V9.14.028.2026.06.18

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-18 10:49:41 +01:00
parent f31ac3503f
commit a8454eeadf
48 changed files with 189 additions and 70 deletions
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.17
+# Version Master V9.14.028.2026.06.18
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.17
+# Version Master V9.14.028.2026.06.18
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.17
+# Version Master V9.14.028.2026.06.18
 name: 💙 Generating a PUBLIC Live ISO.
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V9.14.026.2026.06.17"
+      placeholder: "e.g., Master V9.14.028.2026.06.18"
    validations:
      required: true
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.17
+# Version Master V9.14.028.2026.06.18
 FROM debian:bookworm
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.17
+# Version Master V9.14.028.2026.06.18
 name: 🔁 Render README.md to README.html.
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V9.14.026.2026.06.17
+  version: V9.14.028.2026.06.18
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V9.14.026.2026.06.17
+  version: V9.14.028.2026.06.18
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V9.14.026.2026.06.17
+  version: V9.14.028.2026.06.18
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.17
+# Version Master V9.14.028.2026.06.18
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.17
+# Version Master V9.14.028.2026.06.18
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.17
+# Version Master V9.14.028.2026.06.18
 name: 💙 Generating a PUBLIC Live ISO.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.17
+# Version Master V9.14.028.2026.06.18
 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.17
+# Version Master V9.14.028.2026.06.18
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.17
+# Version Master V9.14.028.2026.06.18
 name: 🔁 Render Graphviz Diagrams.
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.026.2026.06.17"
+properties_version="V9.14.028.2026.06.18"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V9.14.026.2026.06.17
+PackageVersion: Master V9.14.028.2026.06.18
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.026.2026.06.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.028.2026.06.18-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 **CISS.debian.live.builder — First of its own.**<br>
 **World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -137,7 +137,7 @@ verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_
 In compact form, my expectations for the system are:<br>
 * Every bit that matters for boot and provisioning is covered by checksums that I control and that are signed with keys under my solely authoritative HSM.
-* The live root runs out of a LUKS2 dm-integrity container, and the final SquashFS byte stream copied into the decrypted mapper is verified against a signed rootfs attestation manifest, so a tampered or bit-rotted SquashFS never becomes a trusted root.
+* The live root runs out of a LUKS2 dm-integrity container, and the final SquashFS byte stream copied into the decrypted mapper is verified against a signed rootfs attestation manifest, so a tampered or bit-rotted SquashFS never becomes a trusted root. During boot, `0024-ciss-crypt-squash` copies `/live/filesystem.squashfs.sha512sum.txt[.sig]` from the real ISO medium to `/run/ciss-rootfs-attestation/`; `0042_ciss_post_decrypt_attest` then verifies that cached manifest/signature pair against `/etc/ciss/keys/<FPR>.gpg` and the exact bytes read from `/dev/mapper/crypt_liveiso`.
 * Verification steps are not advisory. Any anomaly causes a hard abort during boot.
 * After the live environment has reached a stable, verified state, it can hand off to ``CISS.debian.installer``. The installer operates from the same image, does not pull random payloads from the internet, and keeps the target system behind a hardened firewall until the entire provisioning process has completed.
 * For unattended, headless scenarios I also support builds where the target system is installed without ever exposing a shell over the console. After installation and reboot, the machine waits for a decryption passphrase via an embedded Dropbear SSH instance in the initramfs, limited to public key authentication and guarded by strict cryptographic policies. In such variants even ``/boot`` can be encrypted, with GRUB taking care of unlocking the boot partition.
@@ -181,7 +181,7 @@ installer toolchain.
