V8.13.404.2025.11.10
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -376,13 +376,13 @@ verify_script() {
|
|||||||
|
|
||||||
for item in "${algo[@]}"; do
|
for item in "${algo[@]}"; do
|
||||||
|
|
||||||
hashfile="${dir}/${script}.${item}"
|
hashfile="${dir}/${script}.${item}sum.txt"
|
||||||
sigfile="${hashfile}.sig"
|
sigfile="${hashfile}.sig"
|
||||||
cmd="${item}sum"
|
cmd="${item}sum"
|
||||||
|
|
||||||
color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
|
color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
|
||||||
|
|
||||||
if ! gpgv --keyring /etc/keys/unlock_wrapper_pubring.gpg "${sigfile}" "${hashfile}"; then
|
if ! gpgv --keyring /etc/ciss/keys/unlock_wrapper_pubring.gpg "${sigfile}" "${hashfile}"; then
|
||||||
|
|
||||||
color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
|
color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
|
||||||
color_echo "${RED}" "✘ System Power Off in 3 seconds."
|
color_echo "${RED}" "✘ System Power Off in 3 seconds."
|
||||||
|
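Review bot: The keyring path in the `gpgv --keyring /etc/ciss/keys/unlock_wrapper_pubring.gpg` call is a hard-coded literal that has to agree with wherever the build and install scripts place the file, and this commit is itself an instance of the two drifting (`/etc/keys` became `/etc/ciss/keys`). Hoisting it into one named constant near the top of the file, `readonly unlock_keyring="/etc/ciss/keys/unlock_wrapper_pubring.gpg"`, and calling `gpgv --keyring "${unlock_keyring}" "${sigfile}" "${hashfile}"` leaves a single place to update. gpgv expects that file to be a binary keyring, which matches the unarmored `gpg --export` in the build hunk on this page; a one-line comment stating that would stop a later change from armoring it. verify_script's header and the remainder of its body lie outside this hunk, so whether the digest inside `${hashfile}` is subsequently compared against the script itself cannot be checked here.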
|||||||
@@ -1 +0,0 @@
|
|||||||
2d90783e0ffba3c6972b3a0d5335cca4a37c03b417f43b62b082a83734d4e4148390ac22509e68d63aaca11baf4fb081747f83347eab08176fb647e5445372f6
|
|
||||||
@@ -31,8 +31,6 @@ esac
|
|||||||
install -d -m 0755 "${DESTDIR}/etc/ciss/keys"
|
install -d -m 0755 "${DESTDIR}/etc/ciss/keys"
|
||||||
install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/conf.d"
|
install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/conf.d"
|
||||||
install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
|
install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
|
||||||
# TODO: Refactor with online signing
|
|
||||||
install -d -m 0755 "${DESTDIR}/etc/keys"
|
|
||||||
install -d -m 0755 "${DESTDIR}/usr/bin"
|
install -d -m 0755 "${DESTDIR}/usr/bin"
|
||||||
install -d -m 0755 "${DESTDIR}/usr/local/bin"
|
install -d -m 0755 "${DESTDIR}/usr/local/bin"
|
||||||
install -d -m 0755 "${DESTDIR}/usr/sbin"
|
install -d -m 0755 "${DESTDIR}/usr/sbin"
|
||||||
@@ -129,22 +127,15 @@ fi
|
|||||||
install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
|
install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
|
||||||
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}"
|
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}"
|
||||||
|
|
||||||
# TODO: Update the scripts to be usable for upcoming Live ISO encryption
|
|
||||||
# TODO: Integrate online signing
|
|
||||||
### Install Dropbear 'cryptroot-unlock'-Wrapper --------------------------------------------------------------------------------
|
### Install Dropbear 'cryptroot-unlock'-Wrapper --------------------------------------------------------------------------------
|
||||||
install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh "${DESTDIR}/usr/local/bin/unlock_wrapper.sh"
|
install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh "${DESTDIR}/usr/local/bin/unlock_wrapper.sh"
|
||||||
printf "\e[92mSuccessfully executed: [install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh %s/usr/local/bin/unlock_wrapper.sh] \n\e[0m" "${DESTDIR}"
|
printf "\e[92mSuccessfully executed: [install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh %s/usr/local/bin/unlock_wrapper.sh] \n\e[0m" "${DESTDIR}"
|
||||||
|
|
||||||
install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512"
|
install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512sum.txt "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512sum.txt"
|
||||||
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 %s/usr/local/bin/unlock_wrapper.sh.sha512] \n\e[0m" "${DESTDIR}"
|
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512sum.txt %s/usr/local/bin/unlock_wrapper.sh.sha512sum.txt] \n\e[0m" "${DESTDIR}"
|
||||||
|
|
||||||
install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512.sig"
|
install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512sum.txt.sig "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512sum.txt.sig"
|
||||||
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig %s/usr/local/bin/unlock_wrapper.sh.sha512.sig] \n\e[0m" "${DESTDIR}"
|
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512sum.txt.sig %s/usr/local/bin/unlock_wrapper.sh.sha512sum.txt.sig] \n\e[0m" "${DESTDIR}"
|
||||||
|
|
||||||
# TODO: Refactor with online signing
|
|
||||||
### Install Dropbear GPG Signing Keys ------------------------------------------------------------------------------------------
|
|
||||||
install -m 0444 /etc/initramfs-tools/files/unlock_wrapper_pubring.gpg "${DESTDIR}/etc/keys/unlock_wrapper_pubring.gpg"
|
|
||||||
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper_pubring.gpg %s/etc/keys/unlock_wrapper_pubring.gpg] \n\e[0m" "${DESTDIR}"
|
|
||||||
|
|
||||||
### Install Dropbear Banner ----------------------------------------------------------------------------------------------------
|
### Install Dropbear Banner ----------------------------------------------------------------------------------------------------
|
||||||
install -m 0444 /etc/banner "${DESTDIR}/etc/dropbear/banner"
|
install -m 0444 /etc/banner "${DESTDIR}/etc/dropbear/banner"
|
||||||
|
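Review bot: With the two lines that installed `unlock_wrapper_pubring.gpg` into `${DESTDIR}/etc/keys` removed, nothing left in this file installs a keyring into the `${DESTDIR}/etc/ciss/keys` directory it still creates, so a host provisioned by this script alone has no keyring at the path the updated verify_script passes to gpgv. If the keyring is meant to arrive through the live-build export instead, a comment on the `install -d … /etc/ciss/keys` line saying so, and naming the script that writes it, would make that dependency visible. This script also sources the digest and signature from `/etc/initramfs-tools/files/…` while the build hunk on this page stages them under `…/etc/initramfs-tools/file/` — presumably different trees, but the singular/plural is worth confirming. Each `install` is followed by a `printf` that repeats the arguments by hand; a small helper that runs `install "$@"` and prints its own arguments on success would remove that duplication and the chance of the message and the command disagreeing, as the hash-file rename here required editing both.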
|||||||
@@ -1,5 +1,6 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
# bashsupport disable=BP5007
|
# bashsupport disable=BP5007
|
||||||
|
# shellcheck disable=SC2249
|
||||||
# shellcheck shell=sh
|
# shellcheck shell=sh
|
||||||
|
|
||||||
# SPDX-Version: 3.0
|
# SPDX-Version: 3.0
|
||||||
|
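Review bot: The new `# shellcheck disable=SC2249` sits in the file header, so it is a file-wide directive that silences the missing-default-`*)` warning for every `case` statement in the file, including ones added later; the same line is added in the other `#!/bin/sh` header hunk at the end of this page. Prefer adding an explicit `*) ;;` arm, or an error arm, to each `case` statement that triggered it, or place the directive on the line immediately before the one statement whose fall-through is intended together with a short reason. No `case` statement is visible in this hunk, so which ones are being waived cannot be checked here.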
|||||||
@@ -98,6 +98,7 @@ EOF
|
|||||||
install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
|
install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
|
||||||
install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.binary"
|
install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.binary"
|
||||||
gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}.gpg"
|
gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}.gpg"
|
||||||
|
gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/unlock_wrapper_pubring.gpg"
|
||||||
gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.gpg"
|
gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.gpg"
|
||||||
|
|
||||||
umask "${__umask}"
|
umask "${__umask}"
|
||||||
|
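Review bot: The added line produces `unlock_wrapper_pubring.gpg` by running `gpg --export` a second time with the same fingerprint as the line directly above it; exporting once and copying, `cp -- "…/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}.gpg" "…/etc/ciss/keys/unlock_wrapper_pubring.gpg"`, guarantees the two files are byte-identical. None of the three exports checks its result: if the fingerprint is not present in the local keyring, gpg may report "nothing exported" and the `>|` redirection still leaves an empty file that gpgv will reject at boot. A guard after the export such as `[[ -s "${keyring_path}" ]] || { printf 'empty keyring export: %s\n' "${keyring_path}" >&2; return 1; }` fails the build instead. The enclosing block of this hunk starts outside it, so whether `set -e` or `pipefail` is active here is not visible.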
|||||||
@@ -30,10 +30,13 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
|
|||||||
init_primordial() {
|
init_primordial() {
|
||||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
|
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
|
||||||
|
|
||||||
declare var_dropbear_version="2025.88"
|
declare var_dropbear_version="2025.88"
|
||||||
|
declare var_unlock_wrapper="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/file/unlock_wrapper.sh"
|
||||||
|
|
||||||
|
install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/file"
|
||||||
install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/build"
|
install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/build"
|
||||||
install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear"
|
install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear"
|
||||||
|
|
||||||
install -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2" \
|
install -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2" \
|
||||||
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
|
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
|
||||||
install -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/localoptions.h" \
|
install -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/localoptions.h" \
|
||||||
@@ -41,6 +44,15 @@ init_primordial() {
|
|||||||
install -m 0444 "${VAR_WORKDIR}/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
|
install -m 0444 "${VAR_WORKDIR}/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
|
||||||
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.file"
|
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.file"
|
||||||
|
|
||||||
|
# shellcheck disable=SC2312
|
||||||
|
sha512sum "${VAR_WORKDIR}/config/includes.chroot/etc/initramfs-tools/file/unlock_wrapper.sh" | awk '{print $1}' \
|
||||||
|
>| "${var_unlock_wrapper}.sha512sum.txt"
|
||||||
|
|
||||||
|
gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
|
||||||
|
--detach-sign --output "${var_unlock_wrapper}.sha512sum.txt.sig" "${var_unlock_wrapper}.sha512sum.txt"
|
||||||
|
|
||||||
|
gpgv --keyring "${VAR_VERIFY_KEYRING}" "${var_unlock_wrapper}.sha512sum.txt.sig" "${var_unlock_wrapper}.sha512sum.txt"
|
||||||
|
|
||||||
### Check for SOPS AGE key integration ---------------------------------------------------------------------------------------
|
### Check for SOPS AGE key integration ---------------------------------------------------------------------------------------
|
||||||
if [[ "${VAR_AGE,,}" == "true" ]]; then
|
if [[ "${VAR_AGE,,}" == "true" ]]; then
|
||||||
|
|
||||||
|
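Review bot: The `# shellcheck disable=SC2312` comment waives the warning on `sha512sum … | awk '{print $1}'`, but the risk it flags is real here: unless `pipefail` is set (not visible in this hunk), the pipeline's status is awk's, so if `sha512sum` fails an empty `.sha512sum.txt` is written, the following gpg call signs it, and the gpgv check accepts it — a valid signature over nothing. Capture the digest first and stop on error: `digest=$(sha512sum -- "${VAR_WORKDIR}/config/includes.chroot/etc/initramfs-tools/file/unlock_wrapper.sh") || return 1`, then `printf '%s\n' "${digest%% *}" >| "${var_unlock_wrapper}.sha512sum.txt"`, and add `[[ -s "${var_unlock_wrapper}.sha512sum.txt" ]] || return 1` before signing. Stripping the filename with awk also means the signed content does not say which file it covers; if the runtime check in verify_script compares bare digests, keeping sha512sum's `digest  name` line and verifying with `sha512sum -c` would bind the digest to the script. The hash is computed from the `${VAR_WORKDIR}` copy but written beside `${var_unlock_wrapper}` under `${VAR_HANDLER_BUILD_DIR}`, and the build-time gpgv uses `${VAR_VERIFY_KEYRING}` while the initramfs check uses the fixed `/etc/ciss/keys/unlock_wrapper_pubring.gpg` — presumably the same key and the same script content, but a comment confirming both would help. init_primordial continues past the end of this hunk.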
|||||||
@@ -1,5 +1,6 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
# bashsupport disable=BP5007
|
# bashsupport disable=BP5007
|
||||||
|
# shellcheck disable=SC2249
|
||||||
# shellcheck shell=sh
|
# shellcheck shell=sh
|
||||||
|
|
||||||
# SPDX-Version: 3.0
|
# SPDX-Version: 3.0
|
||||||
|
|||||||