V9.14.024.2026.06.11

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums

@@ -15,12 +15,14 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 # Module summary:
-# This live-boot component implements the verify-checksums mode for the mounted live medium.
-# It reads the live-boot command line to decide whether checksum verification is enabled and which digests to accept.
-# It locates the pinned CISS GPG key material on the live medium, optionally verifies this script's signed hash,
-# optionally verifies signed checksum files, and checks the first matching checksum manifest with the matching digest tool. It
-# writes detailed checksum output to the verification TTY. It panics instead of continuing boot when integrity or
-# authenticity verification fails.
+# This live-boot component implements verify-checksums mode for the mounted live medium.
+# It reads the live-boot command line to decide whether checksum verification is enabled, which digests to accept, and
+# whether checksum signature verification is required. When signature verification is enabled, it requires to be pinned CISS GPG
+# key material from the live medium, verifies this script's signed SHA-512 hash, and verifies the selected checksum manifest
+# signature before accepting checksum results. It checks the first supported checksum manifest with an available matching digest
+# tool and writes detailed checksum command output to the verification TTY when checksum execution runs. It fails closed by
+# panicking on missing manifests, missing digest tools, empty manifests, failed signatures, failed checksums, or unknown
+# verification states.
 
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
@@ -87,11 +89,26 @@ Verify_checksums() {
 
   _CHECKSUM_LOG=""
 
+  _CHECKSUM_LOG_DIR="${LIVE_VERIFY_CHECKSUMS_LOG_DIR:-/run}"
+
   _KEYFILE=""
 
+  _MANIFEST_FOUND="false"
+
   _MP=""
 
+  _RETURN_PGP=""
+
+  _RETURN_SHA=""
+
+  _TOOL_FOUND="false"
+
+  _VERIFICATION_EXECUTED="false"
+
+  _VERIFICATION_SUCCEEDED="false"
+
   ### Parse commandline arguments ----------------------------------------------------------------------------------------------
+  # shellcheck disable=SC2154
   for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
 
     case "${_PARAMETER}" in
@@ -148,6 +165,14 @@ Verify_checksums() {
 
   done
 
+  if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ] && [ -z "${_KEYFILE}" ]; then
+
+    log_er "No pinned GPG key file found while checksum signature verification is enabled."
+    sleep 8
+    panic  "[FATAL] No pinned GPG key file found while checksum signature verification is enabled."
+
+  fi
+
   # shellcheck disable=SC2164
   cd "${_MOUNTPOINT}"
 
@@ -244,10 +269,14 @@ Verify_checksums() {
 
       if [ -e "${_CHECKSUM}" ]; then
 
+        _MANIFEST_FOUND="true"
+
         log_in "Found: [${_CHECKSUM}] ..."
 
         if [ -e "/usr/bin/${_DIGEST}sum" ]; then
 
+          _TOOL_FOUND="true"
+
           log_in "Found: [/usr/bin/${_DIGEST}sum] ..."
 
           if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
@@ -275,8 +304,15 @@ Verify_checksums() {
           fi
 
           # shellcheck disable=SC2312
-          _CHECKSUM_LOG="/run/ciss-${_DIGEST}sum-check.log"
-          if grep -v '^#' "${_CHECKSUM}" | LC_ALL=C /usr/bin/"${_DIGEST}"sum -c > "${_CHECKSUM_LOG}" 2>&1; then
+          _CHECKSUM_LOG="${_CHECKSUM_LOG_DIR}/ciss-${_DIGEST}sum-check.log"
+          _VERIFICATION_EXECUTED="true"
+          if ! grep -v '^#' "${_CHECKSUM}" | grep -q '[^[:space:]]'; then
+
+            _RETURN_SHA="254"
+            : > "${_CHECKSUM_LOG}"
+            log_er "Checksum manifest has no checksum entries: [${_CHECKSUM}]"
+
+          elif grep -v '^#' "${_CHECKSUM}" | LC_ALL=C /usr/bin/"${_DIGEST}"sum -c > "${_CHECKSUM_LOG}" 2>&1; then
 
             _RETURN_SHA="${?}"
             cat "${_CHECKSUM_LOG}" > "${_TTY}"
@@ -294,6 +330,12 @@ Verify_checksums() {
 
           fi
 
+          if { [ "${_RETURN_PGP}" = "0" ] || [ "${_RETURN_PGP}" = "na" ]; } && [ "${_RETURN_SHA}" = "0" ]; then
+
+            _VERIFICATION_SUCCEEDED="true"
+
+          fi
+
           # Stop after the first verification.
           break 2
 
@@ -313,6 +355,36 @@ Verify_checksums() {
   log_end_msg
   printf "\n"
 
+  if [ "${_MANIFEST_FOUND}" != "true" ]; then
+
+    log_er "No supported checksum manifest found. Checksum verification is fail-closed."
+    sleep 8
+    panic  "[FATAL] No supported checksum manifest found. Checksum verification is fail-closed."
+
+  fi
+
+  if [ "${_TOOL_FOUND}" != "true" ]; then
+
+    log_er "Checksum manifest found, but no supported checksum tool is available. Checksum verification is fail-closed."
+    sleep 8
+    panic  "[FATAL] Checksum manifest found, but no supported checksum tool is available. Checksum verification is fail-closed."
+
+  fi
+
+  if [ "${_VERIFICATION_EXECUTED}" != "true" ]; then
+
+    log_er "Checksum verification was not executed. Checksum verification is fail-closed."
+    sleep 8
+    panic  "[FATAL] Checksum verification was not executed. Checksum verification is fail-closed."
+
+  fi
+
+  if [ "${_VERIFICATION_SUCCEEDED}" != "true" ]; then
+
+    log_er "[FATAL] Checksum verification did not complete successfully. Evaluating fail-closed failure state."
+
+  fi
+
   case "${_RETURN_PGP},${_RETURN_SHA}" in
 
     "0,0")
@@ -345,6 +417,12 @@ Verify_checksums() {
       panic  "Verification of [sha checksum] file failed."
       ;;
 
+    *)
+      log_er "Unknown checksum verification state: [${_RETURN_PGP:-unset},${_RETURN_SHA:-unset}]."
+      sleep 8
+      panic  "[FATAL] Unknown checksum verification state. Checksum verification is fail-closed."
+      ;;
+
   esac
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh