msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.400.2025.11.08
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m11s
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 45m25s
Details
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Failing after 1m9s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-08 19:55:40 +01:00
parent d808185fba
commit a7896c9cfc
6 changed files with 51 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
View File

@@ -11,5 +11,5 @@
build: build:
counter: 1023 counter: 1023
version: V8.13.296.2025.10.29 version: V8.13.400.2025.11.08
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

2
.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
View File

@@ -10,6 +10,6 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
build: build:
counter: 1024 counter: 1023
version: V8.13.400.2025.11.08 version: V8.13.400.2025.11.08
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

2
.gitea/trigger/t_generate_PUBLIC.yaml
View File

@@ -11,5 +11,5 @@
build: build:
counter: 1023 counter: 1023
version: V8.13.296.2025.10.29 version: V8.13.400.2025.11.08
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

37
.gitea/workflows/generate_PRIVATE_trixie_0.yaml
View File

@@ -219,6 +219,7 @@ jobs:
--trixie --trixie
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs. - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
shell: bash
env: env:
NC_BASE: "https://cloud.e2ee.li" NC_BASE: "https://cloud.e2ee.li"
SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}" SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
@@ -228,8 +229,11 @@ jobs:
SHARE_SUBDIR="" SHARE_SUBDIR=""
echo "📥 Get directory listing via PROPFIND ..." echo "📥 Get directory listing via PROPFIND ..."
curl -s \
curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \ --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X PROPFIND \
-H "Depth: 1" \
"${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
-o propfind_public.xml -o propfind_public.xml
echo "📥 Filter .iso files from the PROPFIND response ..." echo "📥 Filter .iso files from the PROPFIND response ..."
@@ -237,65 +241,46 @@ jobs:
grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
echo "💡 Old ISO files found and deleted :" echo "💡 Old ISO files found and deleted :"
while IFS= read -r href; do while IFS= read -r href; do
FILE_URL="${NC_BASE}${href}" FILE_URL="${NC_BASE}${href}"
echo " Delete: ${FILE_URL}" echo " Delete: ${FILE_URL}"
if curl -s \
if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X DELETE "${FILE_URL}"; then
echo " ✅ Successfully deleted: $(basename "${href}")" echo " ✅ Successfully deleted: $(basename "${href}")"
else else
echo " ❌ Error: $(basename "${href}") could not be deleted" echo " ❌ Error: $(basename "${href}") could not be deleted"
fi fi
done < public_iso_list.txt done < public_iso_list.txt
else else
echo "💡 No old ISO files found to delete." echo "💡 No old ISO files found to delete."
fi fi
- name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV. - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
shell: bash
env: env:
NC_BASE: "https://cloud.e2ee.li" NC_BASE: "https://cloud.e2ee.li"
SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}" SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}" SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
run: | run: |
set -euo pipefail set -euo pipefail
if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
echo "❌ There must be exactly one .iso file in the directory!" echo "❌ There must be exactly one .iso file in the directory!"
exit 1 exit 1
else else
VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso) VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}") VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}" echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
fi fi
AUTH="${SHARE_TOKEN}:${SHARE_PASS}" AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
--upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
echo "✅ New ISO successfully uploaded." echo "✅ New ISO successfully uploaded."
else else
echo "❌ Uploading the new ISO failed." echo "❌ Uploading the new ISO failed."
exit 1 exit 1
fi fi
- name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file. - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.

2
ciss_live_builder.sh
View File

@@ -235,7 +235,7 @@ init_gnupg
### Integrate primordial SSH identity files. ### Integrate primordial SSH identity files.
init_primordial init_primordial
### Integrate CISS.debian.live.builder repository into build dir. ### Integrate CISS.debian.live.builder repository into the build dir.
hardening_ultra hardening_ultra
### CISS.debian.installer 'GRUB' and 'autostart' generator. ### CISS.debian.installer 'GRUB' and 'autostart' generator.

