diff --git a/.archive/0010_dhcp_supersede.sh b/.archive/0010_dhcp_supersede.sh
index 5cd0c4f..214a0bb 100644
--- a/.archive/0010_dhcp_supersede.sh
+++ b/.archive/0010_dhcp_supersede.sh
@@ -107,7 +107,7 @@ options edns0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' successfully applied. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/.archive/generate_PRIVATE_trixie_0.yaml b/.archive/generate_PRIVATE_trixie_0.yaml
index 2d29921..a62defc 100644
--- a/.archive/generate_PRIVATE_trixie_0.yaml
+++ b/.archive/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml
index bec406e..1f8b576 100644
--- a/.archive/generate_PRIVATE_trixie_1.yaml
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.archive/generate_PUBLIC_iso.yaml b/.archive/generate_PUBLIC_iso.yaml
index d795d8f..015f4ae 100644
--- a/.archive/generate_PUBLIC_iso.yaml
+++ b/.archive/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06
name: 💙 Generating a PUBLIC Live ISO.
diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
index 74fb50e..be862a5 100644
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
attributes:
label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
- placeholder: "e.g., Master V9.14.008.2026.06.04"
+ placeholder: "e.g., Master V9.14.016.2026.06.06"
validations:
required: true
diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile
index 268946b..9119f08 100644
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06
FROM debian:bookworm
diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml
index fa5dbfb..f079943 100644
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06
name: 🔁 Render README.md to README.html.
diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
index 1d01549..9e0d583 100644
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V9.14.008.2026.06.04
+ version: V9.14.016.2026.06.06
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml
index 8a6c0e5..61bd308 100644
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V9.14.008.2026.06.04
+ version: V9.14.016.2026.06.06
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml
index 8a6c0e5..61bd308 100644
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V9.14.008.2026.06.04
+ version: V9.14.016.2026.06.06
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
index 4877a98..355f380 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index a8c1532..cacf3f5 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml
index 2bff21e..3b65c1b 100644
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06
name: 💙 Generating a PUBLIC Live ISO.
diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml
index fd469e3..9da7aca 100644
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06
# Gitea Workflow: Shell-Script Linting
#
diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml
index 22f262a..1d2e423 100644
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml
index cebd19c..83eae0e 100644
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06
name: 🔁 Render Graphviz Diagrams.
diff --git a/.version.properties b/.version.properties
index a8bb1a2..8b8a3cc 100644
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.008.2026.06.04"
+properties_version="V9.14.016.2026.06.06"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx
index 74fc15b..ce28d63 100644
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder
-PackageVersion: Master V9.14.008.2026.06.04
+PackageVersion: Master V9.14.016.2026.06.06
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
diff --git a/README.md b/README.md
index 31c40fa..dfcffab 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
-[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[](https://eupl.eu/1.2/en/)
[](https://opensource.org/license/eupl-1-2)
@@ -27,7 +27,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
**CISS.debian.live.builder — First of its own.**
**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -175,7 +175,7 @@ installer toolchain.
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V9.14.008.2026.06.04`
+Example: `V9.14.016.2026.06.06`
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
diff --git a/REPOSITORY.md b/REPOSITORY.md
index e0dac96..39f37e7 100644
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,13 +8,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder
**Branch:** `master`
-**Repository State:** Master Version **9.14**, Build **V9.14.008.2026.06.04** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.016.2026.06.06** (as of 2025-10-11)
## 3.1. Top-Level Layout
diff --git a/ciss.secureboot/private/README.md b/ciss.secureboot/private/README.md
index bf05503..d004fb7 100644
--- a/ciss.secureboot/private/README.md
+++ b/ciss.secureboot/private/README.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. CISS Secure Boot Private Material
diff --git a/ciss.secureboot/public/README.md b/ciss.secureboot/public/README.md
index 02255a3..278bfe2 100644
--- a/ciss.secureboot/public/README.md
+++ b/ciss.secureboot/public/README.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. CISS Secure Boot Public Material
diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh
index 0f2ec73..7cd0e3d 100644
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -115,7 +115,7 @@ for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh ;
for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
### ALL CHECKS DONE. READY TO START THE SCRIPT.
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare -grx VAR_SETUP="true"
### SECURING SECRETS ARTIFACTS.
@@ -216,6 +216,7 @@ if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
+
### Following the CISS Bash naming and ordering scheme:
trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
diff --git a/config/hooks/live/zzzz_ciss_uki_build.hook.binary b/config/hooks/live/zzzz_ciss_uki_build.hook.binary
index f3f63bd..58e376f 100644
--- a/config/hooks/live/zzzz_ciss_uki_build.hook.binary
+++ b/config/hooks/live/zzzz_ciss_uki_build.hook.binary
@@ -9,34 +9,41 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
+# shellcheck disable=SC2312
set -Ceuo pipefail
+# Final live-build binary hook for the CISS UKI build. When the ciss-uki Secure Boot profile is active, this hook selects the
+# complete kernel/initrd pair, reads the live kernel command line, optionally embeds separate early microcode, creates unsigned
+# and signed Unified Kernel Images with ukify, verifies the signed UKI with 'sbverify', writes a manifest, and refuses private
+# Secure Boot key material in build artifact paths.
+
#######################################
-# Prints failure message.
+# Prints a fatal error message and terminates the hook.
# Globals:
# None
# Arguments:
-# 1: Message to print
+# 1: Error message
# Returns:
-# 42: on failure
+# 42: always exits with failure
#######################################
die() {
- declare message="$1"
- printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ %s \e[0m\n" "${message}" >&2
+ declare message="${1}"
+ printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
exit 42
}
#######################################
-# Checking command to execute for existence.
+# Checks whether a required command exists.
# Globals:
# None
# Arguments:
-# 1: Command
+# 1: Command name
# Returns:
# 0: on success
+# 42: if the command is missing
#######################################
require_command() {
- declare command_name="$1"
+ declare command_name="${1}"
command -v "${command_name}" >/dev/null 2>&1 || die "Required command not found: '${command_name}'."
@@ -44,18 +51,19 @@ require_command() {
}
#######################################
-# Checking file for existence.
+# Checks whether a required file exists.
# Globals:
# None
# Arguments:
-# 1: /PATH/TO/FILE
-# 2: Description
+# 1: File path
+# 2: Human-readable file description
# Returns:
# 0: on success
+# 42: if the file is missing
#######################################
require_file() {
- declare file_path="$1"
- declare description="$2"
+ declare file_path="${1}"
+ declare description="${2}"
[[ -f "${file_path}" ]] || die "Missing ${description}: '${file_path}'."
@@ -63,18 +71,19 @@ require_file() {
}
#######################################
-# Checking file for existence.
+# Reads the single LB_BOOTAPPEND_LIVE value from a live-build binary configuration file.
