V8.13.400.2025.11.08

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-08 18:32:13 +01:00
parent fb0183925a
commit abf9e8662c
49 changed files with 224 additions and 136 deletions
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -21,7 +21,7 @@ usage() {
  clear
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.392.2025.11.07\e[0m")
+$(echo -e "\e[92mMaster V8.13.400.2025.11.08\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")

 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
--- a/.archive/generate_PRIVATE_trixie_0.yaml
+++ b/.archive/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 name: 🔐 Generating a Private Live ISO TRIXIE.

--- a/.archive/generate_PRIVATE_trixie_1.yaml
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 name: 🔐 Generating a Private Live ISO TRIXIE.

--- a/.archive/generate_PUBLIC_iso.yaml
+++ b/.archive/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 name: 💙 Generating a PUBLIC Live ISO.

--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.392.2025.11.07"
+      placeholder: "e.g., Master V8.13.400.2025.11.08"
    validations:
      required: true

--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 FROM debian:bookworm

--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 name: 🔁 Render README.md to README.html.

--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1024
-  version: V8.13.392.2025.11.07
+  version: V8.13.400.2025.11.08
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.392.2025.11.07
+  version: V8.13.400.2025.11.08
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 name: 🔐 Generating a Private Live ISO TRIXIE.

--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 name: 🔐 Generating a Private Live ISO TRIXIE.

--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 name: 💙 Generating a PUBLIC Live ISO.

--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 # Gitea Workflow: Shell-Script Linting
 #
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 name: 🔁 Render Graphviz Diagrams.

--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.392.2025.11.07"
+properties_version="V8.13.400.2025.11.08"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.392.2025.11.07
+PackageVersion: Master V8.13.400.2025.11.08
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.392.2025.11.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.400.2025.11.08-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.392.2025.11.07<br>
+**Build**: V8.13.400.2025.11.08<br>

 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -152,7 +152,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-

 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.

-Example: `V8.13.392.2025.11.07`
+Example: `V8.13.400.2025.11.08`

 `x.y.z` represents major (x), minor (y), and patch (z) version increments.

--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.392.2025.11.07<br>
+**Build**: V8.13.400.2025.11.08<br>

 # 2.1. Repository Structure

 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.392.2025.11.07** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.400.2025.11.08** (as of 2025-10-11)

 ## 2.2. Top-Level Layout

--- a/config/hooks/live/0000_basic_chroot_setup.chroot
+++ b/config/hooks/live/0000_basic_chroot_setup.chroot
@@ -198,6 +198,7 @@ EOF
 # shellcheck disable=SC2034
 readonly -f generate_ciss_xdg_tmp_sh

+### Ensuring XDG compliance: https://specifications.freedesktop.org/basedir/latest/ --------------------------------------------
 generate_ciss_xdg_profile
 generate_ciss_xdg_sh
 generate_ciss_xdg_tmp_sh
@@ -207,6 +208,8 @@ export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get update -qq
 apt-get install -y --no-install-suggests libpam-systemd

+
+### Installing microcode updates -----------------------------------------------------------------------------------------------
 if [[ -f /root/.architecture ]]; then

  apt-get install -y --no-install-suggests amd64-microcode intel-microcode
@@ -214,12 +217,7 @@ if [[ -f /root/.architecture ]]; then

 fi

-
-if [[ -f /root/.architecture ]]; then
-  :
-fi
-
-
+### Prepare environment --------------------------------------------------------------------------------------------------------
 mkdir -p /root/.ciss/cdlb/{backup,log,private_keys}
 chmod 0700 /root/.ciss/cdlb/{backup,log,private_keys}

@@ -229,7 +227,7 @@ chmod 0700 /root/git
 mkdir -p /etc/ciss/keys
 chmod 0755 /etc/ciss/keys

