V8.13.400.2025.11.08

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-08 18:32:13 +01:00
parent fb0183925a
commit abf9e8662c
49 changed files with 224 additions and 136 deletions
--- a/config/hooks/live/0000_basic_chroot_setup.chroot
+++ b/config/hooks/live/0000_basic_chroot_setup.chroot
@@ -198,6 +198,7 @@ EOF
 # shellcheck disable=SC2034
 readonly -f generate_ciss_xdg_tmp_sh

+### Ensuring XDG compliance: https://specifications.freedesktop.org/basedir/latest/ --------------------------------------------
 generate_ciss_xdg_profile
 generate_ciss_xdg_sh
 generate_ciss_xdg_tmp_sh
@@ -207,6 +208,8 @@ export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get update -qq
 apt-get install -y --no-install-suggests libpam-systemd

+
+### Installing microcode updates -----------------------------------------------------------------------------------------------
 if [[ -f /root/.architecture ]]; then

  apt-get install -y --no-install-suggests amd64-microcode intel-microcode
@@ -214,12 +217,7 @@ if [[ -f /root/.architecture ]]; then

 fi

-
-if [[ -f /root/.architecture ]]; then
-  :
-fi
-
-
+### Prepare environment --------------------------------------------------------------------------------------------------------
 mkdir -p /root/.ciss/cdlb/{backup,log,private_keys}
 chmod 0700 /root/.ciss/cdlb/{backup,log,private_keys}

@@ -229,7 +227,7 @@ chmod 0700 /root/git
 mkdir -p /etc/ciss/keys
 chmod 0755 /etc/ciss/keys

-### Mask apt show version unit and timer.
+### Mask apt show version unit and timer ---------------------------------------------------------------------------------------
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.service
 rm -f /etc/cron.daily/apt-show-versions || true
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -52,10 +52,9 @@ grep_nic_driver_modules() {

  return 0
 }
-
-[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
-apt-get install -y intel-microcode amd64-microcode
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f grep_nic_driver_modules

 # shellcheck disable=SC2155
 declare nic_driver="$(grep_nic_driver_modules)" VAR_DATE="$(date +%F)"
@@ -370,87 +369,101 @@ esac
 . /usr/share/initramfs-tools/hook-functions


-### Ensure directory structure in initramfs
-mkdir -p "${DESTDIR}/etc/ciss/keys"
-mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
-mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
-mkdir -p "${DESTDIR}/usr/bin"
-mkdir -p "${DESTDIR}/usr/local/bin"
-mkdir -p "${DESTDIR}/usr/sbin"
+### Ensure directory structure in initramfs ------------------------------------------------------------------------------------
+install -d -m 0755  "${DESTDIR}/etc/ciss/keys"
+install -d -m 0755  "${DESTDIR}/etc/initramfs-tools/conf.d"
+install -d -m 0755  "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
+install -d -m 0755  "${DESTDIR}/usr/bin"
+install -d -m 0755  "${DESTDIR}/usr/local/bin"
+install -d -m 0755  "${DESTDIR}/usr/sbin"


-### Include bash
+### Include 'bash' -------------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/bash /usr/bin/bash
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/bash /usr/bin/bash] \n\e[0m"


-### Include blkid
+### Include 'blkid' ------------------------------------------------------------------------------------------------------------
 copy_exec /usr/sbin/blkid /usr/sbin/blkid
 printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid] \n\e[0m"


-### Include busybox
+### Include 'busybox' ----------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/busybox /usr/busybox
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"


-### Include GNU coreutils 'sort' (has -V)
+### Include GNU coreutils 'sort' (has -V) --------------------------------------------------------------------------------------
 copy_exec /usr/bin/sort /usr/bin/sort
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m"


-### Include gpgv
+### Include 'gpgv' -------------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/gpgv /usr/bin/gpgv
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m"