# Globals:
# None
# Arguments:
-# 1: /PATH/TO/FILE
-# 2: Description
+# 1: live-build binary configuration file
+# 2: Output variable name for the kernel command line
# Returns:
# 0: on success
+# 42: if the file is missing, the entry is ambiguous, or the value is empty
#######################################
read_bootappend_live() {
- declare config_file="$1"
- declare output_var="$2"
+ declare config_file="${1}"
+ declare output_var="${2}"
declare -a matches=()
declare value=""
@@ -99,10 +108,22 @@ read_bootappend_live() {
return 0
}
+#######################################
+# Collects kernel and initrd candidates from one artifact directory.
+# Globals:
+# None
+# Arguments:
+# 1: Artifact directory
+# 2: Output variable name for the selected kernel path
+# 3: Output variable name for the selected initrd path
+# Returns:
+# 0: on success, including when the directory does not exist
+# 42: if more than one kernel or initrd candidate exists
+#######################################
collect_artifacts_from_dir() {
- declare artifact_dir="$1"
- declare kernel_output_var="$2"
- declare initrd_output_var="$3"
+ declare artifact_dir="${1}"
+ declare kernel_output_var="${2}"
+ declare initrd_output_var="${3}"
declare -a kernels=()
declare -a initrds=()
@@ -129,6 +150,17 @@ collect_artifacts_from_dir() {
return 0
}
+#######################################
+# Selects the kernel/initrd pair used to build the UKI.
+# Globals:
+# None
+# Arguments:
+# 1: Output variable name for the selected kernel path
+# 2: Output variable name for the selected initrd path
+# Returns:
+# 0: on success
+# 42: if no complete pair exists, the final pair is incomplete, or candidates are ambiguous
+#######################################
select_kernel_initrd_pair() {
declare kernel_output_var="$1"
declare initrd_output_var="$2"
@@ -140,7 +172,7 @@ select_kernel_initrd_pair() {
collect_artifacts_from_dir "binary/live" binary_kernel binary_initrd
if [[ -n "${binary_kernel}" && -n "${binary_initrd}" ]]; then
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Using final binary/live kernel and initrd artifacts. \e[0m\n"
+ printf "\e[92m✅ Using final binary/live kernel and initrd artifacts. \e[0m\n"
printf -v "${kernel_output_var}" "%s" "${binary_kernel}"
printf -v "${initrd_output_var}" "%s" "${binary_initrd}"
return 0
@@ -150,11 +182,11 @@ select_kernel_initrd_pair() {
die "Incomplete binary/live kernel/initrd pair. Refusing to mix final and fallback artifacts."
fi
- printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ [WARN] No complete binary/live kernel/initrd pair found; checking chroot/boot fallback. \e[0m\n"
+ printf "\e[93m❌ No complete binary/live kernel/initrd pair found; checking chroot/boot fallback. \e[0m\n"
collect_artifacts_from_dir "chroot/boot" fallback_kernel fallback_initrd
if [[ -n "${fallback_kernel}" && -n "${fallback_initrd}" ]]; then
- printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ [WARN] Using chroot/boot fallback artifacts because binary/live has no complete pair. \e[0m\n"
+ printf "\e[93m❌ Using chroot/boot fallback artifacts because binary/live has no complete pair. \e[0m\n"
printf -v "${kernel_output_var}" "%s" "${fallback_kernel}"
printf -v "${initrd_output_var}" "%s" "${fallback_initrd}"
return 0
@@ -163,9 +195,20 @@ select_kernel_initrd_pair() {
die "No complete kernel/initrd pair found in binary/live or chroot/boot."
}
+#######################################
+# Finds an optional separate early microcode cpio next to the selected initrd.
+# Globals:
+# None
+# Arguments:
+# 1: Artifact directory
+# 2: Output variable name for the selected microcode cpio path
+# Returns:
+# 0: on success, including when no separate microcode cpio exists
+# 42: if more than one separate microcode cpio candidate exists
+#######################################
collect_optional_microcode() {
- declare artifact_dir="$1"
- declare output_var="$2"
+ declare artifact_dir="${1}"
+ declare output_var="${2}"
declare -a microcode_candidates=()
mapfile -d '' -t microcode_candidates < <(
@@ -181,6 +224,16 @@ collect_optional_microcode() {
return 0
}
+#######################################
+# Refuses private Secure Boot key material in generated artifact paths.
+# Globals:
+# None
+# Arguments:
+# None
+# Returns:
+# 0: on success
+# 42: if a private Secure Boot key is found below a guarded path
+#######################################
guard_private_key_leaks() {
declare -a guard_roots=(binary chroot config/includes.binary config/includes.chroot config/includes.installer)
declare guard_root=""
@@ -201,6 +254,22 @@ guard_private_key_leaks() {
return 0
}
+#######################################
+# Builds unsigned and signed CISS UKIs for the ciss-uki Secure Boot profile.
+# Globals:
+# PWD
+# VAR_CISS_SECUREBOOT_DIR
+# VAR_CISS_SECUREBOOT_EFI_CERT
+# VAR_CISS_SECUREBOOT_EFI_KEY
+# VAR_CISS_SECUREBOOT_PROFILE
+# VAR_HANDLER_BUILD_DIR
+# VAR_WORKDIR
+# Arguments:
+# None
+# Returns:
+# 0: on success or when the active Secure Boot profile does not require a CISS UKI
+# 42: on validation, artifact selection, UKI build, signing, or verification failure
+#######################################
main() {
declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-debian-shim}"
declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
@@ -226,11 +295,11 @@ main() {
declare -a ukify_args=()
if [[ "${profile}" != "ciss-uki" ]]; then
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Secure Boot profile '%s'; skipping CISS UKI build. \e[0m\n" "${profile}"
+ printf "\e[92m✅ Secure Boot profile '%s'; skipping CISS UKI build. \e[0m\n" "${profile}"
return 0
fi
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Building CISS Secure Boot UKI ... \e[0m\n"
+ printf "\e[95m🧪 Building CISS Secure Boot UKI ... \e[0m\n"
cd "${build_dir}"
@@ -280,18 +349,18 @@ main() {
)
if [[ -n "${microcode_initrd}" ]]; then
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Embedding separate early microcode cpio before normal initrd: '%s'. \e[0m\n" "${microcode_initrd}"
+ printf "\e[92m✅ Embedding separate early microcode cpio before normal initrd: '%s'. \e[0m\n" "${microcode_initrd}"
ukify_args+=(--initrd="${microcode_initrd}")
else
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] No separate early microcode cpio found; using normal initrd only. \e[0m\n"
+ printf "\e[92m✅ No separate early microcode cpio found; using normal initrd only. \e[0m\n"
fi
ukify_args+=(--initrd="${initrd_path}")
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Creating unsigned UKI: '%s'. \e[0m\n" "${unsigned_uki}"
+ printf "\e[95m🧪 Creating unsigned UKI: '%s'. \e[0m\n" "${unsigned_uki}"
ukify "${ukify_args[@]}" --output="${unsigned_uki}"
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Creating signed UKI: '%s'. \e[0m\n" "${signed_uki}"
+ printf "\e[95m🧪 Creating signed UKI: '%s'. \e[0m\n" "${signed_uki}"
ukify "${ukify_args[@]}" \
--secureboot-private-key="${secureboot_key}" \
--secureboot-certificate="${secureboot_cert}" \
@@ -316,8 +385,8 @@ main() {
sbverify --cert "${secureboot_cert}" "${signed_uki}"
} >| "${manifest}" 2>&1
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] UKI inspection and signature verification written to '%s'. \e[0m\n" "${manifest}"
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] CISS Secure Boot UKI build completed. \e[0m\n"
+ printf "\e[92m✅ UKI inspection and signature verification written to '%s'. \e[0m\n" "${manifest}"
+ printf "\e[92m✅ CISS Secure Boot UKI build completed. \e[0m\n"
return 0
}
diff --git a/config/hooks/live/zzzz_ciss_uki_install.hook.binary b/config/hooks/live/zzzz_ciss_uki_install.hook.binary
index e0d33cb..8e1ff7a 100644
--- a/config/hooks/live/zzzz_ciss_uki_install.hook.binary
+++ b/config/hooks/live/zzzz_ciss_uki_install.hook.binary
@@ -9,10 +9,29 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
+# shellcheck disable=SC2312
set -Ceuo pipefail
+# Final live-build binary hook for CISS UKI installation. When the ciss-uki Secure Boot profile is active, this hook selects
+# the single signed CISS UKI, rebuilds the FAT EFI boot image with it as EFI/BOOT/BOOTX64.EFI, verifies the installed copy,
+# mirrors it into the ISO EFI tree when available, writes an installation manifest, and refuses private Secure Boot key
+# material in build artifact paths.