-### Mask apt show version unit and timer.
+### Mask apt show version unit and timer ---------------------------------------------------------------------------------------
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.service
 rm -f /etc/cron.daily/apt-show-versions || true
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -52,10 +52,9 @@ grep_nic_driver_modules() {

  return 0
 }
-
-[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
-apt-get install -y intel-microcode amd64-microcode
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f grep_nic_driver_modules

 # shellcheck disable=SC2155
 declare nic_driver="$(grep_nic_driver_modules)" VAR_DATE="$(date +%F)"
@@ -370,87 +369,101 @@ esac
 . /usr/share/initramfs-tools/hook-functions


-### Ensure directory structure in initramfs
-mkdir -p "${DESTDIR}/etc/ciss/keys"
-mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
-mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
-mkdir -p "${DESTDIR}/usr/bin"
-mkdir -p "${DESTDIR}/usr/local/bin"
-mkdir -p "${DESTDIR}/usr/sbin"
+### Ensure directory structure in initramfs ------------------------------------------------------------------------------------
+install -d -m 0755  "${DESTDIR}/etc/ciss/keys"
+install -d -m 0755  "${DESTDIR}/etc/initramfs-tools/conf.d"
+install -d -m 0755  "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
+install -d -m 0755  "${DESTDIR}/usr/bin"
+install -d -m 0755  "${DESTDIR}/usr/local/bin"
+install -d -m 0755  "${DESTDIR}/usr/sbin"


-### Include bash
+### Include 'bash' -------------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/bash /usr/bin/bash
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/bash /usr/bin/bash] \n\e[0m"


-### Include blkid
+### Include 'blkid' ------------------------------------------------------------------------------------------------------------
 copy_exec /usr/sbin/blkid /usr/sbin/blkid
 printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid] \n\e[0m"


-### Include busybox
+### Include 'busybox' ----------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/busybox /usr/busybox
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"


-### Include GNU coreutils 'sort' (has -V)
+### Include GNU coreutils 'sort' (has -V) --------------------------------------------------------------------------------------
 copy_exec /usr/bin/sort /usr/bin/sort
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m"


-### Include gpgv
+### Include 'gpgv' -------------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/gpgv /usr/bin/gpgv
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m"


-### Include lsblk
+### Include 'lsblk' ------------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/lsblk /usr/bin/lsblk
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin/lsblk] \n\e[0m"


-### Include mkpasswd
+### Include 'mkpasswd' ---------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/mkpasswd /usr/mkpasswd
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/mkpasswd] \n\e[0m"
 copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd] \n\e[0m"


-### Include udevadm (udev management tool)
+### Include 'udevadm' (udev management tool) -----------------------------------------------------------------------------------
 copy_exec /usr/bin/udevadm /usr/bin/udevadm
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/udevadm /usr/bin/udevadm] \n\e[0m"


-### Include sha384sum, sha512sum
+### Include 'sha384sum' 'sha512sum' --------------------------------------------------------------------------------------------
 copy_exec /usr/bin/sha384sum /usr/bin/sha384sum
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin/sha384sum ] \n\e[0m"
 copy_exec /usr/bin/sha512sum /usr/bin/sha512sum
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha512sum /usr/bin/sha512sum] \n\e[0m"


-### Include tree
+### Include 'tree' -------------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/tree /usr/bin/tree
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/tree /usr/bin/tree] \n\e[0m"


-### Include whois
+### Include 'whois' ------------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/whois /usr/bin/whois
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/whois /usr/bin/whois] \n\e[0m"


-### Link busybox applets for compatibility
+### Link busybox applets for compatibility -------------------------------------------------------------------------------------
 for dir in bin usr/bin; do
  ln -sf busybox "${DESTDIR}/${dir}/cat"
  ln -sf busybox "${DESTDIR}/${dir}/sleep"
 done


-### Install PGP Signing Keys
-install -m 0444 /etc/ciss/keys/0x8733B021_public.gpg "${DESTDIR}/etc/ciss/keys/0x8733B021_public.gpg"
-printf "\e[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0x8733B021_public.gpg %s/etc/ciss/keys/0x8733B021_public.gpg] \n\e[0m" "${DESTDIR}"
-install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg "${DESTDIR}/etc/ciss/keys/0xE62E84F8_public.gpg"
-printf "\e[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg %s/etc/ciss/keys/0xE62E84F8_public.gpg] \n\e[0m" "${DESTDIR}"
+### Install GPG signing keys ---------------------------------------------------------------------------------------------------
+src_dir="/etc/ciss/keys"
+dst_dir="${DESTDIR}/etc/ciss/keys"
+key=""

+if [ -d "${src_dir}" ]; then
+
+    install -d -m 0755 "${dst_dir}"
+
+    for key in "${src_dir}"/*.gpg; do
+
+        [ -e "${key}" ] || continue
+
+        install -m 0444 "${key}" "${dst_dir}/"
+
+        printf '\e[92mSuccessfully executed: [install -m 0444 %s %s]\n\e[0m' "${key}" "${dst_dir}"
+
+    done
+
+fi

 printf "\e[92mSuccessfully executed: [ciss_debian_live_builder] \n\e[0m"

@@ -459,10 +472,6 @@ EOF

 chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder

-# TODO: Move to 9999_zzzz.chroot
-### Regenerate the initramfs for the live system kernel.
-update-initramfs -u -k all -v
-
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
--- a/config/hooks/live/9999_zzzz.chroot
+++ b/config/hooks/live/9999_zzzz.chroot
@@ -15,10 +15,16 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "

 declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"

-### Regenerate the initramfs for the live system kernel.
+### Remove CDLB artifacts ------------------------------------------------------------------------------------------------------
+rm -f /root/ciss_xdg_tmp.sh
+
+### Securing '/etc/ciss/keys' --------------------------------------------------------------------------------------------------
+find /etc/ciss/keys -type f -exec chmod 0444 {} +
+
+### Regenerate the initramfs for the live system kernel ------------------------------------------------------------------------
 update-initramfs -u -k all -v

-### Determine the canonical systemd unit dir inside chroot.
+### Determine the canonical systemd unit dir inside chroot ---------------------------------------------------------------------
 if [[ -d /lib/systemd/system ]]; then

  var_unit_dir=/lib/systemd/system
@@ -76,8 +82,6 @@ for var_dm in "${ary_dm_units[@]}"; do

 done

-rm -f /root/ciss_xdg_tmp.sh
-
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -gr VERSION="Master V8.13.392.2025.11.07"
+declare -gr VERSION="Master V8.13.400.2025.11.08"

 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh

 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.392.2025.11.07 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.400.2025.11.08 at: 10:18:37.9542
--- a/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
+++ b/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
@@ -28,14 +28,24 @@
 #   0 : Successful verification
 #######################################
 Verify_checksums() {
+  printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-verify-checksums] ... \n\e[0m"
+
+  ### Declare variables --------------------------------------------------------------------------------------------------------
  _MOUNTPOINT="${1}"

+  _PARAMETER=""
+
  _TTY="/dev/tty8"

  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"

  LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"

+  _KEYFILE=""
+
+  _MP=""
+
+  ### Parse commandline arguments ----------------------------------------------------------------------------------------------
  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do

    case "${_PARAMETER}" in
@@ -60,6 +70,20 @@ Verify_checksums() {

  done

+  ### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
+  for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
+
+    if [ -e "${_MP}/0030-verify-checksums.gpg" ]; then
+
+      _KEYFILE="${_MP}/0030-verify-checksums.gpg"
+
+      break
+
+    fi
+
+  done
+
+  ### Check if the function should be skipped ----------------------------------------------------------------------------------
  case "${LIVE_VERIFY_CHECKSUMS}" in

    true)
@@ -78,48 +102,58 @@ Verify_checksums() {
  ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
  if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then

-    log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
+    log_begin_msg "Verifying integrity of: [0030-verify-checksums] "
    printf "\n"
+    printf "\e[95m[INFO] Verifying integrity of: [0030-verify-checksums] ... \n\e[0m"

