V8.13.404.2025.11.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-10 11:57:27 +01:00
parent fc263c95e3
commit 6c00891cd4
62 changed files with 1419 additions and 312 deletions


@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -21,7 +21,7 @@ usage() {
clear clear
cat << EOF cat << EOF
$(echo -e "\e[92mCISS.debian.live.builder\e[0m") $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
$(echo -e "\e[92mMaster V8.13.400.2025.11.08\e[0m") $(echo -e "\e[92mMaster V8.13.404.2025.11.10\e[0m")
$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m") $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m") $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
@@ -46,7 +46,7 @@ $(echo -e "\e[97m --build-directory </path/to/build_directory>\e[0m")
MUST be provided. MUST be provided.
$(echo -e "\e[97m --change-splash <STRING> one of <club | hexagon>\e[0m") $(echo -e "\e[97m --change-splash <STRING> one of <club | hexagon>\e[0m")
A string reflecting the GRub Boot Screen Splash you want to use. A string reflecting the Grub Boot Screen Splash you want to use.
If omitted defaults to "./.archive/background/club.png". If omitted defaults to "./.archive/background/club.png".
$(echo -e "\e[97m --cdi (Experimental Feature)\e[0m") $(echo -e "\e[97m --cdi (Experimental Feature)\e[0m")


@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08 # Version Master V8.13.404.2025.11.10
name: 🔐 Generating a Private Live ISO TRIXIE. name: 🔐 Generating a Private Live ISO TRIXIE.


@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08 # Version Master V8.13.404.2025.11.10
name: 🔐 Generating a Private Live ISO TRIXIE. name: 🔐 Generating a Private Live ISO TRIXIE.


@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08 # Version Master V8.13.404.2025.11.10
name: 💙 Generating a PUBLIC Live ISO. name: 💙 Generating a PUBLIC Live ISO.


@@ -25,7 +25,7 @@ body:
attributes: attributes:
label: "Version" label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`." description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
placeholder: "e.g., Master V8.13.400.2025.11.08" placeholder: "e.g., Master V8.13.404.2025.11.10"
validations: validations:
required: true required: true


@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08 # Version Master V8.13.404.2025.11.10
FROM debian:bookworm FROM debian:bookworm


@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08 # Version Master V8.13.404.2025.11.10
name: 🔁 Render README.md to README.html. name: 🔁 Render README.md to README.html.


@@ -11,5 +11,5 @@
build: build:
counter: 1023 counter: 1023
version: V8.13.400.2025.11.08 version: V8.13.404.2025.11.10
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml


@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08 # Version Master V8.13.404.2025.11.10
name: 🔐 Generating a Private Live ISO TRIXIE. name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -106,10 +106,18 @@ jobs:
### Generate SSH Config for git.coresecret.dev Custom-Port ### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev Host git.coresecret.dev
BatchMode yes
ConnectTimeout 5
ControlMaster auto
ControlPath ~/.ssh/cm-%r@%h:%p
ControlPersist 5m
HostName git.coresecret.dev HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519 IdentityFile ~/.ssh/id_ed25519
Port 42842
ServerAliveCountMax 3
ServerAliveInterval 10
StrictHostKeyChecking yes StrictHostKeyChecking yes
User git
UserKnownHostsFile ~/.ssh/known_hosts UserKnownHostsFile ~/.ssh/known_hosts
EOF EOF
chmod 0600 ~/.ssh/config chmod 0600 ~/.ssh/config
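Review bot: `ControlMaster auto` together with `ControlPersist 5m` keeps an authenticated master connection alive in the background for five minutes after the job's last ssh/git command, so on a runner that is not discarded per job the socket at `~/.ssh/cm-%r@%h:%p` remains usable without re-authentication by any later process running as the same user. Either leave the three `Control*` lines out of a CI config or close the master explicitly as the job's last step with `ssh -O exit git.coresecret.dev || true`. `ControlPath` should also use the hashed token, `ControlPath ~/.ssh/cm-%C`, which keeps user, host and port out of the socket name and the path under the Unix-socket length limit. The same lines are added to the four workflow sections that follow (the second Private TRIXIE, the PUBLIC, the DNSSEC and the Graphviz workflows); the step's surrounding YAML is outside this hunk.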


@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08 # Version Master V8.13.404.2025.11.10
name: 🔐 Generating a Private Live ISO TRIXIE. name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -106,10 +106,18 @@ jobs:
### Generate SSH Config for git.coresecret.dev Custom-Port ### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev Host git.coresecret.dev
BatchMode yes
ConnectTimeout 5
ControlMaster auto
ControlPath ~/.ssh/cm-%r@%h:%p
ControlPersist 5m
HostName git.coresecret.dev HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519 IdentityFile ~/.ssh/id_ed25519
Port 42842
ServerAliveCountMax 3
ServerAliveInterval 10
StrictHostKeyChecking yes StrictHostKeyChecking yes
User git
UserKnownHostsFile ~/.ssh/known_hosts UserKnownHostsFile ~/.ssh/known_hosts
EOF EOF
chmod 0600 ~/.ssh/config chmod 0600 ~/.ssh/config


@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08 # Version Master V8.13.404.2025.11.10
name: 💙 Generating a PUBLIC Live ISO. name: 💙 Generating a PUBLIC Live ISO.
@@ -106,10 +106,18 @@ jobs:
### Generate SSH Config for git.coresecret.dev Custom-Port ### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev Host git.coresecret.dev
BatchMode yes
ConnectTimeout 5
ControlMaster auto
ControlPath ~/.ssh/cm-%r@%h:%p
ControlPersist 5m
HostName git.coresecret.dev HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519 IdentityFile ~/.ssh/id_ed25519
Port 42842
ServerAliveCountMax 3
ServerAliveInterval 10
StrictHostKeyChecking yes StrictHostKeyChecking yes
User git
UserKnownHostsFile ~/.ssh/known_hosts UserKnownHostsFile ~/.ssh/known_hosts
EOF EOF
chmod 0600 ~/.ssh/config chmod 0600 ~/.ssh/config


@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08 # Version Master V8.13.404.2025.11.10
# Gitea Workflow: Shell-Script Linting # Gitea Workflow: Shell-Script Linting
# #


@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08 # Version Master V8.13.404.2025.11.10
name: 🛡️ Retrieve DNSSEC status of coresecret.dev. name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
@@ -58,10 +58,18 @@ jobs:
### Generate SSH Config for git.coresecret.dev Custom-Port ### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev Host git.coresecret.dev
BatchMode yes
ConnectTimeout 5
ControlMaster auto
ControlPath ~/.ssh/cm-%r@%h:%p
ControlPersist 5m
HostName git.coresecret.dev HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519 IdentityFile ~/.ssh/id_ed25519
Port 42842
ServerAliveCountMax 3
ServerAliveInterval 10
StrictHostKeyChecking yes StrictHostKeyChecking yes
User git
UserKnownHostsFile ~/.ssh/known_hosts UserKnownHostsFile ~/.ssh/known_hosts
EOF EOF
chmod 0600 ~/.ssh/config chmod 0600 ~/.ssh/config


@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08 # Version Master V8.13.404.2025.11.10
name: 🔁 Render Graphviz Diagrams. name: 🔁 Render Graphviz Diagrams.
@@ -59,10 +59,18 @@ jobs:
### Generate SSH Config for git.coresecret.dev Custom-Port ### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev Host git.coresecret.dev
BatchMode yes
ConnectTimeout 5
ControlMaster auto
ControlPath ~/.ssh/cm-%r@%h:%p
ControlPersist 5m
HostName git.coresecret.dev HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519 IdentityFile ~/.ssh/id_ed25519
Port 42842
ServerAliveCountMax 3
ServerAliveInterval 10
StrictHostKeyChecking yes StrictHostKeyChecking yes
User git
UserKnownHostsFile ~/.ssh/known_hosts UserKnownHostsFile ~/.ssh/known_hosts
EOF EOF
chmod 0600 ~/.ssh/config chmod 0600 ~/.ssh/config


@@ -1,14 +1,17 @@
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE # SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# https://github.com/koalaman/shellcheck/wiki/directive
# https://github.com/koalaman/shellcheck/wiki/Optional
encoding=utf-8 encoding=utf-8
external-sources=true external-sources=true
shell=bash shell=bash
@@ -16,6 +19,8 @@ source-path=~/lib
source-path=~/scripts source-path=~/scripts
source-path=~/var source-path=~/var
enable=add-default-case
enable=avoid-negated-conditions
enable=avoid-nullary-conditions enable=avoid-nullary-conditions
enable=check-extra-masked-returns enable=check-extra-masked-returns
enable=check-set-e-suppressed enable=check-set-e-suppressed
@@ -24,5 +29,6 @@ enable=deprecate-which
enable=quote-safe-variables enable=quote-safe-variables
enable=require-double-brackets enable=require-double-brackets
enable=require-variable-braces enable=require-variable-braces
enable=useless-use-of-cat
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf


@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu" properties_SPDX-Security-Contact="security@coresecret.eu"
properties_version="V8.13.400.2025.11.08" properties_version="V8.13.404.2025.11.10"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf


@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder PackageName: CISS.debian.live.builder
PackageVersion: Master V8.13.400.2025.11.08 PackageVersion: Master V8.13.404.2025.11.10
PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder


@@ -2,7 +2,7 @@
gitea: none gitea: none
include_toc: true include_toc: true
--- ---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.400.2025.11.08-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) [![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.404.2025.11.10-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
&nbsp; &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.400.2025.11.08<br> **Build**: V8.13.404.2025.11.10<br>
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -152,7 +152,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
Example: `V8.13.400.2025.11.08` Example: `V8.13.404.2025.11.10`
`x.y.z` represents major (x), minor (y), and patch (z) version increments. `x.y.z` represents major (x), minor (y), and patch (z) version increments.


@@ -8,13 +8,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.400.2025.11.08<br> **Build**: V8.13.404.2025.11.10<br>
# 2.1. Repository Structure # 2.1. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder
**Branch:** `master` **Branch:** `master`
**Repository State:** Master Version **8.13**, Build **V8.13.400.2025.11.08** (as of 2025-10-11) **Repository State:** Master Version **8.13**, Build **V8.13.404.2025.11.10** (as of 2025-10-11)
## 2.2. Top-Level Layout ## 2.2. Top-Level Layout


@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -339,138 +339,10 @@ FSTYPE=auto
EOF EOF
cat << EOF >| /etc/initramfs-tools/hooks/ciss_debian_live_builder chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh
#!/bin/sh chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
# SPDX-Version: 3.0 chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev> chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
EOF
cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
set -e
printf "\e[95mStarting: [ciss_debian_live_builder] \n\e[0m"
PREREQ=""
prereqs() { echo "${PREREQ}"; }
# shellcheck disable=SC2249
case "${1}" in
prereqs) prereqs; exit 0 ;;
esac
. /usr/share/initramfs-tools/hook-functions
### Ensure directory structure in initramfs ------------------------------------------------------------------------------------
install -d -m 0755 "${DESTDIR}/etc/ciss/keys"
install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/conf.d"
install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
install -d -m 0755 "${DESTDIR}/usr/bin"
install -d -m 0755 "${DESTDIR}/usr/local/bin"
install -d -m 0755 "${DESTDIR}/usr/sbin"
### Include 'bash' -------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/bash /usr/bin/bash
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/bash /usr/bin/bash] \n\e[0m"
### Include 'blkid' ------------------------------------------------------------------------------------------------------------
copy_exec /usr/sbin/blkid /usr/sbin/blkid
printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid] \n\e[0m"
### Include 'busybox' ----------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/busybox /usr/busybox
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"
### Include GNU coreutils 'sort' (has -V) --------------------------------------------------------------------------------------
copy_exec /usr/bin/sort /usr/bin/sort
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m"
### Include 'gpgv' -------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/gpgv /usr/bin/gpgv
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m"
### Include 'lsblk' ------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/lsblk /usr/bin/lsblk
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin/lsblk] \n\e[0m"
### Include 'mkpasswd' ---------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/mkpasswd /usr/mkpasswd
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/mkpasswd] \n\e[0m"
copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd] \n\e[0m"
### Include 'udevadm' (udev management tool) -----------------------------------------------------------------------------------
copy_exec /usr/bin/udevadm /usr/bin/udevadm
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/udevadm /usr/bin/udevadm] \n\e[0m"
### Include 'sha384sum' 'sha512sum' --------------------------------------------------------------------------------------------
copy_exec /usr/bin/sha384sum /usr/bin/sha384sum
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin/sha384sum ] \n\e[0m"
copy_exec /usr/bin/sha512sum /usr/bin/sha512sum
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha512sum /usr/bin/sha512sum] \n\e[0m"
### Include 'tree' -------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/tree /usr/bin/tree
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/tree /usr/bin/tree] \n\e[0m"
### Include 'whois' ------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/whois /usr/bin/whois
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/whois /usr/bin/whois] \n\e[0m"
### Link busybox applets for compatibility -------------------------------------------------------------------------------------
for dir in bin usr/bin; do
ln -sf busybox "${DESTDIR}/${dir}/cat"
ln -sf busybox "${DESTDIR}/${dir}/sleep"
done
### Install GPG signing keys ---------------------------------------------------------------------------------------------------
src_dir="/etc/ciss/keys"
dst_dir="${DESTDIR}/etc/ciss/keys"
key=""
if [ -d "${src_dir}" ]; then
install -d -m 0755 "${dst_dir}"
for key in "${src_dir}"/*.gpg; do
[ -e "${key}" ] || continue
install -m 0444 "${key}" "${dst_dir}/"
printf '\e[92mSuccessfully executed: [install -m 0444 %s %s]\n\e[0m' "${key}" "${dst_dir}"
done
fi
printf "\e[92mSuccessfully executed: [ciss_debian_live_builder] \n\e[0m"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
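Review bot: The two hooks given mode 0755 on the new side, `9999_ciss_custom_prompt.sh` and `9999_ciss_debian_live_builder.sh`, share the same numeric prefix, and initramfs-tools orders hook scripts by their `prereqs` output (the PREREQ mechanism the removed hook used at its top), not by file name; if one of them relies on the other having run first, that must be declared in its `PREREQ=` line. The four `chmod 0755` calls only set modes on files this hunk does not create, so if they are written earlier in this script (outside the hunk) the mode can be set at creation with `install -m 0755` and a missing file cannot abort the run with nothing but chmod's own message. The removed hook also copied `gpgv`, `sha384sum` and `sha512sum` into the initramfs and installed the `/etc/ciss/keys/*.gpg` files; those steps are not visible on the new side, so presumably `9999_ciss_debian_live_builder.sh` carries them — worth confirming, since any in-initramfs signature check depends on them. The enclosing script continues outside this hunk.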


@@ -36,13 +36,22 @@ cd "${var_build_dir}"
# -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup) # -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup)
# shellcheck disable=SC2016,SC2312 # shellcheck disable=SC2016,SC2312
setsid bash -c ' if ! setsid bash -c '
### Sterile environment for the build-process. ### Sterile environment for the build-process.
export -n SHELLOPTS
export -n SHELLOPTS || true
set +u set +u
unset PATH_SEPARATOR unset PATH_SEPARATOR
PATH_SEPARATOR=":" PATH_SEPARATOR=":"
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
if ! command -v musl-gcc >/dev/null 2>&1; then
echo "ERROR: musl-gcc not found. Install musl-tools in chroot." >&2
exit 1
fi
CC=musl-gcc \ CC=musl-gcc \
CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \ CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \
LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \ LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \
@@ -55,6 +64,13 @@ setsid bash -c '
# shellcheck disable=2312 # shellcheck disable=2312
make -j"$(nproc)" make -j"$(nproc)"
' >| "${var_logfile}" 2>&1 ' >| "${var_logfile}" 2>&1
then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2
tail -n 42 "${var_logfile}" >&2 || true
exit 42
fi
rm -rf /root/dropbear rm -rf /root/dropbear
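Review bot: The quoted script handed to `setsid bash -c` runs with only `set +u` after the exported `SHELLOPTS` is dropped, so unless the lines between the two hunks chain configure and make with `&&`, the status the new `if !` tests is that of the final `make -j"$(nproc)"` alone and a failed configure step is masked until make trips over a missing Makefile or builds with default options. Add `set -eo pipefail` on the line after `set +u` inside the quoted script so every step aborts the build and reaches the new failure branch. Dropping the inherited SHELLOPTS is the right call for a sterile environment, but it is exactly why the inner script needs its own `set -e`. The quoted script begins in this hunk and ends in the second hunk; its middle lines are outside view.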


@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -13,60 +13,45 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
### Declare Arrays, HashMaps, and Variables.
declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" INITRD="No" export DEBIAN_FRONTEND="noninteractive" INITRD="No"
### Declare Arrays, HashMaps, and Variables. apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
declare var_file="" apt-get purge -y dropbear dropbear-run 2>&1 | tee -a "${var_logfile}"
declare -r var_logfile="/root/.ciss/cdi/log/4311_dropbear_initramfs.log" apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
declare var_target="${TARGET}" apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a "${var_logfile}"
### Check for TARGET / RECOVERY. mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}" install -m 0755 -o root -g root /root/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear
rm -f /root/dropbear
chroot_logger "${var_target}${var_logfile}"
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a ${var_logfile}
"
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get purge -y dropbear dropbear-run || true
"
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a ${var_logfile}
"
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a ${var_logfile}
"
mv "${var_target}/usr/sbin/dropbear" "${var_target}/usr/sbin/dropbear.trixie"
install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${var_target}/usr/sbin/"
do_log "debug" "file_only" "4311() Installation [dropbear] successful."
mv /usr/sbin/dropbear /usr/sbin/dropbear.trixie
install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
for var_file in dbclient dropbearconvert dropbearkey; do for var_file in dbclient dropbearconvert dropbearkey; do
mv "${var_target}/usr/bin/${var_file}" "${var_target}/usr/bin/${var_file}.trixie" mv "/usr/bin/${var_file}" "/usr/bin/${var_file}.trixie"
install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${var_target}/usr/bin/" install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/
do_log "debug" "file_only" "4311() Installation [${var_file}] successful."
done done
mkdir -p "${var_target}/etc/initramfs-tools/scripts/init-bottom" mkdir -p /etc/initramfs-tools/scripts/init-bottom
cat << 'EOF' >| "${var_target}/etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill" cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
#!/bin/sh #!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
PREREQ="" PREREQ=""
prereqs() { echo "${PREREQ}"; } prereqs() { echo "${PREREQ}"; }
@@ -91,12 +76,22 @@ exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF EOF
chmod 0755 "${var_target}/etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill" chmod 0755 /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
cat << EOF >| /etc/apt/preferences.d/99-mask-dropbear
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
insert_header "${var_target}/etc/apt/preferences.d/99-mask-dropbear"
insert_comments "${var_target}/etc/apt/preferences.d/99-mask-dropbear"
cat << 'EOF' >> "${var_target}/etc/apt/preferences.d/99-mask-dropbear"
# Never install the dropbear daemon package at all. # Never install the dropbear daemon package at all.
Package: dropbear Package: dropbear
Pin: release * Pin: release *
Pin-Priority: -1 Pin-Priority: -1
@@ -104,10 +99,20 @@ Pin-Priority: -1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
insert_header "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs" cat << EOF >| /etc/apt/preferences.d/99-mask-dropbear-initramfs
insert_comments "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs" # SPDX-Version: 3.0
cat << 'EOF' >> "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs" # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Keep the currently installed initramfs integration; never upgrade it. # Keep the currently installed initramfs integration; never upgrade it.
Package: dropbear-initramfs Package: dropbear-initramfs
Pin: release * Pin: release *
Pin-Priority: -1 Pin-Priority: -1
@@ -115,8 +120,7 @@ Pin-Priority: -1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
chroot_script "${var_target}" "systemctl mask dropbear.service dropbear.socket" systemctl mask dropbear.service dropbear.socket
do_log "info" "file_only" "4311() Masked: [dropbear.service dropbear.socket]"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"


@@ -0,0 +1,149 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
#######################################
# Set up the 'dropbear-initramfs' environment.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
#######################################
dropbear_setup() {
### Declare Arrays, HashMaps, and Variables.
declare network_static_ipv4ntpserver_0="192.53.103.108"
# shellcheck disable=SC2155
declare user_root_sshpubkey="$(< /root/.ssh/authorized_keys)"
declare var_force_command_string='command="/usr/local/bin/unlock_wrapper.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding '
### Prepare strong dropbear host keys.
rm -f /etc/dropbear/initramfs/dropbear*key*
if [[ -d /root/ssh ]]; then
dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key /etc/dropbear/initramfs/dropbear_ed25519_host_key
dropbearconvert openssh dropbear /root/ssh/ssh_host_rsa_key /etc/dropbear/initramfs/dropbear_rsa_host_key
dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/dropbear/initramfs/dropbear_rsa_host_key.pub
else
# shellcheck disable=SC2312
/usr/bin/dropbearkey -t ed25519 -f /etc/dropbear/initramfs/dropbear_ed25519_host_key -C "root@live-$(date -I)"
# shellcheck disable=SC2312
/usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key -C "root@live-$(date -I)"
fi
### Prepare dropbear authorized_keys.
printf "%s\n" "${var_force_command_string}${user_root_sshpubkey}" >| /etc/dropbear/initramfs/authorized_keys
chmod 0600 /etc/dropbear/initramfs/authorized_keys
install -m 0644 -o root -g root /etc/banner /etc/dropbear/initramfs/banner
### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
### "IP=:::::<NIC>:dhcp"
printf "IP=::::::dhcp\n" >| /etc/initramfs-tools/conf.d/ip
### Generate dropbear configuration file.
write_dropbear_conf
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f dropbear_setup
#######################################
# Write '/etc/dropbear/initramfs/dropbear.conf'.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
#######################################
write_dropbear_conf() {
# shellcheck disable=SC2155
declare sshport="$(< /root/sshport)"
rm -f /root/sshport
[[ -z "${sshport:-}" ]] && sshport="2222"
cat << EOF >| /etc/dropbear/initramfs/dropbear.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Configuration options for the dropbear-initramfs boot scripts.
# Variable assignment follow shell semantics and escaping/quoting rules.
# You must run update-initramfs(8) to effect changes to this file (like
# for other files in the '/etc/dropbear/initramfs' directory).
# Command line options to pass to dropbear(8).
# Dropbear options for 2025+:
# -b: Display the contents of bannerfile before user login
# -E: Log to stderr
# -I: Idle timeout in seconds
# -K: Keepalive interval in seconds
# -p: Specify port (and optionally address)
# -w: Disable root login (SHOULD NOT be implemented for initramfs)
DROPBEAR_OPTIONS="-b /etc/dropbear/banner -E -I 300 -K 60 -p ${sshport}"
# On local (non-NFS) mounts, interfaces matching this pattern are
# brought down before exiting the ramdisk to avoid dirty network
# configuration in the normal kernel.
# The special value 'none' keeps all interfaces up and preserves routing
# tables and addresses.
#IFDOWN="*"
# On local (non-NFS) mounts, the network stack and dropbear are started
# asynchronously at init-premount stage. This value specifies the
# maximum number of seconds to wait (while the network/dropbear are
# being configured) at init-bottom stage before terminating dropbear and
# bringing the network down.
# If the timeout is too short, and if the boot process is not blocking
# on user input supplied via SSHd (ie no remote unlocking), then the
# initrd might pivot to init(1) too early, thereby causing a race
# condition between network configuration from initramfs vs from the
# normal system.
#DROPBEAR_SHUTDOWN_TIMEOUT=60
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_dropbear_conf
dropbear_setup
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
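Review bot: The forced-command restriction in dropbear_setup is applied to the file, not to each key: L609 reads all of /root/.ssh/authorized_keys into one variable and L625 prepends `command=…,no-agent-forwarding,…` once, so if that file holds more than one key line only the first one is restricted and every following key is written verbatim, giving its holder an unrestricted initramfs shell instead of the unlock wrapper. Rewriting the authorized_keys step as a per-line loop keeps the intent and makes the L609 whole-file read unnecessary; the loop below skips blank and `#` lines and uses `>>` so it stays compatible with `set -C`. Unrelated but visible: `network_static_ipv4ntpserver_0` (L607) is declared and never used in this function.
```shell
  ### Prepare dropbear authorized_keys: apply the forced command to every key line.
  : >| /etc/dropbear/initramfs/authorized_keys
  while IFS= read -r key_line || [[ -n "${key_line}" ]]; do
    [[ -z "${key_line}" || "${key_line}" == \#* ]] && continue
    printf '%s%s\n' "${var_force_command_string}" "${key_line}" >> /etc/dropbear/initramfs/authorized_keys
  done < /root/.ssh/authorized_keys
  chmod 0600 /etc/dropbear/initramfs/authorized_keys
  # … unchanged: banner install, IP= configuration, write_dropbear_conf …
```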


@@ -0,0 +1,490 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper.sh to be executed as 'dropbear-initramfs' SSH forced command.
set -Ceu -o pipefail -o ignoreeof
shopt -s failglob
shopt -s lastpipe
shopt -u nullglob
umask 0077
export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
#######################################
# Variable declaration
#######################################
# shellcheck disable=SC2016
declare -r REGEX='^\$6\$(rounds=([1-9][0-9]{3,8})\$)?([./A-Za-z0-9]{1,16})\$([./A-Za-z0-9]{86})$'
# shellcheck disable=SC2155
declare -r CURRENTDATE=$(date +"%F %T")
declare -g ERRTRAP='false'
declare -r GRE='\e[0;92m'
declare -r MAG='\e[0;95m'
declare -r RED='\e[0;91m'
declare -r RES='\e[0m'
declare -r NL='\n'
declare -g NUKE_ENABLED='false'
declare -g NUKE_HASH=''
declare -g PASSPHRASE=''
#######################################
# Read passphrase strictly from STDIN (SSH channel), not '/dev/console'.
# Arguments:
# 1: Prompt to print on terminal
# 2: Variable name to capture passphrase
#######################################
ask_via_stdin() {
declare -r prompt="$1"
declare -r varname="$2"
### Prompt to STDERR so pipes don't capture it.
printf "%s" "${prompt}" >&2
### Silent, canonical read from FD 0 (SSH channel when forced-command).
IFS= read -r -s "${varname?}" <&0
printf "\n" >&2
return 0
}
#######################################
# Printed text in color.
# Arguments:
# 1: Color code.
# *: Text to print.
#######################################
color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "${c}" "${msg}" "${RES}" "${NL}"; return 0; }
#######################################
# Die Helper: print and then exit hard.
# Globals:
# NC
# RED
# Arguments:
# 1: Message string to print.
#######################################
die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; }
#######################################
# Drop into the bash environment.
# Arguments:
# None
#######################################
drop_bash() { stty echo 2>/dev/null || true; prompt_string; exec /bin/bash -i; }
#######################################
# Extract the 'nuke=' parameter from '/proc/cmdline'.
# Globals:
# GRE
# NUKE_ENABLED
# NUKE_HASH
# RED
# REGEX
# Arguments:
# None
# Returns:
# 0: on success
#######################################
extract_nuke_hash() {
declare ARG="" CMDLINE=""
### Read '/proc/cmdline' into a single line safely.
read -r CMDLINE < /proc/cmdline
for ARG in ${CMDLINE}; do
case "${ARG,,}" in
nuke=*)
NUKE_HASH="${ARG#*=}"
if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
declare -g NUKE_ENABLED="true"
color_echo "${GRE}" "✅ System self check: [ok]"
return 0
else
### If there is a malformed Grub Bootparameter 'nuke=HASH', drop to bash.
color_echo "${RED}" "✘ Nuke Hash Malformat : [${REGEX}] [${NUKE_HASH}]."
color_echo "${RED}" "✘ Dropping to bash ...:"
drop_bash
fi
;;
esac
done
color_echo "${GRE}" "✅ No Nuke Hash found."
return 0
}
#######################################
# Gather information of all LUKS Devices available on the system.
# Arguments:
# None
#######################################
gather_luks_devices() {
declare prev=() curr=()
declare -i tries=0
while ((tries < 10)); do
# shellcheck disable=SC2312
mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | /usr/bin/sort -V)
if [[ "${curr[*]}" == "${prev[*]}" ]]; then
break
fi
prev=("${curr[@]}")
tries=$((tries + 1))
sleep 1
done
printf '%s\n' "${curr[@]}"
return 0
}
#######################################
# Erase the LUKS headers on all LUKS devices, then shut down the system.
# Globals:
# DEVICES_LUKS
# RED
# Arguments:
# None
#######################################
nuke() {
declare dev=""
for dev in "${DEVICES_LUKS[@]}"; do
cryptsetup erase --batch-mode "${dev}" || true
color_echo "${RED}" "✘ Error: LUKS Device Header malfunction: [${dev}]."
done
secure_unset_pass
color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds."
power_off 16
}
#######################################
# Unified power-off routine.
# Arguments:
# 1: Sleep time before power-off in seconds (Default to 0 seconds).
#######################################
power_off() {
declare -r wait="${1:-0}"
sleep "${wait}"
sync
echo 1 >| /proc/sys/kernel/sysrq
echo o >| /proc/sysrq-trigger
### The System powers off immediately; no further code is executed.
}
#######################################
# Print Error Message for Trap on 'ERR' on Terminal.
# Globals:
# NL
# RED
# Arguments:
# 1: ${?}
# 2: ${BASH_SOURCE[0]}
# 3: ${LINENO}
# 4: ${FUNCNAME[0]:-main}
# 5: ${BASH_COMMAND}
#######################################
print_scr_err() {
declare -r scr_err_errcode="$1"
declare -r scr_err_errscrt="$2"
declare -r scr_err_errline="$3"
declare -r scr_err_errfunc="$4"
declare -r scr_err_errcmmd="$5"
printf "%b" "${NL}" >&2
color_echo "${RED}" "✘ System caught an 'ERROR'. System Power Off in 16 seconds." >&2
printf "%b" "${NL}" >&2
color_echo "${RED}" "✘ Error : [${scr_err_errcode}]" >&2
color_echo "${RED}" "✘ Line : [${scr_err_errline}]" >&2
color_echo "${RED}" "✘ Script : [${scr_err_errscrt}]" >&2
color_echo "${RED}" "✘ Function : [${scr_err_errfunc}]" >&2
color_echo "${RED}" "✘ Command : [${scr_err_errcmmd}]" >&2
printf "%b" "${NL}" >&2
return 0
}
#######################################
# Print Error Message for '0'-Exit-Code on Terminal.
# Globals:
# GRE
# Arguments:
# None
#######################################
print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; sleep 3; }
#######################################
# Generates an informative shell prompt.
# Globals:
# PS1
# Arguments:
# None
#######################################
prompt_string() {
declare -gx PS1="\
\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
\[\033[1;95m\]\h\[\033[0m\]:\
\[\033[1;96m\]\w\[\033[0m\]/>>\
\$(if [[ \$? -eq 0 ]]; then \
# Show exit status in green if zero
echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
else \
# Show exit status in red otherwise
echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
fi)\
|~\$ "
}
#######################################
# Read the passphrase interactively.
# Globals:
# NUKE_ENABLED
# NUKE_HASH
# PASSPHRASE
# Arguments:
# None
# Returns:
# 0: on success
#######################################
read_passphrase() {
declare -i ROUNDS=0
declare CAND="" SALT=""
### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'.
ask_via_stdin "Enter passphrase: " PASSPHRASE
### NUKE pre-check.
if [[ "${NUKE_ENABLED,,}" == "true" ]]; then
ROUNDS="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
ROUNDS="${ROUNDS#rounds=}"
SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")"
CAND=$(/usr/mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}")
### NUKE final check.
if [[ "${CAND}" == "${NUKE_HASH}" ]]; then
nuke
fi
fi
return 0
}
#######################################
# Securely unset the 'PASSPHRASE'-variable.
# Globals:
# PASSPHRASE
# Arguments:
# None
#######################################
secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; return 0; }
#######################################
# Trap function to be called on 'ERR'.
# Arguments:
# 1: ${?}
# 2: ${BASH_SOURCE[0]}
# 3: ${LINENO}
# 4: ${FUNCNAME[0]:-main}
# 5: ${BASH_COMMAND}
#######################################
trap_on_err() {
declare -r errcode="$1"
declare -r errscrt="$2"
declare -r errline="$3"
declare -r errfunc="$4"
declare -r errcmmd="$5"
declare -g ERRTRAP='true'
trap - ERR INT TERM
stty echo 2>/dev/null || true
print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
power_off 16
}
#######################################
# Security Trap on 'EXIT'.
# Globals:
# ERRTRAP
# Arguments:
# None
#######################################
trap_on_exit() {
trap - ERR EXIT INT TERM
[[ "${ERRTRAP,,}" == "false" ]] && print_scr_scc
}
#######################################
# Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the nuke routine.
# Globals:
# NL
# RED
# Arguments:
# None
#######################################
trap_on_term() {
trap - ERR INT TERM
stty echo 2>/dev/null || true
printf "%b" "${NL}"
color_echo "${RED}" "✘ Received termination signal. System Power Off in 3 seconds."
power_off 3
}
#######################################
# Check the integrity and authenticity of this script itself.
# Globals:
# GRE
# MAG
# RED
# Arguments:
# 0: Script Name
#######################################
verify_script() {
declare dir
# shellcheck disable=SC2312
dir="$(dirname "$(readlink -f "${0}")")"
declare script; script="$(basename "${0}")"
declare -a algo=( "sha512" )
declare cmd="" computed="" expected="" hashfile="" item="" sigfile=""
for item in "${algo[@]}"; do
hashfile="${dir}/${script}.${item}"
sigfile="${hashfile}.sig"
cmd="${item}sum"
color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
if ! gpgv --keyring /etc/keys/unlock_wrapper_pubring.gpg "${sigfile}" "${hashfile}"; then
color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
color_echo "${RED}" "✘ System Power Off in 3 seconds."
power_off 3
else
color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
fi
color_echo "${MAG}" "🔢 Recomputing Hash: [${item}]"
# shellcheck disable=SC2312
read -r computed _ < <("${cmd}" "${dir}/${script}")
read -r expected < "${hashfile}"
if [[ "${computed}" != "${expected}" ]]; then
color_echo "${RED}" "✘ Recomputed hash mismatch for : [${item}]"
color_echo "${RED}" "✘ System Power Off in 3 seconds."
power_off 3
fi
color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful."
done
color_echo "${GRE}" "🔏 All signatures and hashes verified successfully. Proceeding."
return 0
}
#######################################
# Main Program Sequence.
# Globals:
# CURRENTDATE
# DEVICES_LUKS
# GRE
# MAG
# NL
# PASSPHRASE
# RED
# Arguments:
# None
#######################################
main() {
exec 1>&2
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
trap 'trap_on_exit' EXIT
trap 'trap_on_term' INT TERM
uname -a
printf "%b" "${NL}"
color_echo "${RED}" "Coresecret Connection established."
color_echo "${RED}" "Starting Time: ${CURRENTDATE}"
printf "%b" "${NL}"
color_echo "${MAG}" "Integrity self-check ..."
verify_script
### Read newline-separated output into an array.
printf "%b" "${NL}"
color_echo "${MAG}" "Scanning for LUKS devices ..."
# shellcheck disable=SC2312
mapfile -t DEVICES_LUKS < <(gather_luks_devices)
### If there are no LUKS devices at all, drop to bash.
if (( ${#DEVICES_LUKS[@]} == 0 )); then
printf "%b" "${NL}"
color_echo "${RED}" "✘ No LUKS Devices found. Dropping to bash ..."
drop_bash
fi
### Extract the 'nuke='-parameter from '/proc/cmdline'.
printf "%b" "${NL}"
extract_nuke_hash
### Read passphrase interactively.
read_passphrase
if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then
secure_unset_pass
exit 0
else
secure_unset_pass
printf "%b" "${NL}"
color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'."
color_echo "${GRE}" " No LUKS operations performed. Dropping to bash ..."
color_echo "${GRE}" " To unlock 'root' partition, and maybe others like '/home', run 'cryptroot-unlock'."
drop_bash
fi
}
main "${@}"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
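Review bot: read_passphrase (L938–L955) hands the candidate passphrase to mkpasswd as a command-line argument at L948, where it is readable from the process list for the lifetime of that process; mkpasswd has `--stdin` for exactly this case. The same function also assumes a `rounds=` component is present, but REGEX (L730) makes it optional: for a hash without it `cut -d'$' -f3` returns the salt, and because ROUNDS is declared `-i` that string is arithmetically evaluated, so depending on the salt's characters the assignment either errors (tripping the ERR trap and powering off) or yields 0 and a `--rounds=0` hash that can never match — either way the nuke check is not performed. Taking the fields from BASH_REMATCH of the already-validated pattern and only passing `--rounds` when captured avoids both problems; the comparison and nuke() call stay as they are.
```shell
read_passphrase() {
  declare ROUNDS="" CAND="" SALT=""
  # … unchanged: ask_via_stdin "Enter passphrase: " PASSPHRASE …
  ### NUKE pre-check: take rounds/salt from the validated match; 'rounds=' is optional in REGEX.
  if [[ "${NUKE_ENABLED,,}" == "true" && "${NUKE_HASH}" =~ ${REGEX} ]]; then
    ROUNDS="${BASH_REMATCH[2]}"
    SALT="${BASH_REMATCH[3]}"
    declare -a mkpw_args=(--method=sha-512 --stdin --salt="${SALT}")
    [[ -n "${ROUNDS}" ]] && mkpw_args+=(--rounds="${ROUNDS}")
    ### Feed the candidate over stdin so it never appears in the process argument list.
    CAND=$(printf '%s' "${PASSPHRASE}" | /usr/mkpasswd "${mkpw_args[@]}")
    # … unchanged: final comparison and nuke() call …
  fi
  return 0
}
```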


@@ -0,0 +1 @@
2d90783e0ffba3c6972b3a0d5335cca4a37c03b417f43b62b082a83734d4e4148390ac22509e68d63aaca11baf4fb081747f83347eab08176fb647e5445372f6


@@ -0,0 +1,78 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper_signer.sh for signing unlock_wrapper.sh
set -Ceuo pipefail
### Paths
declare -r SCRIPT="/etc/initramfs-tools/files/unlock_wrapper.sh"
declare -r KEYFILE="/root/.ciss/keys/dummy_0x12345678_SECRET.asc"
declare -r GNUPGHOME="/root/.ciss/gnupg"
### Output Files
declare -r HASH384="${SCRIPT}.sha384"
declare -r HASH512="${SCRIPT}.sha512"
declare -r SIG384="${HASH384}.sig"
declare -r SIG512="${HASH512}.sig"
### Ensure GNUPGHOME exists with secure permissions
mkdir -p "${GNUPGHOME}"
chmod 0700 "${GNUPGHOME}"
### Import private key only if not already present
if ! gpg --homedir "${GNUPGHOME}" --list-secret-keys | grep -q "sec"; then
printf "\e[0;92m✅ Importing private key ... \e[0m\n"
gpg --homedir "${GNUPGHOME}" --import "${KEYFILE}"
else
printf "\e[0;92m✅ Private key already present in keyring. \e[0m\n"
fi
### Extract fingerprint of the first secret key
# shellcheck disable=SC2155
declare -r FPR=$(gpg --homedir "${GNUPGHOME}" --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }')
if [[ -z "${FPR}" ]]; then
printf "\e[0;91m✘ Error: Could not extract fingerprint from keyring. \e[0m\n" >&2
exit 1
fi
printf "\e[0;92m✅ Using GPG key fingerprint: [%s] \e[0m\n" "${FPR}"
### Hashing (only the hash value, no filename)
printf "\e[0;95m🔢 Generating Hashes ... \e[0m\n"
if sha384sum "${SCRIPT}" | awk '{print $1}' >| "${HASH384}"; then
printf "\e[0;92m✅ Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH384}" "${SCRIPT}"
fi
if sha512sum "${SCRIPT}" | awk '{print $1}' >| "${HASH512}"; then
printf "\e[0;92m✅ Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH512}" "${SCRIPT}"
fi
printf "\e[0;92m🔢 Generating Hashes done. \e[0m\n"
### Signing Hashes
printf "\e[0;95m🔑 Signing hashes ... \e[0m\n"
if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG384}" --detach-sign "${HASH384}"; then
printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH384}" "${SIG384}"
fi
if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG512}" --detach-sign "${HASH512}"; then
printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH512}" "${SIG512}"
fi
printf "\e[0;92m🔑 Signing hashes done. \e[0m\n"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
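Review bot: The `if sha384sum … ; then … fi` / `if gpg … --detach-sign … ; then … fi` forms at L1159–L1173 can only report success and never fail: `set -e` is suspended inside an `if` condition, so a failed hash or signing step leaves a stale or missing `.sha512`/`.sig` next to the script and the signer still exits 0, and the initramfs hook would then ship whatever is on disk. Add an explicit failure branch to each of the four blocks, e.g. `else printf '\e[0;91m✘ Signing %s failed.\e[0m\n' "${HASH512}" >&2; exit 1; fi`. The sha384 pair is produced but only the sha512 pair is installed by the hook and checked by verify_script, so either drop the 384 branch or align the consumers.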


@@ -0,0 +1,42 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -e
printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh] \n\e[0m"
PREREQ=""
prereqs() { echo "${PREREQ}"; }
# shellcheck disable=SC2249
case "${1}" in
prereqs) prereqs; exit 0 ;;
esac
. /usr/share/initramfs-tools/hook-functions
mkdir -p "${DESTDIR}/etc"
cat >| "${DESTDIR}/etc/profile" << 'EOF'
export PS1='$( STATUS=$?; \
if [ "${STATUS}" -eq 0 ]; then \
printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;92m\002%d\001\e[0m\002|~#> " "${STATUS}"; \
else \
printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;91m\002%d\001\e[0m\002|~#> " "${STATUS}"; \
fi; ) '
EOF
printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh] \n\e[0m"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
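Review bot: The `printf "\e[95m…"` calls at L1195 and L1212 depend on the `\e` escape inside a `#!/bin/sh` script; POSIX printf defines only `\a \b \f \n \r \t \v \\` and `\ddd`, and dash, which is Debian's /bin/sh and the interpreter update-initramfs uses for these hooks, does not implement `\e`, so the colour codes come out as literal text. Use the octal form instead, e.g. `printf '\033[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh] \n\033[0m'`; the same pattern runs through the hook at L1232–L1321. Separately, `>|` at L1204 replaces `${DESTDIR}/etc/profile` wholesale; if another hook has already written that file its content is lost, so appending with `>>` may be the safer choice if that is a possibility in this build.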


@@ -0,0 +1,155 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -e
printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m"
PREREQ=""
prereqs() { echo "${PREREQ}"; }
# shellcheck disable=SC2249
case "${1}" in
prereqs) prereqs; exit 0 ;;
esac
. /usr/share/initramfs-tools/hook-functions
### Ensure directory structure in initramfs ------------------------------------------------------------------------------------
install -d -m 0755 "${DESTDIR}/etc/ciss/keys"
install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/conf.d"
install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
install -d -m 0755 "${DESTDIR}/usr/bin"
install -d -m 0755 "${DESTDIR}/usr/local/bin"
install -d -m 0755 "${DESTDIR}/usr/sbin"
### Include 'bash' -------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/bash /usr/bin/bash
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/bash /usr/bin/bash] \n\e[0m"
### Include 'blkid' ------------------------------------------------------------------------------------------------------------
copy_exec /usr/sbin/blkid /usr/sbin/blkid
printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid] \n\e[0m"
### Include 'busybox' ----------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/busybox /usr/busybox
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"
### Include GNU coreutils 'sort' (has -V) --------------------------------------------------------------------------------------
copy_exec /usr/bin/sort /usr/bin/sort
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m"
### Include 'gpgv' -------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/gpgv /usr/bin/gpgv
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m"
### Include 'lsblk' ------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/lsblk /usr/bin/lsblk
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin/lsblk] \n\e[0m"
### Include 'mkpasswd' ---------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/mkpasswd /usr/mkpasswd
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/mkpasswd] \n\e[0m"
copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd] \n\e[0m"
### Include 'udevadm' (udev management tool) -----------------------------------------------------------------------------------
copy_exec /usr/bin/udevadm /usr/bin/udevadm
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/udevadm /usr/bin/udevadm] \n\e[0m"
### Include 'sha384sum' 'sha512sum' --------------------------------------------------------------------------------------------
copy_exec /usr/bin/sha384sum /usr/bin/sha384sum
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin/sha384sum ] \n\e[0m"
copy_exec /usr/bin/sha512sum /usr/bin/sha512sum
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha512sum /usr/bin/sha512sum] \n\e[0m"
### Include 'tree' -------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/tree /usr/bin/tree
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/tree /usr/bin/tree] \n\e[0m"
### Include 'whois' ------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/whois /usr/bin/whois
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/whois /usr/bin/whois] \n\e[0m"
### Link busybox applets for compatibility -------------------------------------------------------------------------------------
for dir in bin usr/bin; do
ln -sf busybox "${DESTDIR}/${dir}/cat"
ln -sf busybox "${DESTDIR}/${dir}/sleep"
done
### Install GPG signing keys ---------------------------------------------------------------------------------------------------
src_dir="/etc/ciss/keys"
dst_dir="${DESTDIR}/etc/ciss/keys"
key=""
if [ -d "${src_dir}" ]; then
install -d -m 0755 "${dst_dir}"
for key in "${src_dir}"/*.gpg; do
[ -e "${key}" ] || continue
install -m 0444 "${key}" "${dst_dir}/"
printf '\e[92mSuccessfully executed: [install -m 0444 %s %s]\n\e[0m' "${key}" "${dst_dir}"
done
fi
### Install Dropbear configuration ---------------------------------------------------------------------------------------------
install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}"
# TODO: Update the scripts to be usable for upcoming Live ISO encryption
# TODO: Integrate online signing
### Install Dropbear 'cryptroot-unlock'-Wrapper --------------------------------------------------------------------------------
install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh "${DESTDIR}/usr/local/bin/unlock_wrapper.sh"
printf "\e[92mSuccessfully executed: [install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh %s/usr/local/bin/unlock_wrapper.sh] \n\e[0m" "${DESTDIR}"
install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512"
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 %s/usr/local/bin/unlock_wrapper.sh.sha512] \n\e[0m" "${DESTDIR}"
install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512.sig"
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig %s/usr/local/bin/unlock_wrapper.sh.sha512.sig] \n\e[0m" "${DESTDIR}"
# TODO: Refactor with online signing
### Install Dropbear GPG Signing Keys ------------------------------------------------------------------------------------------
install -m 0444 /root/.ciss/cdi/keys/unlock_wrapper_pubring.gpg "${DESTDIR}/etc/keys/unlock_wrapper_pubring.gpg"
printf "\e[92mSuccessfully executed: [install -m 0444 /root/.ciss/cdi/keys/unlock_wrapper_pubring.gpg %s/etc/keys/unlock_wrapper_pubring.gpg] \n\e[0m" "${DESTDIR}"
### Install Dropbear Banner ----------------------------------------------------------------------------------------------------
install -m 0444 /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/banner"
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"
### EOS
printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
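Review bot: `install -m 0444 … "${DESTDIR}/etc/keys/unlock_wrapper_pubring.gpg"` at L1315 targets a directory this hook never creates — L1241 creates `${DESTDIR}/etc/ciss/keys`, not `${DESTDIR}/etc/keys` — and `install` without `-D` does not create parents, so under `set -e` the hook aborts and update-initramfs fails unless some other hook happens to create `/etc/keys` first. Either add `install -d -m 0755 "${DESTDIR}/etc/keys"` to the directory block or use `install -D -m 0444 …` at L1315. verify_script in unlock_wrapper.sh reads `/etc/keys/unlock_wrapper_pubring.gpg`, so the install path rather than the directory creation is the intended one; the `*.gpg` loop at L1293–L1300 populates `/etc/ciss/keys`, which nothing in this commit reads. The applet symlinks at L1286–L1287 point to a relative `busybox` in `bin/` and `usr/bin/` while this hook copies the binary to `/usr/busybox` (L1254), so they only resolve if the stock busybox hook has placed one alongside them.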


@@ -0,0 +1,33 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -e
PREREQ=""
prereqs() { echo "${PREREQ}"; }
# shellcheck disable=SC2249
case "${1}" in
prereqs) prereqs; exit 0 ;;
esac
mkdir -p /run/ciss
printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_premount_early.log
### Make sure /usr/local/bin is in front of 'PATH'.
export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_premount_late.log
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
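Review bot: The `export PATH="/usr/local/bin:..."` under the `### Make sure /usr/local/bin is in front of 'PATH'.` comment very likely changes only this script's own environment: initramfs-tools' `call_scripts` (in `/scripts/functions`) executes each init-premount script as a child process rather than sourcing it, so the dropbear script and everything after it keep the original initramfs PATH even though `/run/ciss/fixpath_init_premount_late.log` will show the new value — please confirm against the initramfs-tools version you ship. If the intent is to have `unlock_wrapper.sh` resolved from `/usr/local/bin`, set PATH where it is inherited (the init environment or the hook that assembles the initramfs) or have the consumer use the absolute path, and keep this script for logging only. The trailing `/usr` entry also holds no executables and reads like a truncated `/usr/local/sbin`; I would write `export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"`.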


@@ -0,0 +1,33 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -e
PREREQ=""
prereqs() { echo "${PREREQ}"; }
# shellcheck disable=SC2249
case "${1}" in
prereqs) prereqs; exit 0 ;;
esac
mkdir -p /run/ciss
printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_top_early.log
### Make sure /usr/local/bin is in front of 'PATH'.
export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_top_late.log
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
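Review bot: This init-top script is byte-identical to the init-premount variant apart from the two log file names, so the PATH fix is applied twice in the same boot, and the `/usr` entry at the end of `export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"` is a directory with no binaries while `/usr/local/sbin` is missing — harmless for the wrapper, which lives in `/usr/local/bin`, but it looks like a truncated entry. Because init-top already runs before init-premount, and because initramfs-tools appears to execute (not source) these scripts so the `export` does not reach the parent `init` anyway, I would keep a single copy, e.g. `### NOTE: executed as a child process by call_scripts; PATH below only affects this script and its log.` above the export, and drop or source the second one. A shared snippet under `/scripts/functions`-style sourcing would also keep both log names in one place.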


@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08 # Version Master V8.13.404.2025.11.10
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa 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 [git.coresecret.dev]:42842 ssh-rsa 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


@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08 # Version Master V8.13.404.2025.11.10
### https://www.ssh-audit.com/ ### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig


@@ -11,7 +11,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08 # Version Master V8.13.404.2025.11.10
### https://docs.kernel.org/ ### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/


@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
declare -gr VERSION="Master V8.13.400.2025.11.08" declare -gr VERSION="Master V8.13.404.2025.11.10"
### VERY EARLY CHECK FOR DEBUGGING ### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then if [[ $* == *" --debug "* ]]; then


@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/ # Please consider donating to my work at: https://coresecret.eu/spenden/
########################################################################################### ###########################################################################################
# Written by: ./preseed_hash_generator.sh Version: Master V8.13.400.2025.11.08 at: 10:18:37.9542 # Written by: ./preseed_hash_generator.sh Version: Master V8.13.404.2025.11.10 at: 10:18:37.9542


@@ -209,12 +209,12 @@ Verify_checksums() {
if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then
_RETURN_SHA="${?}" _RETURN_SHA="${?}"
printf "\e[92m[INFO] Found: [%s] successful done, for: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}" printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
else else
_RETURN_SHA="${?}" _RETURN_SHA="${?}"
printf "\e[91m[FATAL] Found: [%s] failed, for: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}" printf "\e[91m[FATAL] Found: [%s] unsuccessful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
fi fi
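Review bot: In the `else` branch a failed `grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c` only prints the `[FATAL] ... unsuccessful verified` line and stores the status in `_RETURN_SHA`; nothing in this hunk stops the boot, so unless the code after this block (outside the hunk) panics on a non-zero `_RETURN_SHA`, a medium with a modified squashfs still comes up with just a message on `${_TTY}`. A hash mismatch is the event this script exists to catch, so I would fail closed right here with the initramfs helper, `panic "[FATAL] Checksum verification failed for: [${_CHECKSUM}]"`, or at minimum make the follow-up handling of `_RETURN_SHA` visible next to it. Note also that `_RETURN_SHA="${?}"` in the `then` branch is always 0 (it is the status of the `if` test), so `_RETURN_SHA=0` says the same thing more honestly; and only stdout is sent to the tty, so `sha512sum`'s "did NOT match" warnings on stderr land wherever the parent's stderr points. The enclosing `Verify_checksums` starts and ends outside this hunk.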


@@ -0,0 +1,65 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
PREREQ="udev"
prereqs() {
echo "${PREREQ}"
}
# shellcheck disable=SC2249
case "$1" in
prereqs)
prereqs
exit 0
;;
esac
# shellcheck disable=SC2292
[ -x /sbin/dropbear ] || exit 0
run_dropbear() {
### CISS.debian.live.builder
### Remove old flags for dropbear version 2025.88-2.
### Only accepts flags from '/etc/dropbear/dropbear.conf'.
#local flags="Fs"
# shellcheck disable=SC2034,SC2154,SC2292
[ "${debug}" != y ] || flags="E${flags}" # log to standard error
# Always run configure_networking() before dropbear(8); on NFS
# mounts this has been done already
# shellcheck disable=SC2292
[ "${BOOT}" = nfs ] || configure_networking
log_begin_msg "Starting dropbear"
# Using exec and keeping dropbear in the foreground enables the
# init-bottom script to kill the remaining ipconfig processes if
# someone unlocks the rootfs from the console while the network is
# being configured
# shellcheck disable=SC2086
exec /sbin/dropbear ${DROPBEAR_OPTIONS-}
}
# shellcheck disable=SC2292
if [ -e /etc/dropbear/dropbear.conf ]; then
. /etc/dropbear/dropbear.conf
fi
. /scripts/functions
# On NFS mounts, wait until the network is configured. On local mounts,
# configure the network in the background (in run_dropbear()) so someone
# with console access can enter the passphrase immediately. (With the
# default ip=dhcp, configure_networking hangs for 5mins or so when the
# network is unavailable, for instance.)
# shellcheck disable=SC2292
[ "${BOOT}" != nfs ] || configure_networking
run_dropbear &
echo $! >/run/dropbear.pid
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
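Review bot: With `#local flags="Fs"` commented out, `flags` is never assigned, so the debug line `[ "${debug}" != y ] || flags="E${flags}"` is dead and `exec /sbin/dropbear ${DROPBEAR_OPTIONS-}` now relies entirely on `/etc/dropbear/dropbear.conf` (not part of this diff) to supply `-F` and `-s`. Both matter here: the comment above the `exec` and the `echo $! >/run/dropbear.pid` line assume dropbear stays in the foreground so init-bottom can kill it by PID — if the conf omits `-F`, dropbear daemonises, `$!` names a process that has already exited and the PID file is stale; and without `-s`, password authentication for the pre-boot unlock shell is not explicitly disabled. I would pin the invariants in the script rather than trust the conf, `exec /sbin/dropbear -F -s ${DROPBEAR_OPTIONS-}`, or at least fail loudly: `case " ${DROPBEAR_OPTIONS-} " in *" -F "*) ;; *) log_failure_msg "dropbear.conf must pass -F"; exit 1 ;; esac`. As far as I can tell upstream 2025.88 still documents `-F` and `-s`, so the "Remove old flags" comment deserves a reference to what actually changed in the Debian packaging.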


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.400.2025.11.08<br> **Build**: V8.13.404.2025.11.10<br>
# 2. DNSSEC Status # 2. DNSSEC Status


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.400.2025.11.08<br> **Build**: V8.13.404.2025.11.10<br>
# 2. Haveged Audit on Netcup RS 2000 G11 # 2. Haveged Audit on Netcup RS 2000 G11


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.400.2025.11.08<br> **Build**: V8.13.404.2025.11.10<br>
# 2. Lynis Audit: # 2. Lynis Audit:


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.400.2025.11.08<br> **Build**: V8.13.404.2025.11.10<br>
# 2. SSH Audit by ssh-audit.com # 2. SSH Audit by ssh-audit.com


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.400.2025.11.08<br> **Build**: V8.13.404.2025.11.10<br>
# 2. TLS Audit: # 2. TLS Audit:
````text ````text


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.400.2025.11.08<br> **Build**: V8.13.404.2025.11.10<br>
# 2. Hardened Kernel Boot Parameters # 2. Hardened Kernel Boot Parameters


@@ -8,10 +8,29 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.400.2025.11.08<br> **Build**: V8.13.404.2025.11.10<br>
# 2. Changelog # 2. Changelog
## V8.13.404.2025.11.10
* **Added**: [0020_dropbear_build.chroot](../config/hooks/live/0020_dropbear_build.chroot)
* **Added**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot)
* **Added**: [0022_dropbear_setup.chroot](../config/hooks/live/0022_dropbear_setup.chroot)
* **Added**: [9999_ciss_custom_prompt.sh](../config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh)
* **Added**: [9999_ciss_debian_live_builder.sh](../config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh)
* **Added**: [1000_ciss_fixpath.sh](../config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh)
* **Added**: [0000_ciss_fixpath.sh](../config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh)
* **Added**: [dropbear](../config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear)
* **Bugfixes**: [generate_PRIVATE_trixie_0.yaml](../.gitea/workflows/generate_PRIVATE_trixie_0.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [generate_PUBLIC_iso.yaml](../.gitea/workflows/generate_PUBLIC_iso.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [render-dot-to-png.yaml](../.gitea/workflows/render-dot-to-png.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums)
* **Changed**: [localoptions.h](../upgrades/dropbear/localoptions.h)
* **Changed**: [.shellcheckrc](../.shellcheckrc)
## V8.13.400.2025.11.08 ## V8.13.400.2025.11.08
* **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) - GPG key handling * **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) - GPG key handling
* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) - Unified naming scheme * **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) - Unified naming scheme


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.400.2025.11.08<br> **Build**: V8.13.404.2025.11.10<br>
# 2. Centurion Net - Developer Branch Overview # 2. Centurion Net - Developer Branch Overview


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.400.2025.11.08<br> **Build**: V8.13.404.2025.11.10<br>
# 2. Coding Style # 2. Coding Style


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.400.2025.11.08<br> **Build**: V8.13.404.2025.11.10<br>
# 2. Contributing / participating # 2. Contributing / participating


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.400.2025.11.08<br> **Build**: V8.13.404.2025.11.10<br>
# 2. Credits # 2. Credits


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.400.2025.11.08<br> **Build**: V8.13.404.2025.11.10<br>
# 2. Download the latest PUBLIC CISS.debian.live.ISO # 2. Download the latest PUBLIC CISS.debian.live.ISO


@@ -8,14 +8,14 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.400.2025.11.08<br> **Build**: V8.13.404.2025.11.10<br>
# 2.1. Usage # 2.1. Usage
````text ````text
CDLB(1) CISS.debian.live.builder CDLB(1) CDLB(1) CISS.debian.live.builder CDLB(1)
CISS.debian.live.builder from https://git.coresecret.dev/msw CISS.debian.live.builder from https://git.coresecret.dev/msw
Master V8.13.400.2025.11.08 Master V8.13.404.2025.11.10
A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025 (c) Marc S. Weidner, 2018 - 2025
@@ -145,7 +145,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
💷 Please consider donating to my work at: 💷 Please consider donating to my work at:
🌐 https://coresecret.eu/spenden/ 🌐 https://coresecret.eu/spenden/
V8.13.400.2025.11.08 2025-11-06 CDLB(1) V8.13.404.2025.11.10 2025-11-06 CDLB(1)
```` ````
# 3. Booting # 3. Booting


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.400.2025.11.08<br> **Build**: V8.13.404.2025.11.10<br>
# 2. Resources # 2. Resources


@@ -30,9 +30,15 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success # 0: on success
####################################### #######################################
clean_up() { clean_up() {
declare clean_exit_code="$1" fs_type="" declare clean_exit_code="$1" fs_type="" _old_nullglob="" _old_dotglob="" _old_failglob=""
### Enable nullglob/dotglob, disable failglob for safe globbing.
_old_nullglob="$(shopt -p nullglob || true)"
_old_dotglob="$( shopt -p dotglob || true)"
_old_failglob="$(shopt -p failglob || true)"
shopt -s nullglob dotglob shopt -s nullglob dotglob
shopt -u failglob
rm -f -- "${VAR_KERNEL_INF}" rm -f -- "${VAR_KERNEL_INF}"
rm -f -- "${VAR_KERNEL_SRT}" rm -f -- "${VAR_KERNEL_SRT}"
@@ -90,7 +96,21 @@ clean_up() {
find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 -- find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
shopt -u nullglob dotglob # TODO: Activate shred
### Securely shred all regular files below ./includes.chroot, then remove empty dirs.
#if [[ -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
# shellcheck disable=SC2312
# find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
### Remove empty directories (bottom-up).
# find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -depth -xdev -type d -empty -delete
#fi
eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_dotglob}" 2>/dev/null || true
eval "${_old_failglob}" 2>/dev/null || true
return 0 return 0
} }
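Review bot: The `# TODO: Activate shred` block that replaces the old `shopt -u nullglob dotglob` line leaves `config/includes.chroot` untouched after the build, yet that tree is where this commit copies `root/.ssh/authorized_keys`, the dropbear sources and `localoptions.h`, so the `shred -fzu -n 5` applied to `${VAR_TMP_SECRET}` two lines above is inconsistent with what stays on disk. If the block has to remain disabled, the comment should say what blocks it and what is left behind, e.g. `# TODO(msw): includes.chroot still holds authorized_keys/dropbear inputs after build; shred disabled until <reason>`, otherwise enable it behind `[[ -n "${VAR_HANDLER_BUILD_DIR:-}" ]]` so an empty variable can never widen the `find`. Worth one line next to either `shred` call as well: on journaling, CoW and SSD-backed storage `shred` cannot guarantee the overwrite, so building on tmpfs or an encrypted volume is the actual control. The `shopt -p`/`eval` save-restore is fine as written (the captured text is a fixed `shopt -s|-u name`), but `clean_up` begins outside this hunk, so I could not check the early-return paths.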


@@ -185,6 +185,7 @@ hardening_ultra() {
install -m 0600 -o root -g root "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/" install -m 0600 -o root -g root "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/"
declare -r sshport="${VAR_SSHPORT:-22}" declare -r sshport="${VAR_SSHPORT:-22}"
printf "%s" "${sshport}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/sshport"
### /config/includes.chroot/etc/ssh/sshd_config ### /config/includes.chroot/etc/ssh/sshd_config
# shellcheck disable=SC2155 # shellcheck disable=SC2155
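Review bot: The new `printf "%s" "${sshport}" >| ".../root/sshport"` bakes `VAR_SSHPORT` into the image with the ambient umask and without the `-o root -g root` the `install -m 0600` call on the line above takes care to set, and nothing validates the value before it is written for whatever consumes `/root/sshport` inside the chroot (not visible here). Two short lines close both gaps, assuming `ERR_SANITIZING` is in scope as in the sibling library: `[[ "${sshport}" =~ ^[0-9]{1,5}$ ]] && (( sshport >= 1 && sshport <= 65535 )) || return "${ERR_SANITIZING}"` before the write, and `printf '%s' "${sshport}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/sshport" && chmod 0444 -- "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/sshport"` in place of the bare redirect. `hardening_ultra` continues outside this hunk.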


@@ -38,6 +38,8 @@ init_primordial() {
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
install -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/localoptions.h" \ install -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/localoptions.h" \
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/localoptions.h" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/localoptions.h"
install -m 0444 "${VAR_WORKDIR}/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear"
### Check for SOPS AGE key integration --------------------------------------------------------------------------------------- ### Check for SOPS AGE key integration ---------------------------------------------------------------------------------------
if [[ "${VAR_AGE,,}" == "true" ]]; then if [[ "${VAR_AGE,,}" == "true" ]]; then
@@ -115,7 +117,7 @@ normalize_ssh_key_file() {
if ! ssh-keygen -yf "${var_key_file}" >/dev/null; then if ! ssh-keygen -yf "${var_key_file}" >/dev/null; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed check ssh-keygen -lf: [%s] \e[0m\n" "${var_key_file}" printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed check ssh-keygen -yf: [%s] \e[0m\n" "${var_key_file}"
return "${ERR_SANITIZING}" return "${ERR_SANITIZING}"
fi fi
@@ -144,13 +146,21 @@ readonly -f normalize_ssh_key_file
# ERR_SANITIZING: on failure # ERR_SANITIZING: on failure
####################################### #######################################
normalize_ssh_keys_in_dir() { normalize_ssh_keys_in_dir() {
declare var_key_dir="" var_key_file="" declare var_key_dir="" var_key_file="" _old_nullglob="" _old_dotglob="" _old_failglob=""
var_key_dir="$1" var_key_dir="$1"
### Enable nullglob/dotglob, disable failglob for safe globbing.
_old_nullglob="$(shopt -p nullglob || true)"
_old_dotglob="$( shopt -p dotglob || true)"
_old_failglob="$(shopt -p failglob || true)"
shopt -s nullglob dotglob shopt -s nullglob dotglob
shopt -u failglob
if [[ ! -d "${var_key_dir}" ]]; then if [[ ! -d "${var_key_dir}" ]]; then
shopt -u nullglob dotglob eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_dotglob}" 2>/dev/null || true
eval "${_old_failglob}" 2>/dev/null || true
return 0 return 0
fi fi
@@ -160,13 +170,17 @@ normalize_ssh_keys_in_dir() {
[[ -e "${var_key_file}" ]] || continue [[ -e "${var_key_file}" ]] || continue
if ! normalize_ssh_key_file "${var_key_file}"; then if ! normalize_ssh_key_file "${var_key_file}"; then
shopt -u nullglob dotglob eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_dotglob}" 2>/dev/null || true
eval "${_old_failglob}" 2>/dev/null || true
return "${ERR_SANITIZING}" return "${ERR_SANITIZING}"
fi fi
done done
shopt -u nullglob dotglob eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_dotglob}" 2>/dev/null || true
eval "${_old_failglob}" 2>/dev/null || true
return 0 return 0
} }
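Review bot: The `eval "${_old_nullglob}"` / `_old_dotglob` / `_old_failglob` restore in `normalize_ssh_keys_in_dir` is now repeated verbatim at three exit points (the `! -d` guard, the `ERR_SANITIZING` return and the final `return 0`), which the next early return will silently miss. Since the loop body already guards with `[[ -e "${var_key_file}" ]] || continue`, the glob options only need to hold while the pattern expands; expanding it in a subshell removes the juggling entirely (bash ≥ 4.4 for `mapfile -d ''`, which the file's `declare -gr`/`${VAR_AGE,,}` usage suggests is available): `mapfile -d '' -t var_key_files < <(shopt -s nullglob dotglob; shopt -u failglob; printf '%s\0' "${var_key_dir}"/*)` followed by `for var_key_file in "${var_key_files[@]}"; do`. The `for` header itself lies outside this hunk, so the pattern it globs is inferred. The same save/restore block appears in `clean_up` in the sibling library; a shared helper would keep the two in step.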


@@ -39,13 +39,13 @@ usage() {
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}") declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}")
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare var_footer=$(center "V8.13.400.2025.11.08 2025-11-06 CDLB(1)" "${var_cols}") declare var_footer=$(center "V8.13.404.2025.11.10 2025-11-06 CDLB(1)" "${var_cols}")
{ {
echo -e "\e[1;97m${var_header}\e[0m" echo -e "\e[1;97m${var_header}\e[0m"
echo echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m" echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
echo -e "\e[92mMaster V8.13.400.2025.11.08\e[0m" echo -e "\e[92mMaster V8.13.404.2025.11.10\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m" echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m" echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"


@@ -28,14 +28,24 @@
# 0 : Successful verification # 0 : Successful verification
####################################### #######################################
Verify_checksums() { Verify_checksums() {
printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-verify-checksums] ... \n\e[0m"
### Declare variables --------------------------------------------------------------------------------------------------------
_MOUNTPOINT="${1}" _MOUNTPOINT="${1}"
_PARAMETER=""
_TTY="/dev/tty8" _TTY="/dev/tty8"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}" LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
LIVE_VERIFY_CHECKSUMS_SIGNATURES="false" LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
_KEYFILE=""
_MP=""
### Parse commandline arguments ----------------------------------------------------------------------------------------------
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in case "${_PARAMETER}" in
@@ -60,6 +70,20 @@ Verify_checksums() {
done done
### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
if [ -e "${_MP}/0030-verify-checksums.gpg" ]; then
_KEYFILE="${_MP}/0030-verify-checksums.gpg"
break
fi
done
### Check if the function should be skipped ----------------------------------------------------------------------------------
case "${LIVE_VERIFY_CHECKSUMS}" in case "${LIVE_VERIFY_CHECKSUMS}" in
true) true)
@@ -78,54 +102,59 @@ Verify_checksums() {
### CDLB verification of script integrity itself ----------------------------------------------------------------------------- ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
log_begin_msg "Verifying integrity of '0030-verify-checksums' ..." log_begin_msg "Verifying integrity of: [0030-verify-checksums]"
printf "\n" printf "\n"
CDLB_SCRIPT="$(basename "${0}")" _CAND=""
CDLB_SCRIPT_SELF="" CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE=""
CDLB_CMD="/usr/bin/sha512sum"
CDLB_SHA="sha512" CDLB_SHA="sha512"
CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE=""
for CDLB_ITEM in ${CDLB_SHA}; do for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do
CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}" [ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
CDLB_CMD="${CDLB_ITEM}sum"
printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
if ! gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}"
sleep 8
# TODO: Remove debug mode
# return 0
else
printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}"
fi
printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}"
CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; })
read -r CDLB_EXPECTED < "${CDLB_HASHFILE}"
if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}"
sleep 8
# TODO: Remove debug mode
# return 0
fi
printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}"
done done
printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding." CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}"
CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}"
CDLB_SCRIPT_FULL="${CDLB_SCRIPT_PATH%/}/${CDLB_SCRIPT_FILE}"
CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
printf "\e[95m[INFO] Verifying integrity of: [%s] ... \n\e[0m" "${CDLB_SCRIPT_FULL}"
printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}"
if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
printf "\e[91m[FATAL] Verifying signature of: [%s] failed. \n\e[0m" "${CDLB_SIG_FILE}"
sleep 16
panic "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed."
else
printf "\e[92m[INFO] Verifying signature of: [%s] successful. \n\e[0m" "${CDLB_SIG_FILE}"
fi
printf "\e[95m[INFO] Recomputing hash for: [%s] ... \n\e[0m" "${CDLB_SHA}"
CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT_FULL}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; })
IFS=' ' read -r CDLB_EXPECTED _ < "${CDLB_HASHFILE}"
if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
printf "\e[91m[FATAL] Recomputing hash for: [%s] failed. \n\e[0m" "${CDLB_SHA}"
sleep 16
panic "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed."
fi
printf "\e[92m[INFO] Recomputing hash for: [%s] successful. \n\e[0m" "${CDLB_SHA}"
printf "\e[92m[INFO] Verification of authenticity and integrity of [%s] successfully completed. \n\e[0m" "${CDLB_SCRIPT_FULL}"
log_end_msg log_end_msg
printf "\n" printf "\n"
@@ -134,6 +163,7 @@ Verify_checksums() {
### Checksum and checksum signature verification ----------------------------------------------------------------------------- ### Checksum and checksum signature verification -----------------------------------------------------------------------------
log_begin_msg "Verifying checksums" log_begin_msg "Verifying checksums"
printf "\n" printf "\n"
printf "\e[95m[INFO] Verifying checksums ... \n\e[0m"
# shellcheck disable=SC2001 # shellcheck disable=SC2001
for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
@@ -145,16 +175,29 @@ Verify_checksums() {
if [ -e "${_CHECKSUM}" ]; then if [ -e "${_CHECKSUM}" ]; then
printf "Found [%s] ...\n" "${_CHECKSUM}" printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "${_CHECKSUM}"
if [ -e "/bin/${_DIGEST}sum" ]; then if [ -e "/usr/bin/${_DIGEST}sum" ]; then
printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum"
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}" printf "\e[95m[INFO] Checking signature of: [%s] ... \n\e[0m" "${_CHECKSUM}"
_CHECKSUM_SIGNATURE="${_CHECKSUM}.sig" _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
if /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"; then
_RETURN_PGP="${?}" _RETURN_PGP="${?}"
printf "\e[92m[INFO] Checking signature of: [%s] successful. \n\e[0m" "${_CHECKSUM}"
else
_RETURN_PGP="${?}"
printf "\e[91m[FATAL] Checking signature of: [%s] failed. \n\e[0m" "${_CHECKSUM}"
fi
else else
@@ -162,18 +205,26 @@ Verify_checksums() {
fi fi
printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
# shellcheck disable=SC2312 # shellcheck disable=SC2312
grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}" if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then
_RETURN_SHA="${?}" _RETURN_SHA="${?}"
printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
else
_RETURN_SHA="${?}"
printf "\e[91m[FATAL] Found: [%s] unsuccessful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
fi
# Stop after the first verification. # Stop after the first verification.
break 2 break 2
else else
printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum" _RETURN_SHA="255"
printf "\e[93m[WARN] NOT Found [%s]. \n\e[0m" "/usr/bin/${_DIGEST}sum"
fi fi
@@ -184,26 +235,44 @@ Verify_checksums() {
done done
log_end_msg log_end_msg
printf "\n"
case "${_RETURN_PGP},${_RETURN_SHA}" in case "${_RETURN_PGP},${_RETURN_SHA}" in
0,0) "0,0")
log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds." printf "\e[92m[INFO] Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m"
printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8 sleep 8
log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
return 0 return 0
;; ;;
na,0) "na,0")
log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds." printf "\e[92m[INFO] Verification of [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m"
printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8 sleep 8
log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
return 0 return 0
;; ;;
*,0) "0,"*)
panic "Verification of signature file failed while verification of checksum file successful." printf "\e[91m[FATAL] Verification of [GPG signature] file successful, while verification of [sha checksum] file failed. \n\e[0m"
printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8
panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
;; ;;
na,*) *",0")
printf "\e[91m[FATAL] Verification of [GPG signature] file failed, while verification of [sha checksum] file successful. \n\e[0m"
printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8
panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
;;
"na,"*)
printf "\e[91m[FATAL] Verification of [sha checksum] file failed. \n\e[0m"
printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8
panic "Verification of checksum file failed." panic "Verification of checksum file failed."
;; ;;


@@ -127,7 +127,7 @@ main() {
# shellcheck disable=SC2312 # shellcheck disable=SC2312
exec > >(tee -a "${var_log}") 2>&1 exec > >(tee -a "${var_log}") 2>&1
printf "CISS.debian.installer Master V8.13.400.2025.11.08 is up! \n" >> "${var_log}" printf "CISS.debian.installer Master V8.13.404.2025.11.10 is up! \n" >> "${var_log}"
### Sleep a moment to settle boot artifacts. ### Sleep a moment to settle boot artifacts.
sleep 8 sleep 8
@@ -182,7 +182,7 @@ main() {
### Timeout reached without acceptable semaphore. ### Timeout reached without acceptable semaphore.
logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle." logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
printf "CISS.debian.installer Master V8.13.400.2025.11.08: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" printf "CISS.debian.installer Master V8.13.404.2025.11.10: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
exit 0 exit 0
} }


@@ -1,12 +1,12 @@
/* # SPDX-Version: 3.0 */ /* # SPDX-Version: 3.0 */
/* # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> */ /* # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev> */
/* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git */ /* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git */
/* # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency */ /* # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency */
/* # SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu> */ /* # SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu> */
/* # SPDX-FileType: SOURCE */ /* # SPDX-FileType: SOURCE */
/* # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 */ /* # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 */
/* # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. */ /* # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. */
/* # SPDX-PackageName: CISS.debian.installer */ /* # SPDX-PackageName: CISS.debian.live.builder */
/* # SPDX-Security-Contact: security@coresecret.eu */ /* # SPDX-Security-Contact: security@coresecret.eu */
#ifndef DROPBEAR_LOCALOPTIONS_H_ #ifndef DROPBEAR_LOCALOPTIONS_H_


@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
declare -grx VAR_HOST="$(uname -n)" declare -grx VAR_HOST="$(uname -n)"
declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')" declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
declare -grx VAR_SYSTEM="$(uname -mnosv)" declare -grx VAR_SYSTEM="$(uname -mnosv)"
declare -grx VAR_VERSION="Master V8.13.400.2025.11.08" declare -grx VAR_VERSION="Master V8.13.404.2025.11.10"
declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{ declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
# Print $4 and $5; include $6 only if it exists # Print $4 and $5; include $6 only if it exists
out = $4 out = $4


@@ -66,7 +66,7 @@ declare -gir ERR_FLOCK_WRTG=129 # Cannot open lockfile for writing
declare -gir ERR_FLOCK_COLL=130 # The Script is already running declare -gir ERR_FLOCK_COLL=130 # The Script is already running
declare -gir ERR_GUARD_SRCE=131 # Module tried to load twice. declare -gir ERR_GUARD_SRCE=131 # Module tried to load twice.
declare -gir ERR_GPG__AGENT=132 # GNUPG agent error. declare -gir ERR_GPG__AGENT=132 # GNUPG agent error.
declare -gir ERR_SANITIZING=133 # Error occurred while sanitizing file. declare -gir ERR_SANITIZING=133 # The error occurred while sanitizing a file.
declare -gir ERR_SPLASH_PNG=200 # --change-splash MUST be 'club' or 'hexagon' declare -gir ERR_SPLASH_PNG=200 # --change-splash MUST be 'club' or 'hexagon'
declare -gir ERR_CONTROL_CT=201 # --control MUST be an integer between '1' and '65535' declare -gir ERR_CONTROL_CT=201 # --control MUST be an integer between '1' and '65535'
declare -gir ERR_RENICE_PRI=202 # --renice-priority MUST an integer between '-19' and '19' declare -gir ERR_RENICE_PRI=202 # --renice-priority MUST an integer between '-19' and '19'