+
declare TMP_DIR=""
+#######################################
+# Removes the temporary EFI image work directory if it is inside the expected Secure Boot output tree.
+# Globals:
+# PWD
+# TMP_DIR
+# VAR_HANDLER_BUILD_DIR
+# Arguments:
+# None
+# Returns:
+# 0: on success or when no temporary directory exists
+# 42: if the temporary directory is outside the expected cleanup root
+# non-zero: if removal of the expected temporary directory fails under strict mode
+#######################################
cleanup() {
declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
@@ -22,7 +41,7 @@ cleanup() {
rm -rf -- "${TMP_DIR}"
;;
*)
- printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ [FATAL] Refusing to clean unexpected temporary path: '%s'. \e[0m\n" "${TMP_DIR}" >&2
+ printf "\e[91m❌ Refusing to clean unexpected temporary path: '%s'. \e[0m\n" "${TMP_DIR}" >&2
return 42
;;
esac
@@ -30,14 +49,32 @@ cleanup() {
return 0
}
-trap cleanup EXIT
+#######################################
+# Prints a fatal error message and terminates the hook.
+# Globals:
+# None
+# Arguments:
+# 1: Error message
+# Returns:
+# 42: always exits with failure
+#######################################
die() {
declare message="$1"
- printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ [FATAL] %s \e[0m\n" "${message}" >&2
+ printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
exit 42
}
+#######################################
+# Checks whether a required command exists.
+# Globals:
+# None
+# Arguments:
+# 1: Command name
+# Returns:
+# 0: on success
+# 42: if the command is missing
+#######################################
require_command() {
declare command_name="$1"
@@ -46,6 +83,17 @@ require_command() {
return 0
}
+#######################################
+# Checks whether a required file exists.
+# Globals:
+# None
+# Arguments:
+# 1: File path
+# 2: Human-readable file description
+# Returns:
+# 0: on success
+# 42: if the file is missing
+#######################################
require_file() {
declare file_path="$1"
declare description="$2"
@@ -55,6 +103,17 @@ require_file() {
return 0
}
+#######################################
+# Selects the single signed CISS UKI generated by the CISS UKI build hook.
+# Globals:
+# None
+# Arguments:
+# 1: CISS UKI output directory
+# 2: Output variable name for the selected signed UKI path
+# Returns:
+# 0: on success
+# 42: if the UKI directory is missing or does not contain exactly one signed UKI
+#######################################
select_signed_uki() {
declare uki_dir="$1"
declare output_var="$2"
@@ -73,6 +132,16 @@ select_signed_uki() {
return 0
}
+#######################################
+# Refuses private Secure Boot key material in generated artifact paths.
+# Globals:
+# None
+# Arguments:
+# None
+# Returns:
+# 0: on success
+# 42: if a private Secure Boot key is found below a guarded path
+#######################################
guard_private_key_leaks() {
declare -a guard_roots=(binary chroot config/includes.binary config/includes.chroot config/includes.installer)
declare guard_root=""
@@ -93,6 +162,17 @@ guard_private_key_leaks() {
return 0
}
+#######################################
+# Mirrors the signed UKI into the ISO EFI tree as the removable-media bootloader when that tree exists.
+# Globals:
+# None
+# Arguments:
+# 1: Signed UKI path
+# 2: Output variable name for the ISO EFI tree BOOTX64 path, or an empty value when no tree exists
+# Returns:
+# 0: on success, including when no ISO EFI tree exists
+# non-zero: if directory creation or file installation fails under strict mode
+#######################################
install_iso_tree_bootx64() {
declare signed_uki="$1"
declare output_var="$2"
@@ -109,9 +189,9 @@ install_iso_tree_bootx64() {
if [[ -n "${iso_tree_bootx64}" ]]; then
install -m 0644 "${signed_uki}" "${iso_tree_bootx64}"
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Mirrored signed UKI into ISO EFI tree: '%s'. \e[0m\n" "${iso_tree_bootx64}"
+ printf "\e[92m✅ Mirrored signed UKI into ISO EFI tree: '%s'. \e[0m\n" "${iso_tree_bootx64}"
else
- printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ [WARN] No binary/EFI tree found; only EFI boot image was updated. \e[0m\n"
+ printf "\e[93m❌ No binary/EFI tree found; only EFI boot image was updated. \e[0m\n"
fi
printf -v "${output_var}" "%s" "${iso_tree_bootx64}"
@@ -119,6 +199,24 @@ install_iso_tree_bootx64() {
return 0
}
+#######################################
+# Installs the signed CISS UKI into the EFI boot image for the ciss-uki Secure Boot profile.