-### Include lsblk
+### Include 'lsblk' ------------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/lsblk /usr/bin/lsblk
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin/lsblk] \n\e[0m"


-### Include mkpasswd
+### Include 'mkpasswd' ---------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/mkpasswd /usr/mkpasswd
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/mkpasswd] \n\e[0m"
 copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd] \n\e[0m"


-### Include udevadm (udev management tool)
+### Include 'udevadm' (udev management tool) -----------------------------------------------------------------------------------
 copy_exec /usr/bin/udevadm /usr/bin/udevadm
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/udevadm /usr/bin/udevadm] \n\e[0m"


-### Include sha384sum, sha512sum
+### Include 'sha384sum' 'sha512sum' --------------------------------------------------------------------------------------------
 copy_exec /usr/bin/sha384sum /usr/bin/sha384sum
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin/sha384sum ] \n\e[0m"
 copy_exec /usr/bin/sha512sum /usr/bin/sha512sum
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha512sum /usr/bin/sha512sum] \n\e[0m"


-### Include tree
+### Include 'tree' -------------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/tree /usr/bin/tree
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/tree /usr/bin/tree] \n\e[0m"


-### Include whois
+### Include 'whois' ------------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/whois /usr/bin/whois
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/whois /usr/bin/whois] \n\e[0m"


-### Link busybox applets for compatibility
+### Link busybox applets for compatibility -------------------------------------------------------------------------------------
 for dir in bin usr/bin; do
  ln -sf busybox "${DESTDIR}/${dir}/cat"
  ln -sf busybox "${DESTDIR}/${dir}/sleep"
 done


-### Install PGP Signing Keys
-install -m 0444 /etc/ciss/keys/0x8733B021_public.gpg "${DESTDIR}/etc/ciss/keys/0x8733B021_public.gpg"
-printf "\e[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0x8733B021_public.gpg %s/etc/ciss/keys/0x8733B021_public.gpg] \n\e[0m" "${DESTDIR}"
-install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg "${DESTDIR}/etc/ciss/keys/0xE62E84F8_public.gpg"
-printf "\e[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg %s/etc/ciss/keys/0xE62E84F8_public.gpg] \n\e[0m" "${DESTDIR}"
+### Install GPG signing keys ---------------------------------------------------------------------------------------------------
+src_dir="/etc/ciss/keys"
+dst_dir="${DESTDIR}/etc/ciss/keys"
+key=""

+if [ -d "${src_dir}" ]; then
+
+    install -d -m 0755 "${dst_dir}"
+
+    for key in "${src_dir}"/*.gpg; do
+
+        [ -e "${key}" ] || continue
+
+        install -m 0444 "${key}" "${dst_dir}/"
+
+        printf '\e[92mSuccessfully executed: [install -m 0444 %s %s]\n\e[0m' "${key}" "${dst_dir}"
+
+    done
+
+fi

 printf "\e[92mSuccessfully executed: [ciss_debian_live_builder] \n\e[0m"

@@ -459,10 +472,6 @@ EOF

 chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder

-# TODO: Move to 9999_zzzz.chroot
-### Regenerate the initramfs for the live system kernel.
-update-initramfs -u -k all -v
-
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
--- a/config/hooks/live/9999_zzzz.chroot
+++ b/config/hooks/live/9999_zzzz.chroot
@@ -15,10 +15,16 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "

 declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"

-### Regenerate the initramfs for the live system kernel.
+### Remove CDLB artifacts ------------------------------------------------------------------------------------------------------
+rm -f /root/ciss_xdg_tmp.sh
+
+### Securing '/etc/ciss/keys' --------------------------------------------------------------------------------------------------
+find /etc/ciss/keys -type f -exec chmod 0444 {} +
+
+### Regenerate the initramfs for the live system kernel ------------------------------------------------------------------------
 update-initramfs -u -k all -v

