msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V9.14.022.2026.06.11: enforce secret and cleanup safeguards

Browse Source
This commit is contained in:
André H. Zimnol
2026-06-11 05:08:01 +02:00
parent 74897d85b1
commit 9d3f283297
10 changed files with 182 additions and 154 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/lib_check_secrets.sh
+14 -24
View File
@@ -23,36 +23,26 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
#######################################
x_remove() {
declare luks_key_filename="${VAR_LUKS_KEY:-luks.txt}" luks_key_path="" signing_pass_path=""
declare -a find_args=("${VAR_TMP_SECRET}" -xdev -type f)
printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare _old_nullglob="" _old_dotglob=""
### Enable nullglob/dotglob, disable failglob for safe globbing.
_old_nullglob="$(shopt -p nullglob || true)"
_old_dotglob="$( shopt -p dotglob || true)"
shopt -s nullglob dotglob
validate_secret_staging_area || return "${ERR_SECRET_PATH}"
if [[ "${VAR_SIGNER}" == "true" ]]; then
# shellcheck disable=SC2312
find "${VAR_TMP_SECRET}" -xdev -type f \
! -path "${VAR_TMP_SECRET}/signing_key_pass.txt" \
! -path "${VAR_TMP_SECRET}/luks.txt" \
-print0 \
| xargs -0 --no-run-if-empty shred -fzu -n 5 --
else
### Removes secrets securely.
# shellcheck disable=SC2312
find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
validate_secret_file_in_root "${VAR_SIGNING_KEY_PASS}" "signing passphrase file" || return "${ERR_SECRET_PATH}"
signing_pass_path="${VAR_TMP_SECRET}/${VAR_SIGNING_KEY_PASS}"
find_args+=(! -path "${signing_pass_path}")
fi
eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_dotglob}" 2>/dev/null || true
validate_secret_file_in_root "${luks_key_filename}" "LUKS key file" || return "${ERR_SECRET_PATH}"
luks_key_path="${VAR_TMP_SECRET}/${luks_key_filename}"
find_args+=(! -path "${luks_key_path}")
# shellcheck disable=SC2312
find "${find_args[@]}" -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"