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V9.14.026.2026.06.17`
+Example: `V9.14.028.2026.06.18`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Repository Structure
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **9.14**, Build **V9.14.026.2026.06.17** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.028.2026.06.18** (as of 2025-10-11)
 ## 3.1. Top-Level Layout
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. CISS Secure Boot Private Material
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. CISS Secure Boot Public Material
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.17
+# Version Master V9.14.028.2026.06.18
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.17
+# Version Master V9.14.028.2026.06.18
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.17
+# Version Master V9.14.028.2026.06.18
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V9.14.026.2026.06.17"
+declare -gr VERSION="Master V9.14.028.2026.06.18"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V9.14.026.2026.06.17 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.028.2026.06.18 at: 10:18:37.9542
@@ -395,7 +395,25 @@ if [ ! -f "${CDLB_ROOTFS_ATTEST_SOURCE}" ] || [ ! -f "${CDLB_ROOTFS_ATTEST_SOURC
 fi
-mkdir -p "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
+if ! mkdir -p "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"; then
  printf "\e[91m[FATAL] Boot failure        : Failed to create rootfs attestation cache directory: [%s] \n\e[0m" \
    "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
  sleep 8
  log   "[FATAL] Boot failure        : Failed to create rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
  panic "[FATAL] Boot failure        : Failed to create rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
 fi
 if ! chmod 0755 "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"; then
  printf "\e[91m[FATAL] Boot failure        : Failed to permission rootfs attestation cache directory: [%s] \n\e[0m" \
    "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
  sleep 8
  log   "[FATAL] Boot failure        : Failed to permission rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
  panic "[FATAL] Boot failure        : Failed to permission rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
 fi
 if ! cp "${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_MANIFEST}" || \
   ! cp "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"; then
@@ -408,7 +426,17 @@ if ! cp "${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_MANIFEST}" || \
 fi
-chmod 0444 "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}" 2>&- || true
+if ! chmod 0444 "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"; then
  printf "\e[91m[FATAL] Boot failure        : Failed to make rootfs attestation cache read-only: [%s] \n\e[0m" \
    "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
  sleep 8
  log   "[FATAL] Boot failure        : Failed to make rootfs attestation cache read-only: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
  panic "[FATAL] Boot failure        : Failed to make rootfs attestation cache read-only: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
 fi
 chmod 0555 "${CDLB_ROOTFS_ATTEST_CACHE_DIR}" 2>&- || true
 printf "\e[92m[INFO] Rootfs attestation   : Preserved [%s] and [%s] \n\e[0m" \
  "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. DNSSEC Status
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Lynis Audit:
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. SSH Audit by ssh-audit.com
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. TLS Audit:
 ````text
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Hardened Kernel Boot Parameters
@@ -8,10 +8,15 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Changelog
 ## V9.14.028.2026.06.18
 * **Changed**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) Explicitly permissions the runtime rootfs attestation cache and fails closed on cache creation or chmod errors.
 * **Changed**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md) Documents the rootfs attestation artifact custody path from build-time `binary/live` creation through the `0024` runtime cache and `0042` verification.
 * **Changed**: [README.md](../README.md) Documents the runtime rootfs attestation cache handoff.