-    CDLB_SCRIPT="0030-verify-checksums"
+    _CAND=""
+    CDLB_SCRIPT_SELF=""  CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE=""
+
+    for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do
+
+      [ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
+
+    done
+    [ -n "${CDLB_SCRIPT_SELF}" ] || { echo "cannot locate 0030-verify-checksums"; exit 1; }
+
+    CDLB_CMD="/usr/bin/sha512sum"
    CDLB_SHA="sha512"
-    CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE=""

-    CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_SHA}"
+    CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}"
+    CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}"
+    CDLB_SCRIPT_FULL="${CDLB_SCRIPT_PATH%/}/${CDLB_SCRIPT_FILE}"
+    CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
    CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
-    CDLB_CMD="/bin/sha512sum"

-    printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
+    printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}"

-    if ! /bin/gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
+    if ! /usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then

-      printf "[PANIC] Signature verification failed for: [0030-verify-checksums.sha512]\n"
+      printf "\e[91m[FATAL] Verifying signature of: [%s] failed. \n\e[0m" "${CDLB_SIG_FILE}"
      sleep 16
-      # TODO panic  "[PANIC] Signature verification failed for: [0030-verify-checksums.sha512]"
+      # TODO panic "[FATAL] Verifying signature of: [0030-verify-checksums.sha512sum.txt.sig] failed. "

    else

-      printf "Signature verification successful for: [0030-verify-checksums.sha512]\n"
+      printf "\e[92m[INFO] Verifying signature of: [%s] successful. \n\e[0m" "${CDLB_SIG_FILE}"

    fi

-    printf "Recomputing hash for: [sha512]\n"
+    printf "\e[95m[INFO] Recomputing hash for: [%s] ... \n\e[0m" "${CDLB_SHA}"

-    CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; })
+    CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT_FULL}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; })
    IFS=' ' read -r CDLB_EXPECTED _ < "${CDLB_HASHFILE}"

    if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then

-      printf "[PANIC] Recomputing hash for: [sha512] failed.\n"
+      printf "\e[91m[FATAL] Recomputing hash for: [%s] failed. \n\e[0m" "${CDLB_SHA}"
      sleep 16
-      # TODO panic  "[PANIC] Recomputing hash for: [sha512] failed."
+      # TODO panic "[FATAL] Recomputing hash for: [sha512] failed."

    fi

-    printf "Hash verification successful for: [sha512]\n"
-
-    printf "Verification of authenticity and integrity of '0030-verify-checksums' successfully completed. Proceeding."
-
+    printf "\e[92m[INFO] Recomputing hash for: [%s] successful. \n\e[0m" "${CDLB_SHA}"
+    printf "\e[92m[INFO] Verification of authenticity and integrity of [%s] successfully completed. \n\e[0m" "${CDLB_SHA}"
    log_end_msg
    printf "\n"

@@ -128,6 +162,7 @@ Verify_checksums() {
  ### Checksum and checksum signature verification -----------------------------------------------------------------------------
  log_begin_msg "Verifying checksums"
  printf "\n"
+  printf "\e[95m[INFO] Verifying checksums ... \n\e[0m"

  # shellcheck disable=SC2001
  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
@@ -139,24 +174,30 @@ Verify_checksums() {

      if [ -e "${_CHECKSUM}" ]; then

-        printf "Found [%s] ...\n" "${_CHECKSUM}"
+        printf "\e[95m[INFO] Found [%s] ... \n\e[0m" "${_CHECKSUM}"

-        if [ -e "/bin/${_DIGEST}sum" ]; then
+        if [ -e "/usr/bin/${_DIGEST}sum" ]; then
+
+          printf "\e[95m[INFO] Found [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum"

          if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then

-            printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
+            printf "\e[95m[INFO] Checking signature of [%s] ... \n\e[0m" "${_CHECKSUM}"
+
            _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
-            gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
+
+            /usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
            _RETURN_PGP="${?}"