54
config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
View File

@@ -102,22 +102,20 @@ Verify_checksums() {
### CDLB verification of script integrity itself ----------------------------------------------------------------------------- ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
log_begin_msg "Verifying integrity of: [0030-verify-checksums] " log_begin_msg "Verifying integrity of: [0030-verify-checksums]"
printf "\n" printf "\n"
printf "\e[95m[INFO] Verifying integrity of: [0030-verify-checksums] ... \n\e[0m"
_CAND="" _CAND=""
CDLB_SCRIPT_SELF="" CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE="" CDLB_SCRIPT_SELF="" CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE=""
CDLB_CMD="/usr/bin/sha512sum"
CDLB_SHA="sha512"
for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do
[ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; } [ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
done done
[ -n "${CDLB_SCRIPT_SELF}" ] || { echo "cannot locate 0030-verify-checksums"; exit 1; }
CDLB_CMD="/usr/bin/sha512sum"
CDLB_SHA="sha512"
CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}" CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}"
CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}" CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}"
@@ -125,13 +123,16 @@ Verify_checksums() {
CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt" CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig" CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
printf "\e[95m[INFO] Verifying integrity of: [%s] ... \n\e[0m" "${CDLB_SCRIPT_FULL}"
printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}" printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}"
if ! /usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
printf "\e[91m[FATAL] Verifying signature of: [%s] failed. \n\e[0m" "${CDLB_SIG_FILE}" printf "\e[91m[FATAL] Verifying signature of: [%s] failed. \n\e[0m" "${CDLB_SIG_FILE}"
sleep 16 sleep 16
# TODO panic "[FATAL] Verifying signature of: [0030-verify-checksums.sha512sum.txt.sig] failed. " panic "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed."
else else
@@ -148,12 +149,12 @@ Verify_checksums() {
printf "\e[91m[FATAL] Recomputing hash for: [%s] failed. \n\e[0m" "${CDLB_SHA}" printf "\e[91m[FATAL] Recomputing hash for: [%s] failed. \n\e[0m" "${CDLB_SHA}"
sleep 16 sleep 16
# TODO panic "[FATAL] Recomputing hash for: [sha512] failed." panic "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed."
fi fi
printf "\e[92m[INFO] Recomputing hash for: [%s] successful. \n\e[0m" "${CDLB_SHA}" printf "\e[92m[INFO] Recomputing hash for: [%s] successful. \n\e[0m" "${CDLB_SHA}"
printf "\e[92m[INFO] Verification of authenticity and integrity of [%s] successfully completed. \n\e[0m" "${CDLB_SHA}" printf "\e[92m[INFO] Verification of authenticity and integrity of [%s] successfully completed. \n\e[0m" "${CDLB_SCRIPT_FULL}"
log_end_msg log_end_msg
printf "\n" printf "\n"
@@ -174,22 +175,29 @@ Verify_checksums() {
if [ -e "${_CHECKSUM}" ]; then if [ -e "${_CHECKSUM}" ]; then
printf "\e[95m[INFO] Found [%s] ... \n\e[0m" "${_CHECKSUM}" printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "${_CHECKSUM}"
if [ -e "/usr/bin/${_DIGEST}sum" ]; then if [ -e "/usr/bin/${_DIGEST}sum" ]; then
printf "\e[95m[INFO] Found [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum" printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum"
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
printf "\e[95m[INFO] Checking signature of [%s] ... \n\e[0m" "${_CHECKSUM}" printf "\e[95m[INFO] Checking signature of: [%s] ... \n\e[0m" "${_CHECKSUM}"
_CHECKSUM_SIGNATURE="${_CHECKSUM}.sig" _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
/usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}" if /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"; then
_RETURN_PGP="${?}"
printf "\e[92m[INFO] Checking signature of [%s] successful. \n\e[0m" "${_CHECKSUM}" _RETURN_PGP="${?}"
printf "\e[92m[INFO] Checking signature of: [%s] successful. \n\e[0m" "${_CHECKSUM}"
else
_RETURN_PGP="${?}"
printf "\e[91m[FATAL] Checking signature of: [%s] failed. \n\e[0m" "${_CHECKSUM}"
fi
else else
@@ -197,17 +205,25 @@ Verify_checksums() {
fi fi
printf "\e[92m[INFO] Found [%s] done. \n\e[0m" "/usr/bin/${_DIGEST}sum"
# shellcheck disable=SC2312 # shellcheck disable=SC2312
grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}" if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then
_RETURN_SHA="${?}" _RETURN_SHA="${?}"
printf "\e[92m[INFO] Found: [%s] successful done, for: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
else
_RETURN_SHA="${?}"
printf "\e[91m[FATAL] Found: [%s] failed, for: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
fi
# Stop after the first verification. # Stop after the first verification.
break 2 break 2
else else
_RETURN_SHA="255"
printf "\e[93m[WARN] NOT Found [%s]. \n\e[0m" "/usr/bin/${_DIGEST}sum" printf "\e[93m[WARN] NOT Found [%s]. \n\e[0m" "/usr/bin/${_DIGEST}sum"
fi fi