+# Globals:
+# PWD
+# SOURCE_DATE_EPOCH
+# TMP_DIR
+# VAR_CISS_SECUREBOOT_DIR
+# VAR_CISS_SECUREBOOT_EFI_CERT
+# VAR_CISS_SECUREBOOT_PROFILE
+# VAR_HANDLER_BUILD_DIR
+# VAR_WORKDIR
+# Arguments:
+# None
+# Returns:
+# 0: on success or when the active Secure Boot profile does not require CISS UKI installation
+# 42: on explicit validation, comparison, or signature verification failure
+# non-zero: if an external tool, installation command, or manifest write fails under strict mode
+#######################################
main() {
declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-debian-shim}"
declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
@@ -142,11 +240,11 @@ main() {
declare volid=""
if [[ "${profile}" != "ciss-uki" ]]; then
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Secure Boot profile '%s'; skipping CISS UKI EFI installation. \e[0m\n" "${profile}"
+ printf "\e[92m✅ Secure Boot profile '%s'; skipping CISS UKI EFI installation. \e[0m\n" "${profile}"
return 0
fi
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Installing CISS signed UKI into EFI boot image ... \e[0m\n"
+ printf "\e[95m🧪 Installing CISS signed UKI into EFI boot image ... \e[0m\n"
cd "${build_dir}"
@@ -191,7 +289,7 @@ main() {
fi
printf -v volid "%08x" "$((source_epoch % 4294967296))"
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Rebuilding EFI boot image with signed UKI as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
+ printf "\e[95m🧪 Rebuilding EFI boot image with signed UKI as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
mkfs.msdos -C "${tmp_img}" "${blocks}" -i "${volid}" >/dev/null
mmd -i "${tmp_img}" "::EFI"
mmd -i "${tmp_img}" "::EFI/BOOT"
@@ -237,12 +335,13 @@ main() {
sbverify --cert "${secureboot_cert}" "${extracted_uki}"
} >| "${manifest}" 2>&1
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] EFI image installation verification written to '%s'. \e[0m\n" "${manifest}"
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] CISS signed UKI installed as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
+ printf "\e[92m✅ EFI image installation verification written to '%s'. \e[0m\n" "${manifest}"
+ printf "\e[92m✅ CISS signed UKI installed as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
return 0
}
main "$@"
+cleanup
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts
index 5984e35..4790590 100644
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config
index 525caa9..669b9ab 100644
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
diff --git a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened
index 9ec38f8..bec0065 100644
--- a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened
@@ -11,7 +11,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/
diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
index 4efa887..27c2dcf 100644
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V9.14.008.2026.06.04"
+declare -gr VERSION="Master V9.14.016.2026.06.06"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then
diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg
index c259736..a4dcf76 100644
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V9.14.008.2026.06.04 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.016.2026.06.06 at: 10:18:37.9542
diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md
index 3a25566..36233f0 100644
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. DNSSEC Status
diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md
index a26c71c..7245a79 100644
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. Haveged Audit on Netcup RS 2000 G11
diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md
index 4eb6ffb..290b72e 100644
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. Lynis Audit:
diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md
index 546c81e..7ae707b 100644
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. SSH Audit by ssh-audit.com
diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md
index b6fe5b1..5a3f164 100644
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. TLS Audit:
````text
diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md
index df0aff9..761221d 100644
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. Hardened Kernel Boot Parameters
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index b0fd7af..94cdad7 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,12 +8,19 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. Changelog
+## V9.14.016.2026.06.06
+* **Changed**: [zzzz_ciss_uki_build.hook.binary](../config/hooks/live/zzzz_ciss_uki_build.hook.binary)
+* **Changed**: [zzzz_ciss_uki_install.hook.binary](../config/hooks/live/zzzz_ciss_uki_install.hook.binary)
+* **Changed**: [lib_secureboot_profile.sh](../lib/lib_secureboot_profile.sh)
+
## V9.14.008.2026.06.04
-tba
+* **Added**: [zzzz_ciss_uki_build.hook.binary](../config/hooks/live/zzzz_ciss_uki_build.hook.binary)
+* **Added**: [zzzz_ciss_uki_install.hook.binary](../config/hooks/live/zzzz_ciss_uki_install.hook.binary)
+* **Added**: [lib_secureboot_profile.sh](../lib/lib_secureboot_profile.sh)
## V9.14.004.2026.05.17
* **Added**: [AGENTS.md](../AGENTS.md)
diff --git a/docs/CNET.md b/docs/CNET.md
index 3d72506..04b146a 100644
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. Centurion Net - Developer Branch Overview
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index 40909dd..18c05fb 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. Contributing / participating
diff --git a/docs/CREDITS.md b/docs/CREDITS.md
index 892d360..a8a29a4 100644
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. Credits
diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md
index 3b6a4d5..5fab688 100644
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. Download the latest PUBLIC CISS.debian.live.ISO
diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md
index fa48cc5..912f403 100644
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,14 +8,14 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2.1. Usage
````text
CDLB(1) CISS.debian.live.builder CDLB(1)
CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V9.14.008.2026.06.04
+Master V9.14.016.2026.06.06
A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
(c) Marc S. Weidner, 2018 - 2026
@@ -168,7 +168,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
💷 Please consider donating to my work at:
🌐 https://coresecret.eu/spenden/
- V9.14.008.2026.06.04 2026-05-17 CDLB(1)
+ V9.14.016.2026.06.06 2026-05-17 CDLB(1)
````
# 3. Booting
diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
index 30d7f0a..7073289 100644
--- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)
diff --git a/docs/MAN_SSH_Host_Key_Policy.md b/docs/MAN_SSH_Host_Key_Policy.md
index b49feaa..6daf3d4 100644
--- a/docs/MAN_SSH_Host_Key_Policy.md
+++ b/docs/MAN_SSH_Host_Key_Policy.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer
diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md
index 9d7b67b..bc7b1f8 100644
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. Resources
diff --git a/docs/documentation/30-ciss-hardening.conf.md b/docs/documentation/30-ciss-hardening.conf.md
index 18f01e9..5fbb3cd 100644
--- a/docs/documentation/30-ciss-hardening.conf.md
+++ b/docs/documentation/30-ciss-hardening.conf.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. ``30-ciss-hardening.conf``
diff --git a/docs/documentation/90-ciss-local.hardened.md b/docs/documentation/90-ciss-local.hardened.md
index c2e788d..b4fd766 100644
--- a/docs/documentation/90-ciss-local.hardened.md
+++ b/docs/documentation/90-ciss-local.hardened.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. ``90-ciss-local.hardened``
diff --git a/docs/documentation/ciss_live_builder.sh.md b/docs/documentation/ciss_live_builder.sh.md
index c997a9c..a3f8967 100644
--- a/docs/documentation/ciss_live_builder.sh.md
+++ b/docs/documentation/ciss_live_builder.sh.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.008.2026.06.04
+**Build**: V9.14.016.2026.06.06
# 2. ``ciss_live_builder.sh``
diff --git a/lib/lib_arg_parser.sh b/lib/lib_arg_parser.sh
index ec9a4cc..be6c5b7 100644
--- a/lib/lib_arg_parser.sh
+++ b/lib/lib_arg_parser.sh
@@ -238,45 +238,6 @@ arg_parser() {
fi
;;
- --sops-version)
- if [[ -n "${2-}" ]]; then
- declare sops_version="${2#v}"
- if [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
- # shellcheck disable=SC2034
- declare -gx VAR_SOPS_VERSION="${sops_version}"
- shift 2
- else
- if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
- printf "\e[91m❌ ERROR: --sops-version MUST match '..' or 'v..'.\e[0m\n" >&2
- read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
- # shellcheck disable=SC2154
- exit "${ERR__SOPS__VER}"
