From db5e1836f8a523cae0a4c4f9e3c574cd3dcaef52bb6ce60fb37eb5847ea41b27 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Tue, 28 Oct 2025 18:07:46 +0100
Subject: [PATCH] V8.13.294.2025.10.28
Signed-off-by: Marc S. Weidner
---
 .../hooks/live/0002_verify_checksums.chroot | 59 ++++++++++++++-----
 lib/lib_lb_config_write_trixie.sh | 2 +-
 scripts/live-boot/0030-verify-checksums | 2 +-
 3 files changed, 46 insertions(+), 17 deletions(-)
diff --git a/config/hooks/live/0002_verify_checksums.chroot b/config/hooks/live/0002_verify_checksums.chroot
index 088359a..26c5d83 100644
--- a/config/hooks/live/0002_verify_checksums.chroot
+++ b/config/hooks/live/0002_verify_checksums.chroot
@@ -22,24 +22,25 @@ fi
 cat << 'EOF' >| "${src}"
 #!/bin/sh
+# bashsupport disable=BP5007
+
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.;
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: GPL-3.0-or-later
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Changed version of https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
-### In case of successful verification of the offered checksums, proceed with booting, else panic.
-
-### Inside 0002_verify_checksums.chroot ###
+### Modified Version of the original file:
+### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
+### In case of successful verification of one of the offered checksums, proceed with booting, else panic.
 #######################################
-# Live build ISO with the modified checksum verification script for continuing the boot process.
+# Modified checksum-verification script for continuing the boot process.
 # Globals:
 # LIVE_BOOT_CMDLINE
 # LIVE_VERIFY_CHECKSUMS
@@ -52,30 +53,40 @@ cat << 'EOF' >| "${src}"
 # _RETURN
 # _TTY
 # Arguments:
-# $1: ${_PARAMETER}
+# 1: ${_PARAMETER}
 # Returns:
 # 0 : Successful Verification
 #######################################
 Verify_checksums() {
 for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
+
 case "${_PARAMETER}" in
+
 live-boot.verify-checksums=* | verify-checksums=*)
+
 LIVE_VERIFY_CHECKSUMS="true"
 LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
 ;;
 live-boot.verify-checksums | verify-checksums)
+
 LIVE_VERIFY_CHECKSUMS="true"
 ;;
+
 esac
+
 done
 case "${LIVE_VERIFY_CHECKSUMS}" in
- true) ;;
+
+ true)
+ :
+ ;;
 *)
 return 0
 ;;
+
 esac
 _MOUNTPOINT="${1}"
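Review bot: The rewritten Arguments line `#   1: ${_PARAMETER}` documents the wrong thing: `_PARAMETER` is the loop variable over `LIVE_BOOT_CMDLINE`, while the function's positional argument `$1` is the mount point consumed by `_MOUNTPOINT="${1}"` at the end of the hunk. Suggest `#   1: mount point of the live medium (assigned to _MOUNTPOINT)` and, since the header already lists them as globals, a one-line note that `LIVE_VERIFY_CHECKSUMS` and `LIVE_VERIFY_CHECKSUMS_DIGESTS` are taken from the kernel command line by the loop above. Verify_checksums continues past the end of this hunk.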
@@ -88,42 +99,60 @@ Verify_checksums() {
 # shellcheck disable=SC2164
 cd "${_MOUNTPOINT}"
+ # shellcheck disable=SC2001
 for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
+ # shellcheck disable=SC2060
 _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
 for _CHECKSUM in ${_CHECKSUMS}; do
+
+ # shellcheck disable=SC2292
 if [ -e "${_CHECKSUM}" ]; then
- echo "Found ${_CHECKSUM}..." > "${_TTY}"
+
+ #echo "Found ${_CHECKSUM}..." > "${_TTY}"
+ log_begin_msg "Found ${_CHECKSUM}..."
 if [ -e "/bin/${_DIGEST}sum" ]; then
- echo "Checking ${_CHECKSUM}..." > "${_TTY}"
+
+ #echo "Checking ${_CHECKSUM}..." > "${_TTY}"
+ log_begin_msg "Checking ${_CHECKSUM}..."
 # Verify checksums
+ # shellcheck disable=SC2312
 grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
 _RETURN="${?}"
 # Stop after the first verification
 # break 2
+
 else
- echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
+
+ #echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
+ log_begin_msg "Not found /bin/${_DIGEST}sum...."
+
 fi
+
 fi
+
 done
+
 done
 log_end_msg
 case "${_RETURN}" in
+
 0)
- log_success_msg "Verification sha512 sha384 sha256 successful, continuing booting in 10 seconds."
- sleep 10
+ log_success_msg "Verification of ${_CHECKSUMS[*]} successful; continuing booting in 8 seconds."
+ sleep 8
 return 0
 ;;
 *)
- panic "Verification failed, $(basename ${_TTY}) for more information."
+ panic "Verification failed, $(basename "${_TTY}") for more information."
 ;;
+
 esac
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_lb_config_write_trixie.sh b/lib/lib_lb_config_write_trixie.sh
index ef7ddeb..015e909 100644
--- a/lib/lib_lb_config_write_trixie.sh
+++ b/lib/lib_lb_config_write_trixie.sh
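Review bot: The new `log_success_msg "Verification of ${_CHECKSUMS[*]} successful; ..."` uses bash array syntax, but the script is emitted under `#!/bin/sh` and `_CHECKSUMS` is a plain space-separated string, so in dash or busybox ash the expansion is a "Bad substitution" error that aborts the script on the success path before `return 0` is reached. Even written as `${_CHECKSUMS}` the message would name the candidate files of the last digest tried rather than the file that was verified; record it where the result is taken, `_RETURN="${?}"` followed by `_VERIFIED="${_CHECKSUM}"`, and print `${_VERIFIED}`. Suppressing SC2060 on `tr [a-z] [A-Z]` is also the wrong fix: the function has just done `cd "${_MOUNTPOINT}"` into the medium being checked, so a single-letter file name there makes the unquoted brackets glob and mangles the SUMS file name; `tr '[:lower:]' '[:upper:]'` removes the problem instead of the warning. With `break 2` still commented out, `_RETURN` reflects only the last `sum -c` that ran, so an earlier digest's failure is overridden by a later success — consistent with the header comment, but worth a one-line comment at `case "${_RETURN}" in` so the fallthrough is not mistaken for a bug. Verify_checksums begins before this hunk.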
@@ -36,7 +36,7 @@ lb_config_write_trixie() {
 --apt-secure true \
 --apt-source-archives true \
 --architecture "${VAR_ARCHITECTURE}" \
- --archive-areas "main contrib non-free non-free-firmware" \
+ --archive-areas main contrib non-free non-free-firmware \
 --backports true \
 --binary-filesystem fat32 \
 --binary-image iso-hybrid \
diff --git a/scripts/live-boot/0030-verify-checksums b/scripts/live-boot/0030-verify-checksums
index a47747d..2084518 100644
--- a/scripts/live-boot/0030-verify-checksums
+++ b/scripts/live-boot/0030-verify-checksums
@@ -17,7 +17,7 @@
 ### In case of successful verification of one of the offered checksums, proceed with booting, else panic.
 #######################################
-# Modified checksum verification script for continuing the boot process.
+# Modified checksum-verification script for continuing the boot process.
 # Globals:
 # LIVE_BOOT_CMDLINE
 # LIVE_VERIFY_CHECKSUMS
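Review bot: Dropping the quotes in `--archive-areas main contrib non-free non-free-firmware \` looks like a regression rather than a cleanup: as far as live-build's option syntax goes, `--archive-areas` binds a single argument, so only `main` is taken and `contrib non-free non-free-firmware` become stray positional words that `lb config` will either reject or silently ignore — in both cases those areas are no longer configured. The removed form `--archive-areas "main contrib non-free non-free-firmware" \` is the one expected for several areas, so this line should be restored unless a deliberate reduction to `main` was intended, in which case the extra words should go too. The `lb config` invocation and lb_config_write_trixie() start before this hunk.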