+            printf "\e[92m[INFO] Checking signature of [%s] successful. \n\e[0m" "${_CHECKSUM}"
+
          else

            _RETURN_PGP="na"

          fi

-          printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
+          printf "\e[92m[INFO] Found [%s] done. \n\e[0m" "/usr/bin/${_DIGEST}sum"

          # shellcheck disable=SC2312
          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
@@ -167,7 +208,7 @@ Verify_checksums() {

        else

-          printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
+          printf "\e[93m[WARN] NOT Found [%s]. \n\e[0m" "/usr/bin/${_DIGEST}sum"

        fi

@@ -178,26 +219,44 @@ Verify_checksums() {
  done

  log_end_msg
+  printf "\n"

  case "${_RETURN_PGP},${_RETURN_SHA}" in

    "0,0")
-      log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
+      printf "\e[92m[INFO] Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m"
+      printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
      sleep 8
+      log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
      return 0
      ;;

    "na,0")
-      log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
+      printf "\e[92m[INFO] Verification of [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m"
+      printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
      sleep 8
+      log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
      return 0
      ;;

+    "0,"*)
+      printf "\e[91m[FATAL] Verification of [GPG signature] file successful, while verification of [sha checksum] file failed. \n\e[0m"
+      printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
+      sleep 8
+      panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
+      ;;
+
    *",0")
-      panic "Verification of signature file failed while verification of checksum file successful."
+      printf "\e[91m[FATAL] Verification of [GPG signature] file failed, while verification of [sha checksum] file successful. \n\e[0m"
+      printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
+      sleep 8
+      panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
      ;;

    "na,"*)
+      printf "\e[91m[FATAL] Verification of [sha checksum] file failed. \n\e[0m"
+      printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
+      sleep 8
      panic "Verification of checksum file failed."
      ;;

--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.392.2025.11.07<br>
+**Build**: V8.13.400.2025.11.08<br>

 # 2. DNSSEC Status

--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.392.2025.11.07<br>
+**Build**: V8.13.400.2025.11.08<br>

 # 2. Haveged Audit on Netcup RS 2000 G11

--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.392.2025.11.07<br>
+**Build**: V8.13.400.2025.11.08<br>

 # 2. Lynis Audit:

--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.392.2025.11.07<br>
+**Build**: V8.13.400.2025.11.08<br>

 # 2. SSH Audit by ssh-audit.com

--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.392.2025.11.07<br>
+**Build**: V8.13.400.2025.11.08<br>

 # 2. TLS Audit:
 ````text
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.392.2025.11.07<br>
+**Build**: V8.13.400.2025.11.08<br>

 # 2. Hardened Kernel Boot Parameters

--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,20 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.392.2025.11.07<br>
+**Build**: V8.13.400.2025.11.08<br>

 # 2. Changelog

+## V8.13.400.2025.11.08
+* **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) - GPG key handling
+* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) - Unified naming scheme
+* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) - Unified naming scheme
+* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) - Unified naming scheme, added verbosity output
+* **Changed**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) - added verbosity output
+* **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) - bugfixes
+* **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) - moved ``update-initramfs`` to:
+* **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot)
+
 ## V8.13.392.2025.11.07
 * **Global**: Changed ``guard_sourcing`` to ``guard_sourcing || return "${ERR_GUARD_SRCE}"``
 * **Added**: [lib_check_secrets.sh](../lib/lib_check_secrets.sh) + Final secrets wiper before starting ``lb build``.
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.392.2025.11.07<br>
+**Build**: V8.13.400.2025.11.08<br>

 # 2. Centurion Net - Developer Branch Overview

--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.392.2025.11.07<br>
+**Build**: V8.13.400.2025.11.08<br>

 # 2. Coding Style

--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.392.2025.11.07<br>
+**Build**: V8.13.400.2025.11.08<br>

 # 2. Contributing / participating

--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.392.2025.11.07<br>
+**Build**: V8.13.400.2025.11.08<br>

 # 2. Credits

--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.392.2025.11.07<br>
+**Build**: V8.13.400.2025.11.08<br>

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.392.2025.11.07<br>
+**Build**: V8.13.400.2025.11.08<br>

 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)

 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V8.13.392.2025.11.07
+Master V8.13.400.2025.11.08
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2025
@@ -145,7 +145,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/

-                        V8.13.392.2025.11.07                        2025-11-06                         CDLB(1)
+                        V8.13.400.2025.11.08                        2025-11-06                         CDLB(1)
 ````