 ## V9.14.026.2026.06.17
 * **Updated**: git.coresecret.dev nginx Mainline 1.31.1 custom build with OpenSSL 4.0.1 to support PQC KEX algorithms:
 * * ``MLKEM1024`` ``SecP384r1MLKEM1024`` ``X25519MLKEM768`` 
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Centurion Net - Developer Branch Overview
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Purpose
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Contributing / participating
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Credits
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)
 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V9.14.026.2026.06.17
+Master V9.14.028.2026.06.18
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2026
@@ -190,7 +190,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/
-                        V9.14.026.2026.06.17                        2026-05-17                         CDLB(1)
+                        V9.14.028.2026.06.18                        2026-05-17                         CDLB(1)
 ````
 # 3. Booting
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)
-**Status:** 2026-06-10<br>
+**Status:** 2026-06-18<br>
 **Audience:** CICA CISO, CISS staff, technically proficient administrators<br>
-**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain around the live root: after the CISS LUKS/dm-integrity container has been opened, and the live medium context has been exposed, `0030-ciss-verify-checksums` verifies the mounted live-medium checksum manifest, detached signature, and signer fingerprint; later, `0042_ciss_post_decrypt_attest` verifies the signed rootfs attestation manifest, and the exact final SquashFS payload bytes copied into the decrypted LUKS mapper. UEFI Secure Boot can use either the default Microsoft/Debian shim chain, or a CISS-signed UKI chain for systems that trust the CISS Secure Boot key material.<br>
+**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain around the live root: after the CISS LUKS/dm-integrity container has been opened, and the live medium context has been exposed, `0030-ciss-verify-checksums` verifies the mounted live-medium checksum manifest, detached signature, and signer fingerprint; `0024-ciss-crypt-squash` preserves the rootfs attestation artifacts from the real ISO medium into a stable initramfs runtime cache; later, `0042_ciss_post_decrypt_attest` verifies the signed rootfs attestation manifest, and the exact final SquashFS payload bytes copied into the decrypted LUKS mapper. UEFI Secure Boot can use either the default Microsoft/Debian shim chain, or a CISS-signed UKI chain for systems that trust the CISS Secure Boot key material.<br>
 # 3. Overview
@@ -22,7 +22,7 @@ include_toc: true
 * **Integrity and authenticity verification:**
  1. **Mounted live medium:** After `0024-ciss-crypt-squash` has opened the encrypted container and exposed `/run/live/medium`, verify `sha512sum.txt` using `gpgv`, FPR pinning, and checksum execution.
-  2. **Decrypted rootfs payload:** Verify the external rootfs attestation manifest using `gpgv` and FPR pinning, then verify the exact SquashFS payload bytes from the decrypted mapper with `sha512sum -c`.
+  2. **Decrypted rootfs payload:** Preserve the external rootfs attestation manifest and detached signature before live-boot may replace or unmount the medium view, verify the cached manifest using `gpgv` and FPR pinning, then verify the exact SquashFS payload bytes from the decrypted mapper with `sha512sum -c`.
 * **Storage-level confidentiality and keyed sector integrity:** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB).
 * **Remotely unlock:** CISS hardened and build dropbear, modern primitives only, no passwords, no agent/forwarding.
@@ -55,7 +55,7 @@ private Secure Boot key names are detected in those paths before live-build chec
 | dm-integrity | `hmac-sha512` (keyed), journal                                                   | Keyed per-sector integrity for the opened mapping; not origin authenticity |
 | PBKDF        | `argon2id`, `--iter-time 1000` ms, `--pbkdf-memory 262144`, `--pbkdf-parallel 1` | Bounded key derivation cost for initramfs unlock                           |
 | Signatures   | Ed25519 or RSA-4096 (FPR pinned)                                                 | Public verifiability, non-repudiation                                      |
-| Verification | `gpgv --no-default-keyring`                                                      | No agent dependency in initramfs                                           |
+| Verification | `gpgv --keyring <pinned-keyring>`                                                | Explicit keyring selection and no agent dependency in initramfs            |
 | Hash lists   | `sha512sum` format                                                               | Deterministic content verification                                         |
 | Dropbear     | Modern KEX/AEAD (per `localoptions.h`)                                           | Minimal attack surface, remote unlock                                      |
@@ -92,8 +92,10 @@ flowchart TD
    0090 e09@--> 0100["Starting CISS.hardened dropbear"];
