From e37270365192c99dfcafae3f46d9bce30ef2b15018a3b93e02b4167867128db0 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Mon, 10 Nov 2025 20:11:42 +0100
Subject: [PATCH] V8.13.404.2025.11.10

Signed-off-by: Marc S. Weidner
---
 .../initramfs-tools/files/unlock_wrapper.sh | 4 ++--
 .../files/unlock_wrapper.sh.sha512 | 1 -
 .../files/unlock_wrapper.sh.sha512.sig | Bin 119 -> 0 bytes
 .../files/unlock_wrapper_pubring.gpg | Bin 432 -> 0 bytes
 .../hooks/9999_ciss_debian_live_builder.sh | 17 ++++-------------
 .../usr/lib/live/boot/0030-verify-checksums | 1 +
 lib/lib_gnupg.sh | 1 +
 lib/lib_primordial.sh | 14 +++++++++++++-
 .../usr/lib/live/boot/0030-verify-checksums | 1 +
 9 files changed, 22 insertions(+), 17 deletions(-)
 delete mode 100644 config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512
 delete mode 100644 config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig
 delete mode 100644 config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_pubring.gpg

diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
index 743b6f9..7c8d925 100644
--- a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
+++ b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
@@ -376,13 +376,13 @@ verify_script() {
  for item in "${algo[@]}"; do
- hashfile="${dir}/${script}.${item}"
+ hashfile="${dir}/${script}.${item}sum.txt"
  sigfile="${hashfile}.sig"
  cmd="${item}sum"
  color_echo "${MAG}" "๐Ÿ” Verifying signature of: [${hashfile}]"
- if ! gpgv --keyring /etc/keys/unlock_wrapper_pubring.gpg "${sigfile}" "${hashfile}"; then
+ if ! gpgv --keyring /etc/ciss/keys/unlock_wrapper_pubring.gpg "${sigfile}" "${hashfile}"; then
  color_echo "${RED}" "โœ˜ Signature verification failed for: [${hashfile}]"
  color_echo "${RED}" "โœ˜ System Power Off in 3 seconds."
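Review bot: The new gpgv line hardcodes `/etc/ciss/keys/unlock_wrapper_pubring.gpg`, and nothing in this hunk shows that path being carried into the initramfs where unlock_wrapper.sh runs; if the keyring is missing at early boot, gpgv fails and the power-off branch below fires on every boot, so the hook that copies `/etc/ciss/keys/` into the initramfs image should be confirmed. The digest-file rename to `${script}.${item}sum.txt` matches the `.sha512sum.txt` artifact that init_primordial in lib/lib_primordial.sh now generates, but the two spellings live in different files with no cross-reference, so a comment above the gpgv call would help keep them in sync, e.g. `# keyring is exported at build time by hooks/9999_ciss_debian_live_builder.sh; the digest file and its .sig come from init_primordial (lib/lib_primordial.sh)`. gpgv here only proves the digest file was signed; the comparison of `${cmd}` output against `${hashfile}` that makes the check meaningful is not in this hunk, and verify_script continues past its end, so I could not review that part.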
diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512 b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512 deleted file mode 100644 index 704aaa3..0000000 --- a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512 +++ /dev/null @@ -1 +0,0 @@ -2d90783e0ffba3c6972b3a0d5335cca4a37c03b417f43b62b082a83734d4e4148390ac22509e68d63aaca11baf4fb081747f83347eab08176fb647e5445372f6 diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig deleted file mode 100644 index 2cf5fb8cb0e3cbff711eedb37b3d8da4854552b3afc954006abafd647c2c3fcb..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 119 zcmeAuWnmEGV2~A4WNH7Su%J29>;Dd8M(Gx&nG>JswftaZ%6K%DpMi^004AdPkCCBS zCanI_!&wKE?#%O!k6#tB<&}_Tws%zi_CWiKTl5(W8UFA~%IXI7`7-6*ezr2PFvCS> Um9WkPa}mu~Tx&{2ezYM3BO|-R`kNCE%(FONwP=k>wD7CN%?!?GCtaPe^gVYg z2SZK%i9=gdd=rb36@v8?!c#L-@=}WwY;uds9g_2lQj1fQi&9JUQc}z8I%cv6i*YbG ziYcc5P)y>My$-&OVq{PG~%EigS z&BP+c#LUPf$Ic|)z`(^R0MivVmyuyt;Jk+NgL~J?ow-*Z8r8kRG`RZt+V$nyoM*h2 z*()^fVfbG>e}eV{JL%F7uQ(jHlq&E&<`L=B`etMKUGVzaZ>5tsc36OYEyM-(_4H6i zR*<*<{;){tDN*M6uzJ5^-&yXng*kf_Cp?Vh$@H4SZ}t48CNm=kdq*9M1kh7z1U$t9 z@f5Pl)B70yDOA+P3EFKgb-dHIW| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}.gpg" + gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/unlock_wrapper_pubring.gpg" gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.gpg" umask "${__umask}" diff --git a/lib/lib_primordial.sh b/lib/lib_primordial.sh index d8dfaa4..098987a 100644 --- a/lib/lib_primordial.sh +++ b/lib/lib_primordial.sh 
@@ -30,10 +30,13 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 init_primordial() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
- declare var_dropbear_version="2025.88"
+ declare var_dropbear_version="2025.88"
+ declare var_unlock_wrapper="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/file/unlock_wrapper.sh"
+ install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/file"
  install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/build"
  install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear"
+
  install -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2" \
  "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
  install -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/localoptions.h" \
@@ -41,6 +44,15 @@ init_primordial() {
  install -m 0444 "${VAR_WORKDIR}/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
  "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.file"
+ # shellcheck disable=SC2312
+ sha512sum "${VAR_WORKDIR}/config/includes.chroot/etc/initramfs-tools/file/unlock_wrapper.sh" | awk '{print $1}' \
+ >| "${var_unlock_wrapper}.sha512sum.txt"
+
+ gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
+ --detach-sign --output "${var_unlock_wrapper}.sha512sum.txt.sig" "${var_unlock_wrapper}.sha512sum.txt"
+
+ gpgv --keyring "${VAR_VERIFY_KEYRING}" "${var_unlock_wrapper}.sha512sum.txt.sig" "${var_unlock_wrapper}.sha512sum.txt"
+
  ### Check for SOPS AGE key integration ---------------------------------------------------------------------------------------
  if [[ "${VAR_AGE,,}" == "true" ]]; then
diff --git a/scripts/usr/lib/live/boot/0030-verify-checksums b/scripts/usr/lib/live/boot/0030-verify-checksums
index 3dd7b9a..2714a56 100644
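Review bot: `var_unlock_wrapper` and the new `install -d` use `etc/initramfs-tools/file/` (singular), while the diffstat and the unlock_wrapper.sh diff in this same commit place the wrapper under `etc/initramfs-tools/files/`; the second hunk of this file hashes `${VAR_WORKDIR}/config/includes.chroot/etc/initramfs-tools/file/unlock_wrapper.sh` with the same spelling. If the source tree really uses `files/`, sha512sum reads a path that does not exist and the generated digest and signature land in a directory the running wrapper never looks at. Correcting the three occurrences, or deriving all of them from one variable, looks like the fix, e.g. `declare var_unlock_wrapper="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh"`. init_primordial continues outside this hunk.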
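Review bot: The `# shellcheck disable=SC2312` on the sha512sum line silences a real problem rather than a false positive: the pipeline's status is awk's, so if sha512sum fails (missing or unreadable file) the `>|` still creates `${var_unlock_wrapper}.sha512sum.txt` empty, and the gpg and gpgv lines that follow then sign and successfully verify an empty digest, yielding a signed artifact that binds nothing. Capture the digest before writing it and fail on error, e.g. `declare digest; digest="$(sha512sum -- "${VAR_WORKDIR}/config/includes.chroot/etc/initramfs-tools/file/unlock_wrapper.sh")" || return 1` followed by `printf '%s\n' "${digest%% *}" >| "${var_unlock_wrapper}.sha512sum.txt"` (or enable `set -o pipefail` for this function). Separately, `awk '{print $1}'` strips the filename column, so the file is a bare hex string that `sha512sum -c` would reject; whether verify_script's `${cmd}` in unlock_wrapper.sh compares directly or uses `-c` is outside this diff, so the format choice deserves a comment here, e.g. `# bare hex digest, no filename column: the consumer must compare it to its own sha512sum output, not feed it to sha512sum -c`. The function continues outside the hunk.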
--- a/scripts/usr/lib/live/boot/0030-verify-checksums
+++ b/scripts/usr/lib/live/boot/0030-verify-checksums
@@ -1,5 +1,6 @@
 #!/bin/sh
 # bashsupport disable=BP5007
+# shellcheck disable=SC2249
 # shellcheck shell=sh
 # SPDX-Version: 3.0