From d1e6e462b642d204e50ca5e84da75ee27e50d86184625793dae576824e4dbf6a Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Wed, 19 Nov 2025 16:36:29 +0000
Subject: [PATCH] V8.13.440.2025.11.19
Signed-off-by: Marc S. Weidner
---
 .../usr/lib/live/boot/0024-ciss-crypt-squash | 2 +-
 .../usr/lib/live/boot/0042-ciss-post-decrypt-attest | 6 +++---
 lib/lib_run_analysis.sh | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
index 248d768..5962909 100644
--- a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
+++ b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
@@ -40,7 +40,7 @@ log() {
 ### Declare variables. ---------------------------------------------------------------------------------------------------------
 export CDLB_ISO_LABEL="CISS.debian.live"
 export CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
-export CDLB_MAPPER_NAME="ciss_rootfs.crypt"
+export CDLB_MAPPER_NAME="crypt_liveiso"
 MNT_MEDIUM="/run/live/medium"
 MNT_ROOTFS="/run/live/rootfs"
 _PARAMETER=""
diff --git a/config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest b/config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest
index 3ff2c2d..9663f43 100644
--- a/config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest
+++ b/config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest
@@ -28,7 +28,7 @@ export CDLB_EXP_FPR="@EXP_FPR@" export CDLB_EXP_CA_FPR="@EXP_CA_FPR@" ### Name of the top-level dm-crypt mapping (e.g., cryptsetup --label): zzzz_ciss_crypt_squash.hook.binary ---------------------- -CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-ciss_rootfs.crypt}" +CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}" ### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------ CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt}" @@ -87,12 +87,12 @@ HASH_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SHA}" SIGN_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SIG}" KEYFILE="${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg" -[ -n "${KEYFILE}" ] || { log_er "No public key found under: [${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"; exit 42; } +[ -s "${KEYFILE}" ] || { log_er "No public key found under: [${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"; exit 42; } [ -s "${HASH_FILE}" ] || { log_er "Attestation data missing: [${HASH_FILE}]"; exit 42; } [ -s "${SIGN_FILE}" ] || { log_er "Attestation signature missing: [${SIGN_FILE}]"; exit 42; } log_in "Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR." -_STATUS="$(${GPGV} --no-default-keyring --keyring "${KEYFILE}" --status-fd 1 --verify "${SIGN_FILE}" "${HASH_FILE}" 2>/dev/null)" +_STATUS="$(gpgv --no-default-keyring --keyring "${KEYFILE}" --status-fd 1 --verify "${SIGN_FILE}" "${HASH_FILE}" 2>/dev/null)" _CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')" ### Compare against pinned and expected fingerprint. --------------------------------------------------------------------------- diff --git a/lib/lib_run_analysis.sh b/lib/lib_run_analysis.sh index eaf8385..5c9788c 100644 --- a/lib/lib_run_analysis.sh +++ b/lib/lib_run_analysis.sh 
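Review bot: In the second hunk of 0042-ciss-post-decrypt-attest (`@@ -87,12 +87,12 @@`), the `_STATUS="$(gpgv … 2>/dev/null)"` line still discards gpgv's exit status and stderr, so now that the call relies on a bare PATH lookup instead of `${GPGV}`, a missing `gpgv` in the boot environment is indistinguishable from a bad signature. I would add `command -v gpgv >/dev/null 2>&1 || { log_er "gpgv not found in PATH"; exit 42; }` before the call and keep the result with `_RC=$?` directly after the assignment, so the decision does not rest on the `VALIDSIG` parse alone. Separately, `print $3` yields the fingerprint of the key that made the signature; if the attestation is ever signed with a subkey this is presumably not the pinned primary fingerprint, which is the last `VALIDSIG` field. The comparison against `CDLB_EXP_FPR` is outside this hunk, so please confirm which fingerprint it expects.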
@@ -110,7 +110,7 @@ run_analysis() {
 printf "\e[97m📦 Packages : %s \e[0m\n" "${package_count}"
 printf "\e[97m🕐 Build Time : %s \e[0m\n" "${build_duration}"
 printf "\e[97m🧠 CPUs for SquashFS : %s \e[0m\n" "${squash_cpu_used}"
- printf "\e[97m✍️ SHA256SUM : %s \e[0m\n" "${sha_sum}"
+ printf "\e[97m🔐 SHA256SUM : %s \e[0m\n" "${sha_sum}"
 printf "\e[92m----------------------------------------------------------------------------------------\e[0m\n"
 printf "\e[97m📅 Analysis Time : %s \e[0m\n" "${time}"
 printf "\e[92m✅ Analysis completed.\e[0m\n"