    0100 e10@--> 0110["Executing live-boot, mounting ISO FS"];
    0110 e11@--> 0122["Executing 0022-ciss: Hardening tmpfs for OverlayFS upper/work"];
-    0122 e12@--> 0124["Executing 0024-ciss: LUKS open (dm-crypt & integrity)"];
+    0122 e12@--> 0124["Executing 0024-ciss: Mount ISO medium and locate /live/ciss_rootfs.crypt"];
-    0124 e13@--> |SUCCESSFUL| LUKS["Decrypted mapper exposed; livefs_root=/run/live/medium set"];
+    0124 e13@--> CACHE["0024-ciss: Preserve rootfs attestation artifacts in /run/ciss-rootfs-attestation"];
    CACHE e13b@--> LUKSOPEN["0024-ciss: LUKS open (dm-crypt & integrity)"];
    LUKSOPEN e13c@--> |SUCCESSFUL| LUKS["Decrypted mapper exposed; livefs_root=/run/live/medium set"];
    LUKS e14@--> 0126["Executing 0026-ciss: Hardening early sysctls"];
    0126 e15@--> 0130["Executing 0030-ciss: Mounted live-medium checksum and signature verification"];
    0130 e16@--> |SUCCESSFUL| ROOT["9990-overlay: Mount SquashFS / OverlayFS"];
@@ -111,6 +113,8 @@ flowchart TD
    e11@{ animation: fast }
    e12@{ animation: fast }
    e13@{ animation: fast }
    e13b@{ animation: fast }
    e13c@{ animation: fast }
    e14@{ animation: fast }
    e15@{ animation: fast }
    e16@{ animation: fast }
@@ -130,6 +134,8 @@ flowchart TD
 0030 -- FAIL --> X;
 0040 -- FAIL --> X;
 0124 -- FAIL --> X;
 CACHE -- FAIL --> X;
 LUKSOPEN -- FAIL --> X;
 0130 -- FAIL --> X;
 0142 -- FAIL --> X;
 ```
@@ -145,6 +151,19 @@ ISO medium
                └── OverlayFS / running root filesystem
 ```
 Rootfs attestation evidence follows a separate side path:
 ```text
 ISO medium
 ├── /live/filesystem.squashfs.sha512sum.txt
 └── /live/filesystem.squashfs.sha512sum.txt.sig
    └── copied by 0024-ciss-crypt-squash to:
        ├── /run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt
        └── /run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig
 ```
 The `/run/ciss-rootfs-attestation/` cache is only a stable initramfs runtime location. It is not a trust anchor. `0042_ciss_post_decrypt_attest` still requires the cached manifest to verify against the detached signature, the pinned GPG fingerprint, and the actual decrypted mapper bytes.
 ```mermaid
 ---
 config:
@@ -186,6 +205,38 @@ cryptsetup luksFormat \
 **Signing keys:** Ed25519 and RSA-4096; **FPR pinned at build time** in hooks. Signing keys are **additionally** signed by an offline GPG Root-CA (out-of-band trust chain).
 ## 7.1. Rootfs Attestation Artifacts Created at Build Time
 `config/hooks/live/zzzz_ciss_crypt_squash.hook.binary` runs in the live-build binary phase after `binary/live/filesystem.squashfs` exists and before the final ISO image is emitted.
 The hook expects:
 | Artifact                    | Build-time path                                            | Purpose                                                                                 |
 |-----------------------------|------------------------------------------------------------|-----------------------------------------------------------------------------------------|
 | Final plaintext SquashFS    | `${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs` | Source byte stream that will be attested and copied into the encrypted mapper.          |
 | Signing key passphrase file | `${VAR_SIGNING_KEY_PASSFILE}`                              | Unlocks the configured signing key without exposing the passphrase on the command line. |
 | Verification keyring        | `${VAR_VERIFY_KEYRING}`                                    | Build-time self-check for the detached signature before the ISO is accepted.            |
 The hook creates:
 | Artifact                              | Build-time path                                                              | ISO path                                      |
 |---------------------------------------|------------------------------------------------------------------------------|-----------------------------------------------|
 | Encrypted live root container         | `${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt`                     | `/live/ciss_rootfs.crypt`                     |
 | Rootfs attestation manifest           | `${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs.sha512sum.txt`     | `/live/filesystem.squashfs.sha512sum.txt`     |
 | Rootfs attestation detached signature | `${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs.sha512sum.txt.sig` | `/live/filesystem.squashfs.sha512sum.txt.sig` |
 The manifest format is intentionally small and deterministic:
 ```text
 # CISS.debian.live.builder Master <version>
 # Attestation file for filesystem.squashfs Version 1.0.0
 # Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso
 # Bytes    : Final filesystem.squashfs <exact-byte-count>
 <sha512-of-final-filesystem.squashfs>  filesystem.squashfs
 ```
 The signed boundary is the final SquashFS byte stream before LUKS wrapping. The hook writes that byte stream into `/dev/mapper/crypt_liveiso`, closes the mapper, shreds the transient LUKS key file, removes `binary/live/filesystem.squashfs`, and keeps only `/live/ciss_rootfs.crypt` plus the manifest/signature pair in the final ISO payload tree.