 # 3. Booting
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.392.2025.11.07<br>
+**Build**: V8.13.400.2025.11.08<br>

 # 2. Resources

--- a/lib/lib_ciss_upgrades_boot.sh
+++ b/lib/lib_ciss_upgrades_boot.sh
@@ -37,8 +37,8 @@ ciss_upgrades_boot() {

  fi

-  declare var_sha="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512"
-  declare var_sig="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512.sig"
+  declare var_sha="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512sum.txt"
+  declare var_sig="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512sum.txt.sig"
  declare var_fil="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
  declare var_prefix="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"

--- a/lib/lib_gnupg.sh
+++ b/lib/lib_gnupg.sh
@@ -45,7 +45,7 @@ init_gnupg() {
    ### Avoid collision with Gitea runner workflows.
    if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then

-      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ VAR_CDLB_INSIDE_RUNNER: [%s] \e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}"
+      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔐 VAR_CDLB_INSIDE_RUNNER: [%s] \e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}"

      declare -grx GNUPGHOME="${VAR_WORKDIR}/cdlb_$$_gnupg"

@@ -59,14 +59,14 @@ EOF

      if ! gpgconf --launch gpg-agent 2>&1; then

-        printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ Failed to launch gpg-agent. \e[0m\n"
+        printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed to launch gpg-agent. \e[0m\n"
        return "${ERR_GPG__AGENT}"

      fi

    else

-      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ VAR_CDLB_INSIDE_RUNNER: [%s] leaving GNUPGHOME untouched.\e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}"
+      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔐 VAR_CDLB_INSIDE_RUNNER: [%s] leaving GNUPGHOME untouched.\e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}"

    fi

@@ -87,7 +87,7 @@ EOF

    if ! gpg --batch --yes --pinentry-mode=loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --import "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"; then

-      printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ Failed to import signing key. \e[0m\n"
+      printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed to import signing key. \e[0m\n"
      return "${ERR_GPG__AGENT}"

    fi
@@ -97,8 +97,8 @@ EOF
    ### Export public key for verification inside ISO / chroot.
    install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
    install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.binary"
-    gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}_public.gpg"
-    gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums_public.gpg"
+    gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}.gpg"
+    gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.gpg"

    umask "${__umask}"
    __umask=""
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -39,13 +39,13 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.392.2025.11.07                        2025-11-06                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.400.2025.11.08                        2025-11-06                         CDLB(1)" "${var_cols}")

  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.392.2025.11.07\e[0m"
+    echo -e "\e[92mMaster V8.13.400.2025.11.08\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
--- a/scripts/usr/lib/live/build/binary_checksums.sh
+++ b/scripts/usr/lib/live/build/binary_checksums.sh
@@ -26,6 +26,8 @@

 set -e

+printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/build/binary_checksums] ... \n\e[0m"
+
 ### Including common functions.
 if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then
  . "${LIVE_BUILD}/scripts/build.sh"
@@ -66,7 +68,7 @@ for CHECKSUM in ${LB_CHECKSUMS}; do

 	CHECKSUMS="${CHECKSUM}sum.txt"

-	Echo_message "Begin creating binary ${CHECKSUMS} ..."
+	Echo_message "Creating binary ${CHECKSUMS} ..."

