diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
index 743b6f9..7c8d925 100644
--- a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
+++ b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
@@ -376,13 +376,13 @@ verify_script() {
 for item in "${algo[@]}"; do
- hashfile="${dir}/${script}.${item}"
+ hashfile="${dir}/${script}.${item}sum.txt"
 sigfile="${hashfile}.sig"
 cmd="${item}sum"
 color_echo "${MAG}" "๐Ÿ” Verifying signature of: [${hashfile}]"
- if ! gpgv --keyring /etc/keys/unlock_wrapper_pubring.gpg "${sigfile}" "${hashfile}"; then
+ if ! gpgv --keyring /etc/ciss/keys/unlock_wrapper_pubring.gpg "${sigfile}" "${hashfile}"; then
 color_echo "${RED}" "โœ˜ Signature verification failed for: [${hashfile}]"
 color_echo "${RED}" "โœ˜ System Power Off in 3 seconds."
diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512 b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512
deleted file mode 100644
index 704aaa3..0000000
--- a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512
+++ /dev/null
@@ -1 +0,0 @@
-2d90783e0ffba3c6972b3a0d5335cca4a37c03b417f43b62b082a83734d4e4148390ac22509e68d63aaca11baf4fb081747f83347eab08176fb647e5445372f6
diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig
deleted file mode 100644
index 2cf5fb8..0000000
Binary files a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig and /dev/null differ
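Review bot: The renamed `hashfile` (`${script}.${item}sum.txt`) is produced, per lib_primordial.sh in this same commit, by `sha512sum … | awk '{print $1}'`, so it holds the bare digest with no filename column; if `${cmd}` is later run as `${cmd} -c "${hashfile}"` it will reject the file as containing no properly formatted checksum lines, and the comparison has to read the digest and compare it against `${cmd} "${dir}/${script}"` by hand. How `cmd` is consumed is outside this hunk, as is the rest of verify_script, so confirm that before merging. The keyring path is now a second hardcoded copy of a path that lib_gnupg.sh and the hook also spell out; consider hoisting it to a constant near the top of the script, e.g. `readonly unlock_keyring="/etc/ciss/keys/unlock_wrapper_pubring.gpg"`, so the wrapper and the builder cannot drift apart again.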
diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_pubring.gpg b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_pubring.gpg
deleted file mode 100644
index c190cd1..0000000
Binary files a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_pubring.gpg and /dev/null differ
diff --git a/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
index 4e692b5..fe43450 100644
--- a/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
+++ b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
@@ -31,8 +31,6 @@ esac
 install -d -m 0755 "${DESTDIR}/etc/ciss/keys"
 install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/conf.d"
 install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
-# TODO: Refactor with online signing
-install -d -m 0755 "${DESTDIR}/etc/keys"
 install -d -m 0755 "${DESTDIR}/usr/bin"
 install -d -m 0755 "${DESTDIR}/usr/local/bin"
 install -d -m 0755 "${DESTDIR}/usr/sbin"
@@ -129,22 +127,15 @@ fi
 install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}"
-# TODO: Update the scripts to be usable for upcoming Live ISO encryption
-# TODO: Integrate online signing
 ### Install Dropbear 'cryptroot-unlock'-Wrapper --------------------------------------------------------------------------------
 install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh "${DESTDIR}/usr/local/bin/unlock_wrapper.sh"
 printf "\e[92mSuccessfully executed: [install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh %s/usr/local/bin/unlock_wrapper.sh] \n\e[0m" "${DESTDIR}"
-install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512"
-printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 %s/usr/local/bin/unlock_wrapper.sh.sha512] \n\e[0m" "${DESTDIR}"
+install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512sum.txt "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512sum.txt"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512sum.txt %s/usr/local/bin/unlock_wrapper.sh.sha512sum.txt] \n\e[0m" "${DESTDIR}"
-install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512.sig"
-printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig %s/usr/local/bin/unlock_wrapper.sh.sha512.sig] \n\e[0m" "${DESTDIR}"
-
-# TODO: Refactor with online signing
-### Install Dropbear GPG Signing Keys ------------------------------------------------------------------------------------------
-install -m 0444 /etc/initramfs-tools/files/unlock_wrapper_pubring.gpg "${DESTDIR}/etc/keys/unlock_wrapper_pubring.gpg"
-printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper_pubring.gpg %s/etc/keys/unlock_wrapper_pubring.gpg] \n\e[0m" "${DESTDIR}"
+install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512sum.txt.sig "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512sum.txt.sig"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512sum.txt.sig %s/usr/local/bin/unlock_wrapper.sh.sha512sum.txt.sig] \n\e[0m" "${DESTDIR}"
 ### Install Dropbear Banner ----------------------------------------------------------------------------------------------------
 install -m 0444 /etc/banner "${DESTDIR}/etc/dropbear/banner"
diff --git a/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums b/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
index 3dd7b9a..2714a56 100644
--- a/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
+++ b/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
@@ -1,5 +1,6 @@
 #!/bin/sh
 # bashsupport disable=BP5007
+# shellcheck disable=SC2249
 # shellcheck shell=sh
 # SPDX-Version: 3.0
diff --git a/lib/lib_gnupg.sh b/lib/lib_gnupg.sh
index 03e2ebf..7002688 100644
--- a/lib/lib_gnupg.sh
+++ b/lib/lib_gnupg.sh
@@ -98,6 +98,7 @@ EOF
 install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
 install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.binary"
 gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}.gpg"
+ gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/unlock_wrapper_pubring.gpg"
 gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.gpg"
 umask "${__umask}"
diff --git a/lib/lib_primordial.sh b/lib/lib_primordial.sh
index d8dfaa4..098987a 100644
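Review bot: The public keyring is no longer copied into the initramfs at all: the removed `install -m 0444 … unlock_wrapper_pubring.gpg "${DESTDIR}/etc/keys/…"` line has no replacement on the new side, yet unlock_wrapper.sh in this same commit runs `gpgv --keyring /etc/ciss/keys/unlock_wrapper_pubring.gpg` from inside that initramfs. lib_gnupg.sh only writes the key into the rootfs tree (`includes.chroot/etc/ciss/keys`), and the earlier hunk creates `${DESTDIR}/etc/ciss/keys` but leaves it empty, so unless the hook copies the file somewhere outside these hunks every signature check fails and the wrapper powers the machine off. Add `install -m 0444 /etc/ciss/keys/unlock_wrapper_pubring.gpg "${DESTDIR}/etc/ciss/keys/unlock_wrapper_pubring.gpg"` next to the `.sig` install, with the matching success printf the rest of the hook uses.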
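Review bot: The added line is the third consecutive `gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}"` call differing only in its output path, which is how the three copies of the key will silently diverge the next time one of them is edited. Export once into the first target and fan it out with `install -m 0444 -- "${first_target}" "${other_target}"` for the other two, so a key rotation is a single-line change. Whether `>|` leaves these files with the mode the rest of the tree expects depends on the `umask` restored two lines below, which is set outside this hunk; `install -m` makes that explicit.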
--- a/lib/lib_primordial.sh
+++ b/lib/lib_primordial.sh
@@ -30,10 +30,13 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 init_primordial() {
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
- declare var_dropbear_version="2025.88"
+ declare var_dropbear_version="2025.88"
+ declare var_unlock_wrapper="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/file/unlock_wrapper.sh"
+ install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/file"
 install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/build"
 install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear"
+
 install -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2" \
 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
 install -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/localoptions.h" \
@@ -41,6 +44,15 @@ init_primordial() {
 install -m 0444 "${VAR_WORKDIR}/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.file"
+ # shellcheck disable=SC2312
+ sha512sum "${VAR_WORKDIR}/config/includes.chroot/etc/initramfs-tools/file/unlock_wrapper.sh" | awk '{print $1}' \
+ >| "${var_unlock_wrapper}.sha512sum.txt"
+
+ gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
+ --detach-sign --output "${var_unlock_wrapper}.sha512sum.txt.sig" "${var_unlock_wrapper}.sha512sum.txt"
+
+ gpgv --keyring "${VAR_VERIFY_KEYRING}" "${var_unlock_wrapper}.sha512sum.txt.sig" "${var_unlock_wrapper}.sha512sum.txt"
+
 ### Check for SOPS AGE key integration ---------------------------------------------------------------------------------------
 if [[ "${VAR_AGE,,}" == "true" ]]; then
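Review bot: `var_unlock_wrapper` and the `install -d` right after it use the directory `initramfs-tools/file/` (singular), while every other path in this commit lives under `initramfs-tools/files/` (plural): the hook installs `/etc/initramfs-tools/files/unlock_wrapper.sh` and `files/unlock_wrapper.sh.sha512sum.txt`, and the wrapper itself is tracked at `config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh`. The hash and signature therefore land in a directory the hook never reads, and the `sha512sum` in the next hunk (`@@ -41,6 +44,15`) reads `${VAR_WORKDIR}/…/initramfs-tools/file/unlock_wrapper.sh`, a path this diff gives no sign of existing. Change both declarations to `…/initramfs-tools/files` so the artifacts are written beside the script the hook actually copies. init_primordial opens in this hunk and continues past the end of the next one.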
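Review bot: The `sha512sum … | awk '{print $1}'` pipeline only reports a missing or unreadable input if `pipefail` is in effect, and the `# shellcheck disable=SC2312` above it suppresses exactly that warning; otherwise a bad path still writes an empty `.sha512sum.txt`, which `gpg --detach-sign` then signs and `gpgv` accepts, so the build emits a valid signature over nothing. Guard the input before hashing, `[[ -r "${src}" ]] || return 1`, or drop the awk and write `sha512sum -- "${src}" >| "${out}" || return 1`, keeping the standard `digest  filename` line so the initramfs side can use `sha512sum -c` instead of a hand-rolled comparison. The trailing `gpgv` self-check is a good addition; it just needs a non-empty input to be meaningful.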
diff --git a/scripts/usr/lib/live/boot/0030-verify-checksums b/scripts/usr/lib/live/boot/0030-verify-checksums
index 3dd7b9a..2714a56 100644
--- a/scripts/usr/lib/live/boot/0030-verify-checksums
+++ b/scripts/usr/lib/live/boot/0030-verify-checksums
@@ -1,5 +1,6 @@
 #!/bin/sh
 # bashsupport disable=BP5007
+# shellcheck disable=SC2249
 # shellcheck shell=sh
 # SPDX-Version: 3.0