-### Determine the canonical systemd unit dir inside chroot.
+### Determine the canonical systemd unit dir inside chroot ---------------------------------------------------------------------
 if [[ -d /lib/systemd/system ]]; then

  var_unit_dir=/lib/systemd/system
@@ -76,8 +82,6 @@ for var_dm in "${ary_dm_units[@]}"; do

 done

-rm -f /root/ciss_xdg_tmp.sh
-
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.392.2025.11.07
+# Version Master V8.13.400.2025.11.08

 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -gr VERSION="Master V8.13.392.2025.11.07"
+declare -gr VERSION="Master V8.13.400.2025.11.08"

 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh

 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.392.2025.11.07 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.400.2025.11.08 at: 10:18:37.9542
--- a/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
+++ b/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
@@ -28,14 +28,24 @@
 #   0 : Successful verification
 #######################################
 Verify_checksums() {
+  printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-verify-checksums] ... \n\e[0m"
+
+  ### Declare variables --------------------------------------------------------------------------------------------------------
  _MOUNTPOINT="${1}"

+  _PARAMETER=""
+
  _TTY="/dev/tty8"

  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"

  LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"

+  _KEYFILE=""
+
+  _MP=""
+
+  ### Parse commandline arguments ----------------------------------------------------------------------------------------------
  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do

    case "${_PARAMETER}" in
@@ -60,6 +70,20 @@ Verify_checksums() {

  done

+  ### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
+  for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
+
+    if [ -e "${_MP}/0030-verify-checksums.gpg" ]; then
+
+      _KEYFILE="${_MP}/0030-verify-checksums.gpg"
+
+      break
+
+    fi
+
+  done
+
+  ### Check if the function should be skipped ----------------------------------------------------------------------------------
  case "${LIVE_VERIFY_CHECKSUMS}" in

    true)
@@ -78,48 +102,58 @@ Verify_checksums() {
  ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
  if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then

-    log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
+    log_begin_msg "Verifying integrity of: [0030-verify-checksums] "
    printf "\n"
+    printf "\e[95m[INFO] Verifying integrity of: [0030-verify-checksums] ... \n\e[0m"

-    CDLB_SCRIPT="0030-verify-checksums"
+    _CAND=""
+    CDLB_SCRIPT_SELF=""  CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE=""
+
+    for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do
+
+      [ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
+
+    done
+    [ -n "${CDLB_SCRIPT_SELF}" ] || { echo "cannot locate 0030-verify-checksums"; exit 1; }
+
+    CDLB_CMD="/usr/bin/sha512sum"
    CDLB_SHA="sha512"
-    CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE=""

-    CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_SHA}"
+    CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}"
+    CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}"
+    CDLB_SCRIPT_FULL="${CDLB_SCRIPT_PATH%/}/${CDLB_SCRIPT_FILE}"
+    CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
    CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
-    CDLB_CMD="/bin/sha512sum"

-    printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
+    printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}"

-    if ! /bin/gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
+    if ! /usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then

-      printf "[PANIC] Signature verification failed for: [0030-verify-checksums.sha512]\n"
+      printf "\e[91m[FATAL] Verifying signature of: [%s] failed. \n\e[0m" "${CDLB_SIG_FILE}"
      sleep 16
-      # TODO panic  "[PANIC] Signature verification failed for: [0030-verify-checksums.sha512]"
+      # TODO panic "[FATAL] Verifying signature of: [0030-verify-checksums.sha512sum.txt.sig] failed. "

    else

-      printf "Signature verification successful for: [0030-verify-checksums.sha512]\n"
+      printf "\e[92m[INFO] Verifying signature of: [%s] successful. \n\e[0m" "${CDLB_SIG_FILE}"

    fi

-    printf "Recomputing hash for: [sha512]\n"
+    printf "\e[95m[INFO] Recomputing hash for: [%s] ... \n\e[0m" "${CDLB_SHA}"

