V9.14.016.2026.06.06

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-06 14:39:12 +01:00
parent 83f6f8488c
commit e42fdff89b
77 changed files with 410 additions and 230 deletions
@@ -107,7 +107,7 @@ options edns0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' successfully applied. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06

 name: 💙 Generating a PUBLIC Live ISO.

@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V9.14.008.2026.06.04"
+      placeholder: "e.g., Master V9.14.016.2026.06.06"
    validations:
      required: true

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06

 FROM debian:bookworm

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06

 name: 🔁 Render README.md to README.html.

@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V9.14.008.2026.06.04
+  version: V9.14.016.2026.06.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V9.14.008.2026.06.04
+  version: V9.14.016.2026.06.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V9.14.008.2026.06.04
+  version: V9.14.016.2026.06.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06

 name: 💙 Generating a PUBLIC Live ISO.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06

 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06

 name: 🔁 Render Graphviz Diagrams.

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.008.2026.06.04"
+properties_version="V9.14.016.2026.06.06"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V9.14.008.2026.06.04
+PackageVersion: Master V9.14.016.2026.06.06
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.008.2026.06.04-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.016.2026.06.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 **CISS.debian.live.builder — First of its own.**<br>
 **World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -175,7 +175,7 @@ installer toolchain.

 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.

-Example: `V9.14.008.2026.06.04`
+Example: `V9.14.016.2026.06.06`

 `x.y.z` represents major (x), minor (y), and patch (z) version increments.

@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. Repository Structure

 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **9.14**, Build **V9.14.008.2026.06.04** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.016.2026.06.06** (as of 2025-10-11)

 ## 3.1. Top-Level Layout

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. CISS Secure Boot Private Material

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. CISS Secure Boot Public Material

@@ -115,7 +115,7 @@ for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh   ;
 for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done

 ### ALL CHECKS DONE. READY TO START THE SCRIPT.
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
 declare -grx VAR_SETUP="true"

 ### SECURING SECRETS ARTIFACTS.
@@ -216,6 +216,7 @@ if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n

 ### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
+
 ### Following the CISS Bash naming and ordering scheme:
 trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
 trap 'trap_on_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
@@ -9,34 +9,41 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
+# shellcheck disable=SC2312
 set -Ceuo pipefail

+# Final live-build binary hook for the CISS UKI build. When the ciss-uki Secure Boot profile is active, this hook selects the
+# complete kernel/initrd pair, reads the live kernel command line, optionally embeds separate early microcode, creates unsigned
+# and signed Unified Kernel Images with ukify, verifies the signed UKI with 'sbverify', writes a manifest, and refuses private
+# Secure Boot key material in build artifact paths.
+
 #######################################
-# Prints failure message.
+# Prints a fatal error message and terminates the hook.
 # Globals:
 #   None
 # Arguments:
-#   1: Message to print
+#   1: Error message
 # Returns:
-#   42: on failure
+#   42: always exits with failure
 #######################################
 die() {
-  declare message="$1"
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ %s \e[0m\n" "${message}" >&2
+  declare message="${1}"
+  printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
  exit 42
 }

 #######################################
-# Checking command to execute for existence.
+# Checks whether a required command exists.
 # Globals:
 #   None
 # Arguments:
-#   1: Command
+#   1: Command name
 # Returns:
 #   0: on success
+#   42: if the command is missing
 #######################################
 require_command() {
-  declare command_name="$1"
+  declare command_name="${1}"

  command -v "${command_name}" >/dev/null 2>&1 || die "Required command not found: '${command_name}'."

@@ -44,18 +51,19 @@ require_command() {
 }

 #######################################
-# Checking file for existence.
+# Checks whether a required file exists.
 # Globals:
 #   None
 # Arguments:
-#   1: /PATH/TO/FILE
-#   2: Description
+#   1: File path
+#   2: Human-readable file description
 # Returns:
 #   0: on success
+#   42: if the file is missing
 #######################################
 require_file() {
-  declare file_path="$1"
-  declare description="$2"
+  declare file_path="${1}"
+  declare description="${2}"

  [[ -f "${file_path}" ]] || die "Missing ${description}: '${file_path}'."

