diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
index 8f65393..cece650 100644
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.296.2025.10.29
+ version: V8.13.400.2025.11.08
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
index 4dac30c..cece650 100644
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -10,6 +10,6 @@
# SPDX-Security-Contact: security@coresecret.eu
build:
- counter: 1024
+ counter: 1023
version: V8.13.400.2025.11.08
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml
index dc81ba4..3c06eac 100644
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.296.2025.10.29
+ version: V8.13.400.2025.11.08
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
index a1de38c..7862535 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -219,6 +219,7 @@ jobs:
--trixie
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+ shell: bash
env:
NC_BASE: "https://cloud.e2ee.li"
SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
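Review bot: In t_generate_PRIVATE_trixie_1.yaml the build counter goes backwards from 1024 to 1023, and the resulting blob (`cece650`) is the same as t_generate_PRIVATE_trixie_0.yaml's, so both private triggers now carry identical counter and version values. If the counter is meant to order or distinguish the two private builds, this looks unintended; if the two files are supposed to stay in lockstep, a comment such as `# counter/version are kept identical to t_generate_PRIVATE_trixie_0.yaml` would save the next reader the comparison.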
@@ -228,8 +229,11 @@ jobs:
SHARE_SUBDIR=""
echo "📥 Get directory listing via PROPFIND ..."
-
- curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+ curl -s \
+ --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+ -X PROPFIND \
+ -H "Depth: 1" \
+ "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
-o propfind_public.xml
echo "📥 Filter .iso files from the PROPFIND response ..."
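Review bot: The PROPFIND on the new `curl -s` lines still passes the share credentials on the command line via `--user "${SHARE_TOKEN}:${SHARE_PASS}"`, where on a typical Linux runner they are readable by any other process through `/proc/*/cmdline` for the duration of the call, and `-s` without `--fail` means a 401/404 response body is written into `propfind_public.xml` with exit status 0, so an authentication failure later looks the same as an empty share. I would use `curl -sS --fail -K - -X PROPFIND ...` and feed the credential on stdin with a here-doc containing `user = "${SHARE_TOKEN}:${SHARE_PASS}"`, which keeps the secret out of argv and makes a failed listing abort the step rather than silently proceed. The run block this belongs to starts before the hunk, so whether the step sets `-e` is not visible here.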
@@ -237,65 +241,46 @@ jobs:
grep -oP '(?<=)[^<]+\.iso(?=)' propfind_public.xml >| public_iso_list.txt || true
if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
-
echo "💡 Old ISO files found and deleted :"
-
while IFS= read -r href; do
-
FILE_URL="${NC_BASE}${href}"
echo " Delete: ${FILE_URL}"
-
- if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
-
+ if curl -s \
+ --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+ -X DELETE "${FILE_URL}"; then
echo " ✅ Successfully deleted: $(basename "${href}")"
-
else
-
echo " ❌ Error: $(basename "${href}") could not be deleted"
-
fi
-
done < public_iso_list.txt
-
else
-
echo "💡 No old ISO files found to delete."
-
fi
- name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+ shell: bash
env:
NC_BASE: "https://cloud.e2ee.li"
SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
run: |
set -euo pipefail
-
if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
-
echo "❌ There must be exactly one .iso file in the directory!"
exit 1
-
else
-
VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
-
fi
AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
-
- if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
+ if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
--upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
-
echo "✅ New ISO successfully uploaded."
-
else
-
echo "❌ Uploading the new ISO failed."
exit 1
-
fi
- name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh
index 425da04..ca8b367 100644
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
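Review bot: Both curl calls in this hunk still treat any completed HTTP exchange as success, because curl exits 0 on a 4xx/5xx response unless `--fail` is given: the DELETE branch prints "Successfully deleted" for a rejected delete, and the upload branch prints "New ISO successfully uploaded" and lets the job continue to the signing step after, say, a 401 or 507, so the signed success message would vouch for an ISO that never reached the share. Add `--fail` (and `-S`, so the reason reaches the log instead of being swallowed by `> /dev/null 2>&1`) to both: `if curl -sS --fail --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then` and `if curl -sS --fail --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \`. With `--fail`, `--retry 2` also has something meaningful to act on for the transient server errors it covers. The run body of the delete step begins before this hunk.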
@@ -235,7 +235,7 @@ init_gnupg
### Integrate primordial SSH identity files.
init_primordial
-### Integrate CISS.debian.live.builder repository into build dir.
+### Integrate CISS.debian.live.builder repository into the build dir.
hardening_ultra
### CISS.debian.installer 'GRUB' and 'autostart' generator.
diff --git a/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums b/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
index f0ab2e3..9fbb28a 100644
--- a/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
+++ b/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
@@ -102,22 +102,20 @@ Verify_checksums() {
### CDLB verification of script integrity itself -----------------------------------------------------------------------------
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
- log_begin_msg "Verifying integrity of: [0030-verify-checksums] "
+ log_begin_msg "Verifying integrity of: [0030-verify-checksums]"
printf "\n"
- printf "\e[95m[INFO] Verifying integrity of: [0030-verify-checksums] ... \n\e[0m"
_CAND="" CDLB_SCRIPT_SELF="" CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE=""
+ CDLB_CMD="/usr/bin/sha512sum"
+ CDLB_SHA="sha512"
+
for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do
[ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
done
- [ -n "${CDLB_SCRIPT_SELF}" ] || { echo "cannot locate 0030-verify-checksums"; exit 1; }
-
- CDLB_CMD="/usr/bin/sha512sum"
- CDLB_SHA="sha512"
CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}"
CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}"
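Review bot: The guard `[ -n "${CDLB_SCRIPT_SELF}" ] || { echo "cannot locate 0030-verify-checksums"; exit 1; }` is removed in this hunk and not re-added, so when neither candidate path exists `CDLB_SCRIPT_SELF` stays empty, `CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}"` becomes empty, and the run continues with a hash file named `.sha512sum.txt`; the failure then presumably surfaces at the gpgv call in the next hunk as a signature error rather than as the real cause. Since the later hunks of this file now use `panic` for fatal conditions, I would restore the check right after `done` in that style: `[ -n "${CDLB_SCRIPT_SELF}" ] || panic "[FATAL] cannot locate 0030-verify-checksums"`. Verify_checksums starts before this hunk and continues after it.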
@@ -125,13 +123,16 @@ Verify_checksums() {
CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
+
+ printf "\e[95m[INFO] Verifying integrity of: [%s] ... \n\e[0m" "${CDLB_SCRIPT_FULL}"
+ printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}"
- if ! /usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
+ if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
printf "\e[91m[FATAL] Verifying signature of: [%s] failed. \n\e[0m" "${CDLB_SIG_FILE}"
sleep 16
- # TODO panic "[FATAL] Verifying signature of: [0030-verify-checksums.sha512sum.txt.sig] failed. "
+ panic "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed."
else
@@ -148,12 +149,12 @@ Verify_checksums() {
printf "\e[91m[FATAL] Recomputing hash for: [%s] failed. \n\e[0m" "${CDLB_SHA}"
sleep 16
- # TODO panic "[FATAL] Recomputing hash for: [sha512] failed."
+ panic "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed."
fi
printf "\e[92m[INFO] Recomputing hash for: [%s] successful. \n\e[0m" "${CDLB_SHA}"
- printf "\e[92m[INFO] Verification of authenticity and integrity of [%s] successfully completed. \n\e[0m" "${CDLB_SHA}"
+ printf "\e[92m[INFO] Verification of authenticity and integrity of [%s] successfully completed. \n\e[0m" "${CDLB_SCRIPT_FULL}"
log_end_msg
printf "\n"
@@ -174,22 +175,29 @@ Verify_checksums() {
if [ -e "${_CHECKSUM}" ]; then
- printf "\e[95m[INFO] Found [%s] ... \n\e[0m" "${_CHECKSUM}"
+ printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "${_CHECKSUM}"
if [ -e "/usr/bin/${_DIGEST}sum" ]; then
- printf "\e[95m[INFO] Found [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum"
+ printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum"
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
- printf "\e[95m[INFO] Checking signature of [%s] ... \n\e[0m" "${_CHECKSUM}"
+ printf "\e[95m[INFO] Checking signature of: [%s] ... \n\e[0m" "${_CHECKSUM}"
_CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
- /usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
- _RETURN_PGP="${?}"
+ if /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"; then
- printf "\e[92m[INFO] Checking signature of [%s] successful. \n\e[0m" "${_CHECKSUM}"
+ _RETURN_PGP="${?}"
+ printf "\e[92m[INFO] Checking signature of: [%s] successful. \n\e[0m" "${_CHECKSUM}"
+
+ else
+
+ _RETURN_PGP="${?}"
+ printf "\e[91m[FATAL] Checking signature of: [%s] failed. \n\e[0m" "${_CHECKSUM}"
+
+ fi
else
@@ -197,17 +205,25 @@ Verify_checksums() {
fi
- printf "\e[92m[INFO] Found [%s] done. \n\e[0m" "/usr/bin/${_DIGEST}sum"
- # shellcheck disable=SC2312
- grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
- _RETURN_SHA="${?}"
+ if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then
+
+ _RETURN_SHA="${?}"
+ printf "\e[92m[INFO] Found: [%s] successful done, for: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
+
+ else
+
+ _RETURN_SHA="${?}"
+ printf "\e[91m[FATAL] Found: [%s] failed, for: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
+
+ fi
# Stop after the first verification.
break 2
else
+ _RETURN_SHA="255"
printf "\e[93m[WARN] NOT Found [%s]. \n\e[0m" "/usr/bin/${_DIGEST}sum"
fi
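Review bot: In the new `else` branch of the gpgv check, a bad or missing signature on `${_CHECKSUM}` only prints `[FATAL]` and records `_RETURN_PGP`; control then falls through to the `grep -v '^#' "${_CHECKSUM}" | ... sum -c` step visible in the following hunk, so checksums from a file whose signature did not verify are still used and `break 2` ends the scan as if verification had happened, whereas the self-verification path changed earlier in this same commit calls `panic` on the equivalent condition. Unless `_RETURN_PGP` is acted on after the loop (outside this hunk), I would make the two paths consistent: `panic "[FATAL] Checking signature of: [${_CHECKSUM}] failed."` as the `else` body, or at least skip the checksum step when it is non-zero. Also, `_RETURN_PGP="${?}"` inside the `then`/`else` bodies works only because `$?` still holds gpgv's status after the keyword; `_RETURN_PGP=0` and `_RETURN_PGP=1`, or one capture before the `if`, would read less like a trap. Verify_checksums starts before this hunk and continues past it.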