- fi
- else
- if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
- printf "\e[91m❌ ERROR: --sops-version MUST be provided with a semantic version.\e[0m\n" >&2
- read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
- # shellcheck disable=SC2154
- exit "${ERR__SOPS__VER}"
- fi
- ;;
-
- --sops-version=*)
- declare sops_version="${1#*=}"
- sops_version="${sops_version#v}"
- if [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
- # shellcheck disable=SC2034
- declare -gx VAR_SOPS_VERSION="${sops_version}"
- shift 1
- else
- if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
- printf "\e[91m❌ ERROR: --sops-version MUST match '..' or 'v..'.\e[0m\n" >&2
- read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
- # shellcheck disable=SC2154
- exit "${ERR__SOPS__VER}"
- fi
- ;;
-
--jump-host)
if [[ -n "${2-}" && "${2}" != -* ]]; then
declare -i count=0
@@ -571,6 +532,45 @@ arg_parser() {
shift 1
;;
+ --sops-version)
+ if [[ -n "${2-}" ]]; then
+ declare sops_version="${2#v}"
+ if [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ # shellcheck disable=SC2034
+ declare -gx VAR_SOPS_VERSION="${sops_version}"
+ shift 2
+ else
+ if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+ printf "\e[91m❌ ERROR: --sops-version MUST match '..' or 'v..'.\e[0m\n" >&2
+ read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+ # shellcheck disable=SC2154
+ exit "${ERR__SOPS__VER}"
+ fi
+ else
+ if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+ printf "\e[91m❌ ERROR: --sops-version MUST be provided with a semantic version.\e[0m\n" >&2
+ read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+ # shellcheck disable=SC2154
+ exit "${ERR__SOPS__VER}"
+ fi
+ ;;
+
+ --sops-version=*)
+ declare sops_version="${1#*=}"
+ sops_version="${sops_version#v}"
+ if [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ # shellcheck disable=SC2034
+ declare -gx VAR_SOPS_VERSION="${sops_version}"
+ shift 1
+ else
+ if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+ printf "\e[91m❌ ERROR: --sops-version MUST match '..' or 'v..'.\e[0m\n" >&2
+ read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+ # shellcheck disable=SC2154
+ exit "${ERR__SOPS__VER}"
+ fi
+ ;;
+
--ssh-port)
if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
diff --git a/lib/lib_arg_priority_check.sh b/lib/lib_arg_priority_check.sh
index 6586d16..d50e620 100644
--- a/lib/lib_arg_priority_check.sh
+++ b/lib/lib_arg_priority_check.sh
@@ -27,7 +27,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
arg_priority_check() {
declare var=""
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
### Check if nice PRIORITY is set and adjust nice priority.
if [[ "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then
@@ -36,11 +36,11 @@ arg_priority_check() {
renice "${VAR_HANDLER_PRIORITY}" -p "$$"
var=$(ps -o ni= -p $$) > /dev/null 2>&1
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}"
+ printf "\e[92m✅ New renice value: %s\e[0m\n" "${var}"
else
- printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ renice not installed (util-linux) \e[0m\n"
+ printf "\e[93m❌ renice not installed (util-linux) \e[0m\n"
fi
@@ -53,17 +53,17 @@ arg_priority_check() {
ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
var=$(ionice -p $$) > /dev/null 2>&1
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}"
+ printf "\e[92m✅ New ionice value: %s\e[0m\n" "${var}"
else
- printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ionice not installed (util-linux) \e[0m\n"
+ printf "\e[93m❌ ionice not installed (util-linux) \e[0m\n"
fi
fi
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
diff --git a/lib/lib_cdi.sh b/lib/lib_cdi.sh
index d363da9..061ccc5 100644
--- a/lib/lib_cdi.sh
+++ b/lib/lib_cdi.sh
@@ -26,7 +26,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
#######################################
cdi() {
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then
@@ -67,7 +67,7 @@ EOF
fi
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
diff --git a/lib/lib_change_splash.sh b/lib/lib_change_splash.sh
index 974818c..f787a29 100644
--- a/lib/lib_change_splash.sh
+++ b/lib/lib_change_splash.sh
@@ -25,27 +25,27 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
#######################################
change_splash() {
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'club.png' selected ...\e[0m\n"
+ printf "\e[95m🧪 Grub Splash 'club.png' selected ...\e[0m\n"
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'club.png' selected done. \e[0m\n"
+ printf "\e[92m✅ Grub Splash 'club.png' selected done. \e[0m\n"
elif [[ ${VAR_HANDLER_SPLASH} == "hexagon" ]]; then
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'hexagon.png' selected ...\e[0m\n"
+ printf "\e[95m🧪 Grub Splash 'hexagon.png' selected ...\e[0m\n"
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'hexagon.png' selected done. \e[0m\n"
+ printf "\e[92m✅ Grub Splash 'hexagon.png' selected done. \e[0m\n"
fi
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
diff --git a/lib/lib_check_dhcp.sh b/lib/lib_check_dhcp.sh
index dda494a..a0b21ce 100644
--- a/lib/lib_check_dhcp.sh
+++ b/lib/lib_check_dhcp.sh
@@ -24,13 +24,13 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
#######################################
check_dhcp() {
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then
chmod +x "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh" && "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh"
fi
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
diff --git a/lib/lib_check_secrets.sh b/lib/lib_check_secrets.sh
index 90b3ffb..e82448d 100644
--- a/lib/lib_check_secrets.sh
+++ b/lib/lib_check_secrets.sh
@@ -23,7 +23,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
#######################################
x_remove() {
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare _old_nullglob="" _old_dotglob=""
@@ -54,7 +54,7 @@ x_remove() {
eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_dotglob}" 2>/dev/null || true
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
diff --git a/lib/lib_ciss_signatures.sh b/lib/lib_ciss_signatures.sh
index f49f620..2e4189e 100644
--- a/lib/lib_ciss_signatures.sh
+++ b/lib/lib_ciss_signatures.sh
@@ -30,7 +30,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
#######################################
ciss_signatures() {
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare -ar _ary_target=(
"/etc/initramfs-tools/files/unlock_wrapper.sh"
@@ -58,7 +58,7 @@ ciss_signatures() {
done
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
diff --git a/lib/lib_ciss_upgrades_boot.sh b/lib/lib_ciss_upgrades_boot.sh
index 0acd0ea..d60442e 100644
--- a/lib/lib_ciss_upgrades_boot.sh
+++ b/lib/lib_ciss_upgrades_boot.sh
@@ -29,7 +29,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
#######################################
ciss_upgrades_boot() {
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/attestation/${VAR_SIGNING_KEY_FPR}.gpg"
@@ -66,7 +66,7 @@ ciss_upgrades_boot() {
[[ -e "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" ]] && \
rm -f "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
diff --git a/lib/lib_ciss_upgrades_build.sh b/lib/lib_ciss_upgrades_build.sh
index 05a6cde..9189409 100644
--- a/lib/lib_ciss_upgrades_build.sh
+++ b/lib/lib_ciss_upgrades_build.sh
@@ -23,7 +23,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
#######################################
ciss_upgrades_build() {
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
### CISS 0030-ciss-verify-checksums override. --------------------------------------------------------------------------------
if [[ -e /usr/lib/live/boot/0030-verify-checksums ]]; then
@@ -66,7 +66,7 @@ ciss_upgrades_build() {
rm -f /usr/lib/live/build/binary_rootfs
install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/lib/live/build/binary_rootfs.sh" /usr/lib/live/build/binary_rootfs
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
diff --git a/lib/lib_copy_integrity.sh b/lib/lib_copy_integrity.sh
index c25bc4b..ff4c93a 100644
--- a/lib/lib_copy_integrity.sh
+++ b/lib/lib_copy_integrity.sh
@@ -35,7 +35,7 @@ copy_db() {
else
- printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ '%s' NOT successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[91m❌ '%s' NOT successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
fi
}
diff --git a/lib/lib_gnupg.sh b/lib/lib_gnupg.sh
index 4d8e3ef..21aaf11 100644
--- a/lib/lib_gnupg.sh
+++ b/lib/lib_gnupg.sh
@@ -37,7 +37,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# ERR_GPG__AGENT: on failure
#######################################
init_gnupg() {
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ "${VAR_SIGNER}" == "true" ]]; then