 # 8. Mounted Live-Medium Checksum Verification (CISS modified hook 0030-ciss-verify-checksums, live-bottom)
 **Goal:** After `0024-ciss-crypt-squash` has opened the encrypted container and exposed the live medium context, but before the final live root is accepted, verify:
@@ -203,17 +254,39 @@ cryptsetup luksFormat \
 # 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0042_ciss_post_decrypt_attest, called by 9990-overlay.sh)
-**Goal:** After LUKS unlocked, validate the **decrypted** rootfs payload selected at build time and the **actual** mapping topology.
+**Goal:** After LUKS unlocked, and the live root has been mounted by `9990-overlay.sh`, validate the **decrypted** rootfs payload selected at build time and the **actual** mapping topology.
 * **Attested boundary:** the final `binary/live/filesystem.squashfs` byte stream, immediately before it is copied into `/dev/mapper/crypt_liveiso` by `zzzz_ciss_crypt_squash.hook.binary`.
 * **Runtime verification boundary:** the first byte count declared by `# Bytes    : Final filesystem.squashfs <bytes>` in the signed manifest, read from the decrypted mapper. Any LUKS allocation slack after the SquashFS payload is intentionally excluded.
-* **Attestation files:** `/run/live/medium/live/filesystem.squashfs.sha512sum.txt[.sig]`
+* **ISO attestation files:** `/run/live/medium/live/filesystem.squashfs.sha512sum.txt[.sig]` while the original ISO medium is mounted by `0024-ciss-crypt-squash`.
 * **Runtime attestation cache:** `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt[.sig]`, copied by `0024-ciss-crypt-squash` before live-boot may replace or unmount the medium view during `toram` handling.
 * **Key source:** `/etc/ciss/keys/*.gpg` (accepted only if FPR == build-pin)
 ## 9.1. Runtime Artifact Custody and Expectations
 | Step | Actor                           | Requires                                                                                                                                                                                                      | Copies / writes                                                                                                                                                                                                                                                                                                    | Later consumer                                                               |
 |------|---------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|
 | 1    | `0024-ciss-crypt-squash`        | Mounted ISO medium at `/run/live/medium`; `/run/live/medium/live/ciss_rootfs.crypt`; `/run/live/medium/live/filesystem.squashfs.sha512sum.txt`; `/run/live/medium/live/filesystem.squashfs.sha512sum.txt.sig` | Copies the manifest to `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt` and the detached signature to `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig`; sets the cache directory to `0755` before copy, cached files to `0444`, and best-effort final directory mode to `0555` | `0042_ciss_post_decrypt_attest`                                              |
 | 2    | `0024-ciss-crypt-squash`        | `/run/live/medium/live/ciss_rootfs.crypt`; unlock passphrase from console or Dropbear path                                                                                                                    | Opens the encrypted container as `/dev/mapper/crypt_liveiso`; writes `/run/ciss-rootdev` with mapper, medium, and attestation-cache paths                                                                                                                                                                          | `9990-overlay.sh`                                                            |
 | 3    | `9990-main.sh`                  | `/conf/param.conf` with `PLAIN_ROOT=1` and `livefs_root=/run/live/medium`; optional `toram` boot parameter                                                                                                    | May copy live media to RAM and may leave `/run/live/medium` busy, replaced, or otherwise unsuitable as the only attestation source                                                                                                                                                                                 | `9990-overlay.sh` and `0042_ciss_post_decrypt_attest`                        |
 | 4    | `9990-overlay.sh`               | `/run/ciss-rootdev`; `/dev/mapper/crypt_liveiso`                                                                                                                                                              | Sources `/run/ciss-rootdev`, overrides the image directory to `/dev/mapper/crypt_liveiso`, mounts the decrypted SquashFS read-only, and invokes `/usr/lib/live/boot/0042_ciss_post_decrypt_attest`                                                                                                                 | `0042_ciss_post_decrypt_attest`                                              |
 | 5    | `0042_ciss_post_decrypt_attest` | `/etc/ciss/keys/<pinned-FPR>.gpg`; `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt`; `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig`; `/dev/mapper/crypt_liveiso`        | Creates transient `/run/ciss-rootfs-attestation.sha512sum` for `sha512sum -c`; does not create trusted evidence                                                                                                                                                                                                    | Boot continues only after signature, FPR, and exact payload bytes all verify |
 `0042_ciss_post_decrypt_attest` resolves artifacts in this order:
