>"
    echo
-    echo -e "\e[97m  --log-statistics-only\e[0m"
+    echo -e "\e[97m  --log-statistics-only \e[0m"
    echo "    Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only'"
    echo "    the argument '--build-directory' MUST be provided."
    echo
@@ -170,13 +176,13 @@ usage() {
    echo -e "\e[97m  --version, -v \e[0m"
    echo "    Show version of ${0}."
    echo
-    echo -e "\e[93m💡 Notes:\e[0m"
-    echo -e "\e[93m🔵 You MUST be 'root' to run this script.\e[0m"
+    echo -e "\e[93m💡 Notes: \e[0m"
+    echo -e "\e[93m🔵 You MUST be 'root' to run this script. \e[0m"
    echo
    echo -e "\e[95m💷 Please consider donating to my work at: \e[0m"
    echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m"
    echo
-    echo -e "\e[1;97m${var_footer}\e[0m"
+    echo -e "\e[1;97m${var_footer} \e[0m"
  } | less -R

  return 0
@@ -27,6 +27,7 @@ TIMESTAMP            ?= $(shell date -u +%Y-%m-%dT%H-%M-%S)
 ARCH                 ?= amd64
 AUTOBUILD            ?= 6.16.3+deb13-amd64
 CONTROL              ?= $(TIMESTAMP)
+DROPBEAR_VERSION     ?= 2026.91

 ### Nice/ionice settings:
 RENICE               ?= -19
@@ -53,6 +54,7 @@ define COMPOSE_AND
 	cmd+=( --ssh-pubkey '$(SSH_PUBKEY)' )
 	### Optional flags:
 	[[ -n '$(AUTOBUILD)'            ]] && cmd+=( --autobuild=$(AUTOBUILD) )
+	[[ -n '$(DROPBEAR_VERSION)'     ]] && cmd+=( --dropbear-version '$(DROPBEAR_VERSION)' )
 	[[ -n '$(FLAG_CDI)'             ]] && cmd+=( --cdi )
 	[[ -n '$(FLAG_DEBUG)'           ]] && cmd+=( --debug )
 	[[ -n '$(FLAG_DHCP_CENTURION)'  ]] && cmd+=( --dhcp-centurion )
@@ -130,7 +130,7 @@ main() {
  touch "${var_log}"


-  printf "CISS.debian.installer Master V8.13.768.2025.12.06 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V9.14.002.2026.05.13 is up! \n" >> "${var_log}"

  ### Sleep a moment to settle boot artifacts.
  sleep 8
@@ -209,7 +209,7 @@ main() {

  ### Timeout reached without acceptable semaphore.
  logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V8.13.768.2025.12.06: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V9.14.002.2026.05.13: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"

  exit 0
 }
@@ -1,24 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512

-eb16a13aa44732cab4db009bd55903e45f8756598683377bfe55185fbf0e3265  CHANGES
-738b7f358547f0c64c3e1a56bbc5ef98d34d9ec6adf9ccdf01dc0bf2caa2bc8d  dropbear-2025.87.tar.bz2
-af24198895f604c2e114abe29a2f0c3fe30831e6db26e0f93fd5f78e734b61be  dropbear-2025.87.tar.bz2.asc
-783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4  dropbear-2025.88.tar.bz2
-fe40fd8f40a7c5498025cc2058eaecbcd9e649a833d6cdecdab35f1156f4d411  dropbear-2025.88.tar.bz2.asc
+16be820347723271b0fea6049ffeed6d6680d7429c65406d8af37776393a0250  dropbear-2026.90.tar.bz2
+594ac6bd51f361890f6bd829bfe1ce92d241e5f8662d595c13a789e31563f5f7  dropbear-2026.90.tar.bz2.asc
+defa924475abf6bc1e74abc00173e46bfdc804bd47caafa14f5a4ef0cc76da34  dropbear-2026.91.tar.bz2
+26888fbc9cca8ae8026ea754d711edeb5fdbde0a31f897164695bf59035693fb  dropbear-2026.91.tar.bz2.asc
 -----BEGIN PGP SIGNATURE-----

-iQIzBAEBCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbUOIACgkQRJMUlPKc
-Z3OS6w//bPQkIfs5ErkEBNRJDkYCDGekydYur0e2KtA2FX+vgPYI289FM4tXaD5f
-hlBBT5oBQ740ekTLWMMnKcJV3Ut0QYnaXwiH2dHKtT4OEgRQIYqFlbAimpNPMZOL
-IiBv+v9g71XJ3MrFyJSUo00mryIIIeuVQEWl8zxzsG8sf5usOUDwiJNWPul3fOJL
-Ur+vTmCr7XYuq9kFG4YdJNLPLwDZ68e2u1fEpxpsnBmYFx5VS/WvD+qyuUfkR81h
-HmcDgQJUJgx6Taq0OQJa4KnE4+HWjMd6V6JsDTsfYp4CjASO6HP2bON4zJWyphqL
-cyrHAxiADtfU3RO59+XQ6AhTzhtGpZRgHLqetv40DjGN2lOGOdRk3TbE3/dbDl4W
-f9zaPFGXyTA49iiVMMz2GVWlydpjs9HKsIKwwO7vU/EIi4S/USNJRI9wKUji3qKH
-HO09YNoO0XuWzIpeGwfqbeaQ+SCPRPAMQMM0a2Mt10VzympY6w2kHAVbMV48kJ2i
-AMtkgsxLUFdptDSdGKc/KHkbWRR22YCSSUXr1lxCA3fuCUWkS/2pAGzfbd+sd9BS
-QkAiGVCWeFQML61aaoNxMT2+MbS80zrOWm8fjXblg3wCU6F3+TTmmDUNKI3NFi8z
-4TVeAM0oGqeI+PX4hP7pyBy06dGiWiYEAGMiyno6vRXWJrwTVzI=
-=/DnI
+iQIzBAEBCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmoAZXsACgkQRJMUlPKc
+Z3NxYA//TmgdzpN6Jh8zNCL3cjK9J3IgJWIxgtPnoPDb0GxMt5rSME9uAQLggVut
+310OAJ9CCfVYyCECm9ZpgbaeXPHP02Xx6sccpU7bU3nMa1W+Pu0dea3ToFWGFv5i
+52INS0UGP+R58JJzGlxlwm1oRNXoG3tfJHR7FHof5G0a60jdcxqjW2JfkN4x28kR
+RLXCqCWfJOjVMIVVQLsVmjZQlBkXLuykg2rbocqBu2dNH4nOuekDWFUpLXoGm2Zd
+OhdFmWGIJfLFybPersLBGSO6LJFhzi5KoloeesaCQ26X2ld8R+cu6rKae2f0zDQi
+O63yQIg7Oxr4XUnthziZdYA4karVrUdx97I39xTP9ioYxnEWHSdWk2iwKWsLhrPd
+X9TEcsmTMia0RSNqarNlsnXiloWFIRKuxlEBO1SMHG45Fr5mXsPxFLc81acQlGtl
+Kvwl3O5vxaa8Qd46EtLJXsNQW09tW0j1yM3JyAoLZs69/N8iB5lk74nYT+jZhI0b
+9/+tfHLRoa+ccJdNfCdfWzCTZpFxG0D6ah6SJY8CgMMvITBT5OfYTR4tvSbt1Sa4
+y65YOPB4QabxuaUC6p0JQ57STUX6D8NtvJwpoZUDb6XDovpXsVb3T0di9eKKYQSv
+/TsSRvf57OiCL9u/C5bIV2g0N5pkN9Bsddye0wUqfEdYH/NwXBs=
+=OTzQ
 -----END PGP SIGNATURE-----
@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbTlUACgkQRJMUlPKc
-Z3PY2xAAkSmMipofQkVDE8owIY1VrXGICpFFby7oIzog1oiWrTWlqjGPBwxrLEAa
-W5qXPez0mu9CMs0eGgqHnpUCOR2OJKXzlllSwWcO2Q9Ioi+fSYB//A/+FRK5Jyvf
-P3H6Iq4N4vCbOGS0zHwmlAhTMh1ezKuqnjCrP9z6gvOj6hiiI0DtX2YtYfXml4o8
-Xgvv+w3uReC/Pf7Z7Zia18tWlLIC1DoVC18CmLmnnyqE032Cn8HsE/scboTehgJd
-SKfpztf8/9IjAJpkoeuh3VEXeq5gUjdaW13cBvaPBg798+GsnY7ot7g2PLgnpc7w
-Y1Npg2QZebKE2KHSEGhvIfHeGC6uSEekQnNbck6/ge8ytRzvfzxtTFCMWlGVdgd4
-dFLNajFRt1VOYXMgm7w725cndXYjpvi7zNgGI/kuOQG92hGR8ZaQYYHUTI+B9sr1