@@ -47,7 +47,7 @@ init_gnupg() {
### Avoid collision with Gitea runner workflows.
if [[ "${VAR_CDLB_INSIDE_RUNNER}" != "true" ]]; then
- printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔐 VAR_CDLB_INSIDE_RUNNER: [%s] \e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}"
+ printf "\e[93m🔐 VAR_CDLB_INSIDE_RUNNER: [%s] \e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}"
declare -grx GNUPGHOME="${VAR_WORKDIR}/cdlb_$$_gnupg"
@@ -61,14 +61,14 @@ EOF
if ! gpgconf --launch gpg-agent 2>&1; then
- printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed to launch gpg-agent. \e[0m\n"
+ printf "\e[91m❌ Failed to launch gpg-agent. \e[0m\n"
return "${ERR_GPG__AGENT}"
fi
else
- printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔐 VAR_CDLB_INSIDE_RUNNER: [%s] leaving GNUPGHOME untouched.\e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}"
+ printf "\e[93m🔐 VAR_CDLB_INSIDE_RUNNER: [%s] leaving GNUPGHOME untouched.\e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}"
fi
@@ -89,7 +89,7 @@ EOF
if ! gpg --batch --yes --pinentry-mode=loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --import "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"; then
- printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed to import signing key. \e[0m\n"
+ printf "\e[91m❌ Failed to import signing key. \e[0m\n"
return "${ERR_GPG__AGENT}"
fi
@@ -105,7 +105,7 @@ EOF
if ! gpg --batch --import "${VAR_TMP_SECRET}/${VAR_SIGNING_CA}"; then
- printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed to import CA public key. \e[0m\n"
+ printf "\e[91m❌ Failed to import CA public key. \e[0m\n"
return "${ERR_GPG__AGENT}"
fi
@@ -128,7 +128,7 @@ EOF
fi
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
diff --git a/lib/lib_hardening_root_pw.sh b/lib/lib_hardening_root_pw.sh
index 9b95974..ba2e99b 100644
--- a/lib/lib_hardening_root_pw.sh
+++ b/lib/lib_hardening_root_pw.sh
@@ -24,16 +24,16 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
#######################################
hardening_root_pw() {
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ -z ${VAR_HASHED_PWD} ]]; then
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
+ printf "\e[92m✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
return 0
fi
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Setup Root Password for Console ... \e[0m\n"
+ printf "\e[95m🧪 Setup Root Password for Console ... \e[0m\n"
declare cfg_dir="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/live"
declare dropin_dir="${cfg_dir}/config.conf.d"
@@ -82,9 +82,9 @@ EOF
#touch "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
#chmod -x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setup Root Password for Console done. \e[0m\n"
+ printf "\e[92m✅ Setup Root Password for Console done. \e[0m\n"
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
diff --git a/lib/lib_hardening_ssh_tcp.sh b/lib/lib_hardening_ssh_tcp.sh
index bd94236..2c91a6f 100644
--- a/lib/lib_hardening_ssh_tcp.sh
+++ b/lib/lib_hardening_ssh_tcp.sh
@@ -24,7 +24,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
#######################################
hardening_ssh_tcp() {
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
declare allowed=""
@@ -90,7 +90,7 @@ ALL: ALL
EOF
fi
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
diff --git a/lib/lib_hardening_ultra.sh b/lib/lib_hardening_ultra.sh
index 25ba12a..a21de7b 100644
--- a/lib/lib_hardening_ultra.sh
+++ b/lib/lib_hardening_ultra.sh
@@ -30,13 +30,13 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
#######################################
hardening_ultra() {
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
# shellcheck disable=SC2164
cd "${VAR_WORKDIR}"
### ./config/bootloaders -----------------------------------------------------------------------------------------------------
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
+ printf "\e[95m🧪 Copying ./config/bootloaders ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
@@ -49,11 +49,11 @@ hardening_ultra() {
fi
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"
+ printf "\e[92m✅ Copying ./config/bootloaders done.\e[0m\n"
### ./config/includes.binary -------------------------------------------------------------------------------------------------
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
+ printf "\e[95m🧪 Copying ./config/includes.binary ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary" ]]; then
@@ -66,11 +66,11 @@ hardening_ultra() {
fi
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"
+ printf "\e[92m✅ Copying ./config/includes.binary done.\e[0m\n"
### ./config/includes.chroot -------------------------------------------------------------------------------------------------
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
+ printf "\e[95m🧪 Copying ./config/includes.chroot ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
@@ -87,13 +87,13 @@ hardening_ultra() {
fi
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"
+ printf "\e[92m✅ Copying ./config/includes.chroot done.\e[0m\n"
### ./config/hooks/early -----------------------------------------------------------------------------------------------------
if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n"
+ printf "\e[95m🧪 Copying ./config/hooks/early ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/early" ]]; then
@@ -106,13 +106,13 @@ hardening_ultra() {
fi
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/early done.\e[0m\n"
+ printf "\e[92m✅ Copying ./config/hooks/early done.\e[0m\n"
fi
### ./config/hooks/live ------------------------------------------------------------------------------------------------------
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
+ printf "\e[95m🧪 Copying ./config/hooks/live ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
@@ -125,11 +125,11 @@ hardening_ultra() {
fi
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
+ printf "\e[92m✅ Copying ./config/hooks/live done.\e[0m\n"
### ./config/package-lists ---------------------------------------------------------------------------------------------------
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
+ printf "\e[95m🧪 Copying ./config/package-lists ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
fi
@@ -145,7 +145,7 @@ hardening_ultra() {
declare arch_comment="# arm64 specific packages"
;;
*)
- printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${VAR_ARCHITECTURE}"
+ printf "\e[91m❌ Unsupported architecture '%s'.\e[0m\n" "${VAR_ARCHITECTURE}"
exit 1
;;
esac
@@ -173,12 +173,12 @@ hardening_ultra() {
print
}
' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" >| temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
