msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.404.2025.11.10
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m15s
Details
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 54s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-10 11:57:27 +01:00
parent fc263c95e3
commit 6c00891cd4
62 changed files with 1419 additions and 312 deletions
Download Patch File Download Diff File Expand all files Collapse all files

181
scripts/usr/lib/live/boot/0030-verify-checksums
View File

@@ -28,14 +28,24 @@
# 0 : Successful verification
#######################################
Verify_checksums() {
printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-verify-checksums] ... \n\e[0m"
### Declare variables --------------------------------------------------------------------------------------------------------
_MOUNTPOINT="${1}"
_PARAMETER=""
_TTY="/dev/tty8"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
_KEYFILE=""
_MP=""
### Parse commandline arguments ----------------------------------------------------------------------------------------------
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in
@@ -60,6 +70,20 @@ Verify_checksums() {
done
### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
if [ -e "${_MP}/0030-verify-checksums.gpg" ]; then
_KEYFILE="${_MP}/0030-verify-checksums.gpg"
break
fi
done
### Check if the function should be skipped ----------------------------------------------------------------------------------
case "${LIVE_VERIFY_CHECKSUMS}" in
true)
@@ -78,54 +102,59 @@ Verify_checksums() {
### CDLB verification of script integrity itself -----------------------------------------------------------------------------
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
log_begin_msg "Verifying integrity of: [0030-verify-checksums]"
printf "\n"
CDLB_SCRIPT="$(basename "${0}")"
_CAND=""
CDLB_SCRIPT_SELF="" CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE=""
CDLB_CMD="/usr/bin/sha512sum"
CDLB_SHA="sha512"
CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE=""
for CDLB_ITEM in ${CDLB_SHA}; do
for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do
CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
CDLB_CMD="${CDLB_ITEM}sum"
printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
if ! gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}"
sleep 8
# TODO: Remove debug mode
# return 0
else
printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}"
fi
printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}"
CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; })
read -r CDLB_EXPECTED < "${CDLB_HASHFILE}"
if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}"
sleep 8
# TODO: Remove debug mode
# return 0
fi
printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}"
[ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
done
printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding."
CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}"
CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}"
CDLB_SCRIPT_FULL="${CDLB_SCRIPT_PATH%/}/${CDLB_SCRIPT_FILE}"
CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
printf "\e[95m[INFO] Verifying integrity of: [%s] ... \n\e[0m" "${CDLB_SCRIPT_FULL}"
printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}"
if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
printf "\e[91m[FATAL] Verifying signature of: [%s] failed. \n\e[0m" "${CDLB_SIG_FILE}"
sleep 16
panic "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed."
else
printf "\e[92m[INFO] Verifying signature of: [%s] successful. \n\e[0m" "${CDLB_SIG_FILE}"
fi
printf "\e[95m[INFO] Recomputing hash for: [%s] ... \n\e[0m" "${CDLB_SHA}"
CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT_FULL}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; })
IFS=' ' read -r CDLB_EXPECTED _ < "${CDLB_HASHFILE}"
if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
printf "\e[91m[FATAL] Recomputing hash for: [%s] failed. \n\e[0m" "${CDLB_SHA}"
sleep 16
panic "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed."
fi
printf "\e[92m[INFO] Recomputing hash for: [%s] successful. \n\e[0m" "${CDLB_SHA}"
printf "\e[92m[INFO] Verification of authenticity and integrity of [%s] successfully completed. \n\e[0m" "${CDLB_SCRIPT_FULL}"
log_end_msg
printf "\n"
@@ -134,6 +163,7 @@ Verify_checksums() {
### Checksum and checksum signature verification -----------------------------------------------------------------------------
log_begin_msg "Verifying checksums"
printf "\n"
printf "\e[95m[INFO] Verifying checksums ... \n\e[0m"
# shellcheck disable=SC2001
for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
@@ -145,16 +175,29 @@ Verify_checksums() {
if [ -e "${_CHECKSUM}" ]; then
printf "Found [%s] ...\n" "${_CHECKSUM}"
printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "${_CHECKSUM}"
if [ -e "/bin/${_DIGEST}sum" ]; then
if [ -e "/usr/bin/${_DIGEST}sum" ]; then
printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum"
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
printf "\e[95m[INFO] Checking signature of: [%s] ... \n\e[0m" "${_CHECKSUM}"
_CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
_RETURN_PGP="${?}"
if /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"; then
_RETURN_PGP="${?}"
printf "\e[92m[INFO] Checking signature of: [%s] successful. \n\e[0m" "${_CHECKSUM}"
else
_RETURN_PGP="${?}"
printf "\e[91m[FATAL] Checking signature of: [%s] failed. \n\e[0m" "${_CHECKSUM}"
fi
else
@@ -162,18 +205,26 @@ Verify_checksums() {
fi
printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
# shellcheck disable=SC2312
grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
_RETURN_SHA="${?}"
if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then
_RETURN_SHA="${?}"
printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
else
_RETURN_SHA="${?}"
printf "\e[91m[FATAL] Found: [%s] unsuccessful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
fi
# Stop after the first verification.
break 2
else
printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
_RETURN_SHA="255"
printf "\e[93m[WARN] NOT Found [%s]. \n\e[0m" "/usr/bin/${_DIGEST}sum"
fi
@@ -184,26 +235,44 @@ Verify_checksums() {
done
log_end_msg
printf "\n"
case "${_RETURN_PGP},${_RETURN_SHA}" in
0,0)
log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
"0,0")
printf "\e[92m[INFO] Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m"
printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8
log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
return 0
;;
na,0)
log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
"na,0")
printf "\e[92m[INFO] Verification of [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m"
printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8
log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
return 0
;;
*,0)
panic "Verification of signature file failed while verification of checksum file successful."
"0,"*)
printf "\e[91m[FATAL] Verification of [GPG signature] file successful, while verification of [sha checksum] file failed. \n\e[0m"
printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8
panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
;;
na,*)
*",0")
printf "\e[91m[FATAL] Verification of [GPG signature] file failed, while verification of [sha checksum] file successful. \n\e[0m"
printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8
panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
;;
"na,"*)
printf "\e[91m[FATAL] Verification of [sha checksum] file failed. \n\e[0m"
printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8
panic "Verification of checksum file failed."
;;

4
scripts/usr/local/sbin/9999-cdi-starter
View File

@@ -127,7 +127,7 @@ main() {
# shellcheck disable=SC2312
exec > >(tee -a "${var_log}") 2>&1
printf "CISS.debian.installer Master V8.13.400.2025.11.08 is up! \n" >> "${var_log}"
printf "CISS.debian.installer Master V8.13.404.2025.11.10 is up! \n" >> "${var_log}"
### Sleep a moment to settle boot artifacts.
sleep 8
@@ -182,7 +182,7 @@ main() {
### Timeout reached without acceptable semaphore.
logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
printf "CISS.debian.installer Master V8.13.400.2025.11.08: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
printf "CISS.debian.installer Master V8.13.404.2025.11.10: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
exit 0
}