-Fit8VmaOsLN7ES8UcNlWeRPHAlvkhdfjltcCSVBziJWGW5rYsuT03X/gbjSiflA5
-kwB/5A2Bf5DHtORbdtx9kfd5yqsnWaLczEKRjyikJqDUXW6CcclbEiucWIgR75cS
-Ee9cf8ILKn/Dr6z+h60y0VQ+1gUcVDnK9yxoqywS5/QoUFXltzu032ZmhyDdgfex
-93NbacgaVtges8t0S0s7PgfzpUSLgNte6aHOYwl5mDAh0zLGpoo=
-=uS3y
-----END PGP SIGNATURE-----
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmn22d8ACgkQRJMUlPKc
+Z3Ndlg//Vj21j/hlAIPD0AOAgYYLvudvR2bA1gJBHrlAQB4FQSWWgW+C0xdHks7X
+YUkKFhLMMP8twemA2EApfMtEp+YayfN/djiwCTfhrCI2ObTZJZU6FwyKiENviKGo
+hH7rFeh1HdSJuU+HExF9bCq+1oGFjhpOKh982R0hasLzKgN2PmF1v/jEqNpibyIc
+o7/7xXFGne39xTrwIuvhjl44iCrIKrcqpObt2cHKRx3D5E1b5nz1JriceCQr4zPa
+tRBXyvl7Ub/N0xZ0K81LA5cDuP2h5H1W1X0BEVTMi+4vIJhaFfOCZhFp9vjlKuuW
+vLhPJWakaLOM2o0PawHW3pVQfq9vOPOGUYcQoSCjgplEsvySbIHS33/nHrPq9ncb
+S6kYQnXtNmWOuWoZfUmGNSBItzd9aOWJ/CukhtovJHRCvM9W68GhR4kqNhZpfvhY
+NL35NC3IydxvzZUZzW6OvaBzGnAVshILyVnlrGkI9ikc8BJUY6GllcMopD5+vCbt
+YYKZhThckaHmtZL4bkyA1v8KN7uVprCKQSgC56lbXD+fr7qM/sjNLmp+UVCnjTuU
+XDFnS7dELDZCXweTmxIowwPetaDtnfBPuYWmGtSezG63Zbsv32/UMAy3YCT7vg/V
+9dzK0h2/EG6GCZ9UfYj/uYCuvb8HhbVji0fMYbzo1eT4NAJwPpY=
+=/+S8
+-----END PGP SIGNATURE-----
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmoAZREACgkQRJMUlPKc
+Z3P87g//ZamgpADh+1CziP9UJ8iiQSi+6lGDcNmkLwNfw1dXA7zAJ2L10uz1We5V
+ercshPNSurf/rYCQJIvav1JE2x4oHXAgnzO1pnrIDriBmCa17EJD2udDHImE1A4K
+KP6JxeaaZTkPYCQftIh3bj7kyJnjpRIptN41GHLeyfQ9bD/ikpGm7uVVqOv1y08O
+Z1pBlZ4IeKrdN7ghHclTTS7+w9nDcYuP62B+KOg7U2oE6+hTfO6PZnHxumUqFlck
+iDEOpdjWixp62ju5ad2o+qWsV4QDg5y/smb51ZDIiFkQh3BJKs6qS83ZNBseGdCX
+vtfKLBSpH/k28WlIwzNq3xiwD7xLR1niX4IrNFUF71eFZhFt6FAMk7oBhSse86qs
+TUUDsssQBAGgNbyRAGSkjBKQ9hdrGXuqV7r8PnDGo+n+EF7pRBJTObM29jshgnjm
+CZ8zMu8LB5cCzWJCXUhNX9HqcW4LIDPGI6v24ychxGqLS5ekKHbv7Pr/xguHyVJq
+U7HXsUtA43HAXnk1RaVYV3I9CzLinJ9Cs3sNBRpcIEKQfpYXTDL58lEg/mJRloqC
+EIBgb9pB8EvFbIz3mbOayvrLnMzmyL1ujsc1CYUcEti1MV6IrgOjGxi/kUrcrZaQ
+1kPA/eRcG1iRpyYk19/cD1JyI477HRnRQDeqMPRO9VTeCMOXO2s=
+=PPW+
+-----END PGP SIGNATURE-----
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V8.13.768.2025.12.06"
+declare -grx VAR_VERSION="Master V9.14.002.2026.05.13"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4
@@ -28,6 +28,7 @@ touch "${LOG_ERROR}" && chmod 0600 "${LOG_ERROR}"