+ printf "\e[92m✅ Copying ./config/package-lists done.\e[0m\n"
### Updating SSH Keys, Ports -------------------------------------------------------------------------------------------------
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
+ printf "\e[95m🧪 Updating SSH Keys, Ports ... \e[0m\n"
### ./config/includes.chroot/root/.ssh ---------------------------------------------------------------------------------------
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
@@ -212,7 +212,7 @@ hardening_ultra() {
if [[ -z "${line}" ]]; then
- printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
+ printf "\e[91m❌'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
exit 1
fi
@@ -229,13 +229,13 @@ hardening_ultra() {
fi
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n"
+ printf "\e[92m✅ Updating SSH Keys, Ports done. \e[0m\n"
### ./config/includes.chroot/etc/hosts. --------------------------------------------------------------------------------------
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n"
+ printf "\e[95m🧪 SSH Hardening Ultra ... \e[0m\n"
mv "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
mv "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
@@ -243,7 +243,7 @@ hardening_ultra() {
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n"
+ printf "\e[92m✅ SSH Hardening Ultra done.\e[0m\n"
fi
@@ -251,7 +251,7 @@ hardening_ultra() {
### ./config/hooks/live/9950_hardening_fail2ban.chroot -----------------------------------------------------------------------
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
+ printf "\e[95m🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
# Join array entries with spaces, preserving any newlines
declare ips="${ARY_HANDLER_JUMPHOST[*]}"
@@ -265,19 +265,19 @@ hardening_ultra() {
# Perform an in-place replacement of IGNORE_IP_MUST_BE_SET with the cleaned list
sed -i -E "/^[[:space:]]*ignoreip[[:space:]]*=/ s|IGNORE_IP_MUST_BE_SET|${flat_ips}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
+ printf "\e[92m✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
else
- printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 No jump hosts configured, removing placeholder ... \e[0m\n"
+ printf "\e[93m🧪 No jump hosts configured, removing placeholder ... \e[0m\n"
sed -i 's/IGNORE_IP_MUST_BE_SET//g' "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n"
+ printf "\e[92m✅ Placeholder removed. \e[0m\n"
fi
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
diff --git a/lib/lib_lb_build_start.sh b/lib/lib_lb_build_start.sh
index d914e62..deed932 100644
--- a/lib/lib_lb_build_start.sh
+++ b/lib/lib_lb_build_start.sh
@@ -27,7 +27,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
lb_build_start() {
declare -i var_build_rc=""
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}"
+ printf "\e[95m🔨 Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}"
# shellcheck disable=SC2164
cd "${VAR_WORKDIR}"
diff --git a/lib/lib_lb_config_start.sh b/lib/lib_lb_config_start.sh
index a08e2fa..d07f48e 100644
--- a/lib/lib_lb_config_start.sh
+++ b/lib/lib_lb_config_start.sh
@@ -23,14 +23,14 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
#######################################
lb_config_start() {
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ! -d ${VAR_HANDLER_BUILD_DIR} ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}"
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' created. \e[0m\n" "${VAR_HANDLER_BUILD_DIR}"
+ printf "\e[92m✅ '%s' created. \e[0m\n" "${VAR_HANDLER_BUILD_DIR}"
else
@@ -44,7 +44,7 @@ lb_config_start() {
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Deleting former config, binary and cache ... \e[0m\n"
+ printf "\e[95m🧪 Deleting former config, binary and cache ... \e[0m\n"
lb clean --binary --cache --purge --source
@@ -54,11 +54,11 @@ lb_config_start() {
fi
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Deleting former config, binary and cache done.\e[0m\n"
+ printf "\e[92m✅ Deleting former config, binary and cache done.\e[0m\n"
fi
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
diff --git a/lib/lib_lb_config_write_trixie.sh b/lib/lib_lb_config_write_trixie.sh
index b60b2c7..e75e3fa 100644
--- a/lib/lib_lb_config_write_trixie.sh
+++ b/lib/lib_lb_config_write_trixie.sh
@@ -134,7 +134,7 @@ var/lib/initramfs-tools/*-amd64
EOF
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
- printf "\e[92m✅ Writing new config done.\e[0m\n"
+ printf "\e[92m✅ Writing new config done. \e[0m\n"
printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
diff --git a/lib/lib_note_target.sh b/lib/lib_note_target.sh
index 95f8bc5..6ceace5 100644
--- a/lib/lib_note_target.sh
+++ b/lib/lib_note_target.sh
@@ -29,7 +29,7 @@
# 0: on success
#######################################
note_target() {
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
cat << EOF >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ciss-debian-live-builder.txt"
################################################################################
@@ -77,7 +77,7 @@ export CDLB_SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH}"
EOF
chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ciss-debian-live-builder.env"
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
diff --git a/lib/lib_primordial.sh b/lib/lib_primordial.sh
index 1078117..5eda14f 100644
--- a/lib/lib_primordial.sh
+++ b/lib/lib_primordial.sh
@@ -253,4 +253,5 @@ normalize_ssh_keys_in_dir() {
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f normalize_ssh_keys_in_dir
+
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_provider_netcup.sh b/lib/lib_provider_netcup.sh
index 86e02cd..21cc993 100644
--- a/lib/lib_provider_netcup.sh
+++ b/lib/lib_provider_netcup.sh
@@ -27,7 +27,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
provider_netcup() {
if "${VAR_HANDLER_NETCUP_IPV6}"; then
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare handler_netcup_ipv6_string="${ARY_HANDLER_NETCUP_IPV6[*]}"
@@ -79,7 +79,7 @@ UseHostname=no
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
fi
diff --git a/lib/lib_run_analysis.sh b/lib/lib_run_analysis.sh
index 26e7ef8..c7314eb 100644
--- a/lib/lib_run_analysis.sh
+++ b/lib/lib_run_analysis.sh
@@ -107,11 +107,12 @@ run_analysis() {
printf "\e[97m🔐 SHA256SUM : %s \e[0m\n" "${sha_sum}"
printf "\e[92m----------------------------------------------------------------------------------------\e[0m\n"
printf "\e[97m📅 Analysis Time : %s \e[0m\n" "${time}"
- printf "\e[92m✅ Analysis completed.\e[0m\n"
+ printf "\e[92m✅ Analysis completed. \e[0m\n"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f run_analysis
+
