diff --git a/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary b/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
index f3a9e80..f3ad157 100644
--- a/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
+++ b/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
@@ -84,26 +84,56 @@ create_attestation() { declare rootfs_hash="" declare rootfs_size="" - rootfs_size="$(stat -c%s -- "${rootfs_file}")" - rootfs_hash="$(sha512sum "${rootfs_file}")" + rootfs_hash="$(LC_ALL=C sha512sum "${rootfs_file}")" rootfs_hash="${rootfs_hash%% *}" + if printf '%s %s\n' "${rootfs_hash}" "${rootfs_file}" | LC_ALL=C sha512sum -c --strict --quiet; then + + printf "\e[92m✅ [LC_ALL=C sha512sum -c --strict --quiet of %s] successful. \e[0m\n" "${rootfs_file}" + + else + + printf "\e[91m❌ [LC_ALL=C sha512sum -c --strict --quiet of %s] NOT successful. \e[0m\n" "${rootfs_file}" + return 42 + + fi + # The attested boundary is the final SquashFS byte stream before LUKS wrapping. The boot verifier reads exactly this many # bytes from the decrypted mapper and intentionally excludes the LUKS allocation slack after the SquashFS payload. cat << EOF >| "${rootfs_attestation}" -# CISS rootfs attestation manifest v1 -# boundary: final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso -# rootfs-size-bytes: ${rootfs_size} +# CISS.debian.live.builder Master ${VAR_VERSION} +# Attestation file for filesystem.squashfs Version 1.0.0 +# Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso +# Bytes : Final filesystem.squashfs ${VAR_ROOTFS_SIZE} ${rootfs_hash} ciss-rootfs.squashfs EOF chmod 0444 "${rootfs_attestation}" - gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \ - --detach-sign --output "${rootfs_attestation}.sig" "${rootfs_attestation}" + if gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \ + --detach-sign --output "${rootfs_attestation}.sig" "${rootfs_attestation}"; then + + printf "\e[92m✅ [gpg of %s] successful. \e[0m\n" "${rootfs_attestation}" + + else + + printf "\e[91m❌ [gpg of %s] NOT successful. 
\e[0m\n" "${rootfs_attestation}" + return 42 + + fi + chmod 0444 "${rootfs_attestation}.sig" - gpgv --keyring "${VAR_VERIFY_KEYRING}" "${rootfs_attestation}.sig" "${rootfs_attestation}" + if gpgv --keyring "${VAR_VERIFY_KEYRING}" "${rootfs_attestation}.sig" "${rootfs_attestation}"; then + + printf "\e[92m✅ [gpgv of %s] successful. \e[0m\n" "${rootfs_attestation}.sig" + + else + + printf "\e[91m❌ [gpgv of %s] NOT successful. \e[0m\n" "${rootfs_attestation}.sig" + return 42 + + fi printf "\e[92m[INFO] Rootfs attestation manifest created and verified: [%s]. \e[0m\n" "${rootfs_attestation}" @@ -122,9 +152,6 @@ declare LUKS_KEY_FILE="${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}" declare KEYFD="" # shellcheck disable=SC2155 declare -i VAR_ROOTFS_SIZE="$(stat -c%s -- "${ROOTFS}")" -# shellcheck disable=SC2155 -declare VAR_ROOTFS_HASH="$(LC_ALL=C sha512sum "${ROOTFS}")" -declare VAR_ROOTFS_HASH="${VAR_ROOTFS_HASH%% *}" ### Attestation Boundary # - The attested boundary is the final SquashFS byte stream before LUKS wrapping. 
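Review bot: The size written into the signed manifest now comes from the global `VAR_ROOTFS_SIZE` rather than from the `rootfs_file` argument, and the local `rootfs_size` is left declared but never assigned. The comment above the heredoc says the boot verifier reads exactly that many bytes, so size and hash should come from the same file inside the function: keep `rootfs_size="$(stat -c%s -- "${rootfs_file}")"` and write `${rootfs_size}` in the `# Bytes :` line. The added `sha512sum -c` step compares the file with a digest computed one line earlier, so it no longer checks the manifest that is written and signed, as the removed top-level code did; the manifest also names `ciss-rootfs.squashfs`, which may not resolve if `sha512sum -c` is later run on it. If the boot verifier parses the old `rootfs-size-bytes:` key, the renamed comment line needs a matching change there. The body of create_attestation begins before this hunk.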
@@ -132,51 +159,7 @@ declare VAR_ROOTFS_HASH="${VAR_ROOTFS_HASH%% *}" # slack after the SquashFS payload. printf "\e[95m🧪 Attestation of filesystem.squashfs ... \e[0m\n" -cat << EOF >| "${ROOTFS_ATTESTATION}" -# CISS.debian.live.builder Master ${VAR_VERSION} -# Attestation file for filesystem.squashfs Version 1.0.0 -# Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso -# Bytes : Final filesystem.squashfs ${VAR_ROOTFS_SIZE} -${VAR_ROOTFS_HASH} filesystem.squashfs -EOF - -chmod 0444 "${ROOTFS_ATTESTATION}" - -if gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \ - --detach-sign --output "${ROOTFS_ATTESTATION}.sig" "${ROOTFS_ATTESTATION}"; then - - printf "\e[92m✅ [gpg of %s] successful. \e[0m\n" "${ROOTFS_ATTESTATION}" - -else - - printf "\e[91m❌ [gpg of %s] NOT successful. \e[0m\n" "${ROOTFS_ATTESTATION}" - return 42 - -fi - -chmod 0444 "${ROOTFS_ATTESTATION}.sig" - -if gpgv --keyring "${VAR_VERIFY_KEYRING}" "${ROOTFS_ATTESTATION}.sig" "${ROOTFS_ATTESTATION}"; then - - printf "\e[92m✅ [gpgv of %s] successful. \e[0m\n" "${ROOTFS_ATTESTATION}.sig" - -else - - printf "\e[91m❌ [gpgv of %s] NOT successful. \e[0m\n" "${ROOTFS_ATTESTATION}.sig" - return 42 - -fi - -if LC_ALL=C sha512sum -c --strict --quiet "${ROOTFS_ATTESTATION}"; then - - printf "\e[92m✅ [LC_ALL=C sha512sum -c --strict --quiet of %s] successful. \e[0m\n" "${ROOTFS_ATTESTATION}" - -else - - printf "\e[91m❌ [LC_ALL=C sha512sum -c --strict --quiet of %s] NOT successful. \e[0m\n" "${ROOTFS_ATTESTATION}" - return 42 - -fi +create_attestation "${ROOTFS}" "${ROOTFS_ATTESTATION}" printf "\e[92m✅ Attestation of filesystem.squashfs successful. \e[0m\n"
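Review bot: The status of `create_attestation` is not checked at the call site, so a failed hash check, signing step or `gpgv` step returns 42 from the function and the next line still prints that the attestation succeeded, unless errexit is active (not visible in this hunk). The removed inline code left the hook with `return 42` at this level; to keep that behaviour, use `create_attestation "${ROOTFS}" "${ROOTFS_ATTESTATION}" || return 42`.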