-    CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; })
+    CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT_FULL}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; })
    IFS=' ' read -r CDLB_EXPECTED _ < "${CDLB_HASHFILE}"

    if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then

-      printf "[PANIC] Recomputing hash for: [sha512] failed.\n"
+      printf "\e[91m[FATAL] Recomputing hash for: [%s] failed. \n\e[0m" "${CDLB_SHA}"
      sleep 16
-      # TODO panic  "[PANIC] Recomputing hash for: [sha512] failed."
+      # TODO panic "[FATAL] Recomputing hash for: [sha512] failed."

    fi

-    printf "Hash verification successful for: [sha512]\n"
-
-    printf "Verification of authenticity and integrity of '0030-verify-checksums' successfully completed. Proceeding."
-
+    printf "\e[92m[INFO] Recomputing hash for: [%s] successful. \n\e[0m" "${CDLB_SHA}"
+    printf "\e[92m[INFO] Verification of authenticity and integrity of [%s] successfully completed. \n\e[0m" "${CDLB_SHA}"
    log_end_msg
    printf "\n"

@@ -128,6 +162,7 @@ Verify_checksums() {
  ### Checksum and checksum signature verification -----------------------------------------------------------------------------
  log_begin_msg "Verifying checksums"
  printf "\n"
+  printf "\e[95m[INFO] Verifying checksums ... \n\e[0m"

  # shellcheck disable=SC2001
  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
@@ -139,24 +174,30 @@ Verify_checksums() {

      if [ -e "${_CHECKSUM}" ]; then

-        printf "Found [%s] ...\n" "${_CHECKSUM}"
+        printf "\e[95m[INFO] Found [%s] ... \n\e[0m" "${_CHECKSUM}"

-        if [ -e "/bin/${_DIGEST}sum" ]; then
+        if [ -e "/usr/bin/${_DIGEST}sum" ]; then
+
+          printf "\e[95m[INFO] Found [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum"

          if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then

-            printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
+            printf "\e[95m[INFO] Checking signature of [%s] ... \n\e[0m" "${_CHECKSUM}"
+
            _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
-            gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
+
+            /usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
            _RETURN_PGP="${?}"

+            printf "\e[92m[INFO] Checking signature of [%s] successful. \n\e[0m" "${_CHECKSUM}"
+
          else

            _RETURN_PGP="na"

          fi

-          printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
+          printf "\e[92m[INFO] Found [%s] done. \n\e[0m" "/usr/bin/${_DIGEST}sum"

          # shellcheck disable=SC2312
          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
@@ -167,7 +208,7 @@ Verify_checksums() {

        else

-          printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
+          printf "\e[93m[WARN] NOT Found [%s]. \n\e[0m" "/usr/bin/${_DIGEST}sum"

        fi

@@ -178,26 +219,44 @@ Verify_checksums() {
  done

  log_end_msg
+  printf "\n"

  case "${_RETURN_PGP},${_RETURN_SHA}" in

    "0,0")
-      log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
+      printf "\e[92m[INFO] Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m"
+      printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
      sleep 8
+      log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
      return 0
      ;;

    "na,0")
-      log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
+      printf "\e[92m[INFO] Verification of [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m"
+      printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
      sleep 8
+      log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
      return 0
      ;;

+    "0,"*)
+      printf "\e[91m[FATAL] Verification of [GPG signature] file successful, while verification of [sha checksum] file failed. \n\e[0m"
+      printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
+      sleep 8
+      panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
+      ;;
+
    *",0")
-      panic "Verification of signature file failed while verification of checksum file successful."
+      printf "\e[91m[FATAL] Verification of [GPG signature] file failed, while verification of [sha checksum] file successful. \n\e[0m"
+      printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
+      sleep 8
+      panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
      ;;

    "na,"*)
+      printf "\e[91m[FATAL] Verification of [sha checksum] file failed. \n\e[0m"
+      printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
+      sleep 8
      panic "Verification of checksum file failed."
      ;;