  ### Remove old checksums.
  # shellcheck disable=SC2292
@@ -90,26 +92,26 @@ for CHECKSUM in ${LB_CHECKSUMS}; do
    \! -path './*gpg' \
    \! -path './*sig' \
 		-print0 | LC_ALL=C sort -z | xargs -0 "${CHECKSUM}sum" >| "${CHECKSUMS}"
-  Echo_message "Begin creating binary ${CHECKSUMS} done."
+  Echo_message "Creating binary ${CHECKSUMS} done."

-  Echo_message "Begin verifying binary ${CHECKSUMS} ..."
+  Echo_message "Verifying binary ${CHECKSUMS} ..."
  "${CHECKSUM}sum" -c --strict --quiet "${CHECKSUMS}"
-  Echo_message "Begin verifying binary ${CHECKSUMS} done."
+  Echo_message "Verifying binary ${CHECKSUMS} done."

  if [ "${VAR_SIGNER}" = "true" ]; then

-    Echo_message "Begin creating GPG binary signature ${CHECKSUMS} ..."
+    Echo_message "Creating GPG binary signature of ${CHECKSUMS} ..."
    gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
      --detach-sign --output "${CHECKSUMS}.sig" "${CHECKSUMS}"
-    Echo_message "Begin creating GPG binary signature ${CHECKSUMS} done."
+    Echo_message "Creating GPG binary signature of ${CHECKSUMS} done."

-    Echo_message "Begin verifying GPG binary signature ${CHECKSUMS} ..."
+    Echo_message "Verifying GPG binary signature of ${CHECKSUMS} ..."
    gpgv --keyring "${VAR_VERIFY_KEYRING}" "${CHECKSUMS}.sig" "${CHECKSUMS}"
-    Echo_message "Begin verifying GPG binary signature ${CHECKSUMS} done."
+    Echo_message "Verifying GPG binary signature of ${CHECKSUMS} done."

  fi

-  Echo_message "Begin creating '${CHECKSUM}sum.README' ..."
+  Echo_message "Creating '${CHECKSUM}sum.README' ..."
 	cat << EOF >| "${CHECKSUM}sum.README"
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -129,7 +131,7 @@ ${CHECKSUM}sum -c ${CHECKSUMS}

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
 EOF
-  Echo_message "Begin creating '${CHECKSUM}sum.README' done."
+  Echo_message "Creating '${CHECKSUM}sum.README' done."

 	cd "${OLDPWD}"

@@ -144,4 +146,6 @@ cd "${OLDPWD}"
 ### Creating a stage file.
 Create_stagefile

+printf "\e[92m[INFO] CDLB modified: [/usr/lib/live/build/binary_checksums] done. \n\e[0m"
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/scripts/usr/lib/live/build/binary_rootfs.sh
+++ b/scripts/usr/lib/live/build/binary_rootfs.sh
@@ -26,6 +26,8 @@

 set -e

+printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/build/binary_rootfs] ... \n\e[0m"
+
 # Including common functions.
 if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then
  . "${LIVE_BUILD}/scripts/build.sh"
@@ -460,4 +462,6 @@ fi
 # Creating a stage file
 Create_stagefile

+printf "\e[92m[INFO] CDLB modified: [/usr/lib/live/build/binary_rootfs] done. \n\e[0m"
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/scripts/usr/local/sbin/9999-cdi-starter
+++ b/scripts/usr/local/sbin/9999-cdi-starter
@@ -127,7 +127,7 @@ main() {
  # shellcheck disable=SC2312
  exec > >(tee -a "${var_log}") 2>&1

-  printf "CISS.debian.installer Master V8.13.392.2025.11.07 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.400.2025.11.08 is up! \n" >> "${var_log}"

  ### Sleep a moment to settle boot artifacts.
  sleep 8
@@ -182,7 +182,7 @@ main() {

  ### Timeout reached without acceptable semaphore.
  logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V8.13.392.2025.11.07: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.400.2025.11.08: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"

  exit 0
 }
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V8.13.392.2025.11.07"
+declare -grx VAR_VERSION="Master V8.13.400.2025.11.08"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4