 declare -g  __umask=""
 declare -g  VAR_ARCHITECTURE=""
+declare -g  VAR_DROPBEAR_VERSION="2026.91"
 declare -g  VAR_HANDLER_BUILD_DIR=""
 declare -g  VAR_HANDLER_CDI="false"
 declare -g  VAR_HANDLER_NETCUP_IPV6="false"
@@ -48,14 +49,14 @@ declare -gi VAR_REIONICE_CLASS=2
 declare -gi VAR_REIONICE_PRIORITY=4
 declare -gr VAR_CHROOT_DIR="chroot"
 declare -gr VAR_PACKAGES_FILE="chroot.packages.live"
-declare -gx VAR_AGE="false"
 declare -gx VAR_AGE_KEY=""
+declare -gx VAR_AGE="false"
 declare -gx VAR_CDLB_INSIDE_RUNNER="${VAR_CDLB_INSIDE_RUNNER:-false}"
-declare -gx VAR_LUKS="false"
 declare -gx VAR_LUKS_KEY=""
+declare -gx VAR_LUKS="false"
 declare -gx VAR_SIGNER="false"
-declare -gx VAR_SIGNING_CA=""
 declare -gx VAR_SIGNING_CA_FPR=""
+declare -gx VAR_SIGNING_CA=""
 declare -gx VAR_SIGNING_KEY_FPR=""
 declare -gx VAR_SIGNING_KEY_PASS=""
 declare -gx VAR_SIGNING_KEY_PASSFILE=""
@@ -83,6 +84,7 @@ declare -gir ERR_PASS_LENGH=210 # --root-password-file password MUST be between
 declare -gir ERR_PASS_PLICY=211 # --root-password-file password MUST NOT contain double quotes
 declare -gir ERR__SSH__PORT=212 # --ssh-port MUST be an integer between '1' and '65535'
 declare -gir ERR_ARG_MSMTCH=213 # Wrong Number of optional Arguments provided
+declare -gir ERR_DROPBEAR_V=214 # --dropbear-version MUST match the bundled Dropbear tarball version format
 declare -gir ERR_SECRETSSYM=251 # VAR_TMP_SECRET is a symlink.
 declare -gir ERR_NOTABSPATH=252 # Not an absolute path
 declare -gir ERR_INVLD_CHAR=253 # Invalid Character