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_sanitizer.sh b/lib/lib_sanitizer.sh
index ffd4928..185aa67 100644
--- a/lib/lib_sanitizer.sh
+++ b/lib/lib_sanitizer.sh
@@ -142,4 +142,5 @@ sanitize_shell_literal() {
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f sanitize_shell_literal
+
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_secureboot_profile.sh b/lib/lib_secureboot_profile.sh
index c558578..6958448 100644
--- a/lib/lib_secureboot_profile.sh
+++ b/lib/lib_secureboot_profile.sh
@@ -9,7 +9,6 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# shellcheck disable=SC2154,SC2312
guard_sourcing || return "${ERR_GUARD_SRCE}"
@@ -41,6 +40,7 @@ secureboot_profile_guard_private_keys() {
continue
fi
+ # shellcheck disable=SC2312
while IFS= read -r -d '' private_file; do
printf "\e[91m❌ Refusing private Secure Boot key inside build artifact path: '%s'. \e[0m\n" "${private_file}" >&2
@@ -74,8 +74,8 @@ readonly -f secureboot_profile_guard_private_keys
secureboot_profile_apply() {
declare profile="${VAR_CISS_SECUREBOOT_PROFILE,,}"
declare hooks_dir="${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
- declare build_uki_hook="${hooks_dir}/zzzz_ciss_build_uki.hook.binary"
- declare install_uki_hook="${hooks_dir}/9910-ciss-install-uki-into-efi-img.hook.binary"
+ declare build_uki_hook="${hooks_dir}/zzzz_ciss_uki_build.hook.binary"
+ declare install_uki_hook="${hooks_dir}/zzzz_ciss_uki_install.hook.binary"
declare secureboot_dir="${VAR_WORKDIR}/ciss.secureboot"
declare secureboot_key="${secureboot_dir}/private/ciss-efi-image.key"
declare secureboot_cert="${secureboot_dir}/public/ciss-efi-image.crt"
@@ -141,4 +141,5 @@ secureboot_profile_apply() {
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f secureboot_profile_apply
+
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_update_microcode.sh b/lib/lib_update_microcode.sh
index 43963b0..a9ea175 100644
--- a/lib/lib_update_microcode.sh
+++ b/lib/lib_update_microcode.sh
@@ -22,7 +22,7 @@
# 0: on success
#######################################
update_microcode() {
- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ "${VAR_ARCHITECTURE,,}" == "amd64" ]]; then
@@ -33,7 +33,7 @@ EOF
fi
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh
index c7626cf..0d3fe6d 100644
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -39,13 +39,13 @@ usage() {
# shellcheck disable=SC2155
declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}")
# shellcheck disable=SC2155
- declare var_footer=$(center "V9.14.008.2026.06.04 2026-06-04 CDLB(1)" "${var_cols}")
+ declare var_footer=$(center "V9.14.016.2026.06.06 2026-06-04 CDLB(1)" "${var_cols}")
{
echo -e "\e[1;97m${var_header}\e[0m"
echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
- echo -e "\e[92mMaster V9.14.008.2026.06.04\e[0m"
+ echo -e "\e[92mMaster V9.14.016.2026.06.06\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
@@ -101,14 +101,6 @@ usage() {
echo " <./upgrades/dropbear/dropbear-.tar.bz2>"
echo " If omitted defaults to VAR_DROPBEAR_VERSION from <./var/global.var.sh>."
echo
- echo -e "\e[97m --sops-version \e[0m"
- echo " Selects the upstream SOPS release version used for the SOPS binary installed into the Live System."
- echo " The value MUST be a semantic version such as '3.13.1'. A leading 'v' is accepted and normalized."
- echo " The expected amd64 upstream asset is:"
- echo " /sops-v.linux.amd64>"
- echo " SOPS checksums are verified with Cosign using either Sigstore bundle mode or legacy split certificate/signature mode."
- echo " If omitted defaults to VAR_SOPS_VERSION from <./var/global.var.sh>."
- echo
echo -e "\e[97m --jump-host \e[0m"
echo " Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6 "
echo " addresses and / or CCDIR notation. If provided, than it MUST be a separated list."
@@ -171,6 +163,14 @@ usage() {
echo " Change '*' to your desired files / fingerprint. Files MUST be placed in:"
echo " "
echo
+ echo -e "\e[97m --sops-version \e[0m"
+ echo " Selects the upstream SOPS release version used for the SOPS binary installed into the Live System."
+ echo " The value MUST be a semantic version such as '3.13.1'. A leading 'v' is accepted and normalized."
+ echo " The expected amd64 upstream asset is:"
+ echo " /sops-v.linux.amd64>"
+ echo " SOPS checksums are verified with Cosign using either Sigstore bundle mode or legacy split certificate/signature mode."
+ echo " If omitted defaults to VAR_SOPS_VERSION from <./var/global.var.sh>."
+ echo
echo -e "\e[97m --sshfp \e[0m"
echo " Desired SSH id-files that should be incorporated in '/root/.ssh/id*'."
echo " Desired SSH host-files that should be incorporated in '/etc/ssh/ssh_host_*'."
diff --git a/scripts/0010_dhcp_supersede.sh b/scripts/0010_dhcp_supersede.sh
index f955945..3899834 100644
--- a/scripts/0010_dhcp_supersede.sh
+++ b/scripts/0010_dhcp_supersede.sh
@@ -62,7 +62,7 @@ UseNTP=no
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' successfully applied. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/scripts/0100_centurion_dns.sh b/scripts/0100_centurion_dns.sh
index 8906626..60af7de 100644
--- a/scripts/0100_centurion_dns.sh
+++ b/scripts/0100_centurion_dns.sh
@@ -45,7 +45,7 @@ fi
EOF
chmod +x "${HANDLER_BUILD_DIR}"/config/includes.binary/hooks/live-bottom/10-set-resolvconf
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' successfully applied. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/scripts/usr/local/sbin/9999_cdi_starter.sh b/scripts/usr/local/sbin/9999_cdi_starter.sh
index ea01225..73002df 100644
--- a/scripts/usr/local/sbin/9999_cdi_starter.sh
+++ b/scripts/usr/local/sbin/9999_cdi_starter.sh
@@ -130,7 +130,7 @@ main() {
touch "${var_log}"
- printf "CISS.debian.installer Master V9.14.008.2026.06.04 is up! \n" >> "${var_log}"
+ printf "CISS.debian.installer Master V9.14.016.2026.06.06 is up! \n" >> "${var_log}"
### Sleep a moment to settle boot artifacts.
sleep 8
@@ -209,7 +209,7 @@ main() {
### Timeout reached without acceptable semaphore.
logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
- printf "CISS.debian.installer Master V9.14.008.2026.06.04: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+ printf "CISS.debian.installer Master V9.14.016.2026.06.06: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
exit 0
}
diff --git a/var/early.var.sh b/var/early.var.sh
index 35912e8..907d181 100644
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
declare -grx VAR_HOST="$(uname -n)"
declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V9.14.008.2026.06.04"
+declare -grx VAR_VERSION="Master V9.14.016.2026.06.06"
declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
# Print $4 and $5; include $6 only if it exists
out = $4