 1. The explicit manifest/signature paths exported through `/run/ciss-rootdev`.
 2. The default runtime cache under `/run/ciss-rootfs-attestation/`.
 3. Compatibility fallback mountpoints: `${CDLB_MNT_MEDIUM}`, `/run/live/medium`, `/lib/live/mount/medium`, and `/cdrom`.
 The fallback mountpoints are diagnostic and compatibility paths. The intended normal path for current CISS ISOs is the runtime cache copied by `0024-ciss-crypt-squash`.
 **Core calls (initramfs):**
 ```sh
 # 1) Signature and FPR pin (no agent)
 DATA="/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt"
 SIG="${DATA}.sig"
 KEYFILE="/etc/ciss/keys/<pinned-FPR>.gpg"
 /usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIG}" "${DATA}"
 # 2) Mandatory content hash verification
@@ -222,7 +295,7 @@ dd if="${CDLB_MAPPER_DEV}" ... | /usr/bin/sha512sum -c /run/ciss-rootfs-attestat
 # 10. Failure Policy (fail-closed, deterministic)
-* **Abort** on: missing checksum manifest, unsupported checksum manifest/tool state, failed checksum, empty checksum manifest, missing `VALIDSIG`, FPR mismatch, missing key/signature, malformed rootfs attestation manifest, or rootfs payload hash mismatch.
+* **Abort** on: missing checksum manifest, unsupported checksum manifest/tool state, failed checksum, empty checksum manifest, missing rootfs attestation artifacts on the real ISO medium during `0024`, failed preservation of the runtime attestation cache, missing cached rootfs manifest/signature during `0042`, missing `VALIDSIG`, FPR mismatch, missing key/signature, malformed rootfs attestation manifest, or rootfs payload hash mismatch.
 * A signed rootfs manifest alone is not sufficient. Boot continues only after the manifest signature/FPR, and the decrypted SquashFS payload bytes both verify successfully.
 * `dm-integrity` protects the opened LUKS mapping against sector corruption or tampering under the LUKS key, but it is not treated as origin authenticity. Origin authenticity is provided by the signed rootfs attestation manifest and pinned signer fingerprint.
@@ -260,7 +333,12 @@ dd if="${CDLB_MAPPER_DEV}" ... | /usr/bin/sha512sum -c /run/ciss-rootfs-attestat
 * **Key files:**
  * Mounted live medium (for 0030): embedded public key blob (project-specific FPR)
  * Root FS (for 0042): `/etc/ciss/keys/<FPR>.gpg`
-* **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`
+* **Rootfs attestation artifacts:**
  * ISO payload paths: `/live/filesystem.squashfs.sha512sum.txt`, `/live/filesystem.squashfs.sha512sum.txt.sig`
  * Runtime cache paths: `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt`, `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig`
  * Transient checksum file for exact mapper-byte verification: `/run/ciss-rootfs-attestation.sha512sum`
 * **Runtime handoff state:** `/run/ciss-rootdev`
 * **Mounts (typical):** `/run/live/medium`, `/run/live/rootfs`, `/run/live/overlay`
 # 13. Diagram: CISS Live ISO Build, Boot, and Run Time Trust Chain & Verification Paths
 ```mermaid
@@ -268,21 +346,27 @@ flowchart TD
  subgraph ISO Build Time
    A["Embed and pin GPG FPR (into ISO & RootFS as needed)"] e00@--> B["Generate mounted-medium sha512sum.txt and .sig"];
-    B e01@--> C["Build filesystem.squashfs and wrap it into ciss_rootfs.crypt"];
+    B e01@--> C["Build filesystem.squashfs"];
    C e01b@--> C2["Generate rootfs attestation manifest and detached signature in binary/live"];
    C2 e01c@--> C3["Copy filesystem.squashfs into ciss_rootfs.crypt and remove plaintext filesystem.squashfs"];
    e00@{ animation: fast }
    e01@{ animation: fast }
    e01b@{ animation: fast }
    e01c@{ animation: fast }
  end
  subgraph ISO Boot Time
-    C e02@--> D["0024 opens ciss_rootfs.crypt with LUKS2 and dm-integrity"];
+    C3 e02@--> D["0024 mounts real ISO medium and expects ciss_rootfs.crypt plus rootfs attestation files under /live"];
-    D e03@-->|SUCCESSFUL| E["Decrypted mapper exposed and livefs_root=/run/live/medium set"];
+    D e02b@--> DCACHE["0024 copies rootfs attestation files to /run/ciss-rootfs-attestation"];
    DCACHE e03@--> E["0024 opens ciss_rootfs.crypt with LUKS2/dm-integrity and exposes /dev/mapper/crypt_liveiso"];
    E e04@--> F["0030 verifies mounted live-medium manifest, signature, FPR, and checksums"];
    F e05@-->|SUCCESSFUL| G["Mounted live medium verified"];
    G e06@--> H["9990-overlay mounts SquashFS / OverlayFS"];
-    H e07@--> I["0042 verifies signed rootfs attestation manifest and FPR"];
+    H e07@--> I["0042 verifies cached rootfs attestation manifest and FPR"];
    I e08@--> J["0042 verifies exact SquashFS bytes from /dev/mapper/crypt_liveiso"];
    J e09@-->|SUCCESSFUL| K["RootFS SquashFS payload attestation successful"];
    e02@{ animation: fast }
    e02b@{ animation: fast }
    e03@{ animation: fast }
    e04@{ animation: fast }
    e05@{ animation: fast }
@@ -299,6 +383,8 @@ flowchart TD
  end
 D -- FAIL --> X;
 DCACHE -- FAIL --> X;
 E -- FAIL --> X;
 F -- FAIL --> X;
 I -- FAIL --> X;
 J -- FAIL --> X;
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Resources
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. ``30-ciss-hardening.conf``
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. ``90-ciss-local.hardened``
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.17<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. ``ciss_live_builder.sh``
@@ -601,7 +601,7 @@ main() {
  var_log="/root/.ciss/cdi/log/9999-cdi-starter_$(date +"%Y-%m-%d_%H-%M-%S").log"
  touch "${var_log}"
-  printf "CISS.debian.live.builder V9.14.026.2026.06.17 calling CISS.debian.installer ... \n" >> "${var_log}"
+  printf "CISS.debian.live.builder V9.14.028.2026.06.18 calling CISS.debian.installer ... \n" >> "${var_log}"
  ### Sleep a moment to settle boot artifacts.
  sleep 8
@@ -696,7 +696,7 @@ main() {
  ### Timeout reached without acceptable semaphore.
  logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.live.builder V9.14.026.2026.06.17: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.live.builder V9.14.028.2026.06.18: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
  exit 0
 }
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V9.14.026.2026.06.17"
+declare -grx VAR_VERSION="Master V9.14.028.2026.06.18"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4