@@ -63,18 +71,19 @@ require_file() {
 }

 #######################################
-# Checking file for existence.
+# Reads the single LB_BOOTAPPEND_LIVE value from a live-build binary configuration file.
 # Globals:
 #   None
 # Arguments:
-#   1: /PATH/TO/FILE
-#   2: Description
+#   1: live-build binary configuration file
+#   2: Output variable name for the kernel command line
 # Returns:
 #   0: on success
+#   42: if the file is missing, the entry is ambiguous, or the value is empty
 #######################################
 read_bootappend_live() {
-  declare config_file="$1"
-  declare output_var="$2"
+  declare config_file="${1}"
+  declare output_var="${2}"
  declare -a matches=()
  declare value=""

@@ -99,10 +108,22 @@ read_bootappend_live() {
  return 0
 }

+#######################################
+# Collects kernel and initrd candidates from one artifact directory.
+# Globals:
+#   None
+# Arguments:
+#   1: Artifact directory
+#   2: Output variable name for the selected kernel path
+#   3: Output variable name for the selected initrd path
+# Returns:
+#   0: on success, including when the directory does not exist
+#   42: if more than one kernel or initrd candidate exists
+#######################################
 collect_artifacts_from_dir() {
-  declare artifact_dir="$1"
-  declare kernel_output_var="$2"
-  declare initrd_output_var="$3"
+  declare artifact_dir="${1}"
+  declare kernel_output_var="${2}"
+  declare initrd_output_var="${3}"
  declare -a kernels=()
  declare -a initrds=()

@@ -129,6 +150,17 @@ collect_artifacts_from_dir() {
  return 0
 }

+#######################################
+# Selects the kernel/initrd pair used to build the UKI.
+# Globals:
+#   None
+# Arguments:
+#   1: Output variable name for the selected kernel path
+#   2: Output variable name for the selected initrd path
+# Returns:
+#   0: on success
+#   42: if no complete pair exists, the final pair is incomplete, or candidates are ambiguous
+#######################################
 select_kernel_initrd_pair() {
  declare kernel_output_var="$1"
  declare initrd_output_var="$2"
@@ -140,7 +172,7 @@ select_kernel_initrd_pair() {
  collect_artifacts_from_dir "binary/live" binary_kernel binary_initrd

  if [[ -n "${binary_kernel}" && -n "${binary_initrd}" ]]; then
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Using final binary/live kernel and initrd artifacts. \e[0m\n"
+    printf "\e[92m✅ Using final binary/live kernel and initrd artifacts. \e[0m\n"
    printf -v "${kernel_output_var}" "%s" "${binary_kernel}"
    printf -v "${initrd_output_var}" "%s" "${binary_initrd}"
    return 0
@@ -150,11 +182,11 @@ select_kernel_initrd_pair() {
    die "Incomplete binary/live kernel/initrd pair. Refusing to mix final and fallback artifacts."
  fi

-  printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ [WARN] No complete binary/live kernel/initrd pair found; checking chroot/boot fallback. \e[0m\n"
+  printf "\e[93m❌ No complete binary/live kernel/initrd pair found; checking chroot/boot fallback. \e[0m\n"
  collect_artifacts_from_dir "chroot/boot" fallback_kernel fallback_initrd

  if [[ -n "${fallback_kernel}" && -n "${fallback_initrd}" ]]; then
-    printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ [WARN] Using chroot/boot fallback artifacts because binary/live has no complete pair. \e[0m\n"
+    printf "\e[93m❌ Using chroot/boot fallback artifacts because binary/live has no complete pair. \e[0m\n"
    printf -v "${kernel_output_var}" "%s" "${fallback_kernel}"
    printf -v "${initrd_output_var}" "%s" "${fallback_initrd}"
    return 0
@@ -163,9 +195,20 @@ select_kernel_initrd_pair() {
  die "No complete kernel/initrd pair found in binary/live or chroot/boot."
 }

+#######################################
+# Finds an optional separate early microcode cpio next to the selected initrd.
+# Globals:
+#   None
+# Arguments:
+#   1: Artifact directory
+#   2: Output variable name for the selected microcode cpio path
+# Returns:
+#   0: on success, including when no separate microcode cpio exists
+#   42: if more than one separate microcode cpio candidate exists
+#######################################
 collect_optional_microcode() {
-  declare artifact_dir="$1"
-  declare output_var="$2"
+  declare artifact_dir="${1}"
+  declare output_var="${2}"
  declare -a microcode_candidates=()

  mapfile -d '' -t microcode_candidates < <(
@@ -181,6 +224,16 @@ collect_optional_microcode() {
  return 0
 }

+#######################################
+# Refuses private Secure Boot key material in generated artifact paths.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   42: if a private Secure Boot key is found below a guarded path
+#######################################
 guard_private_key_leaks() {
  declare -a guard_roots=(binary chroot config/includes.binary config/includes.chroot config/includes.installer)
  declare guard_root=""
@@ -201,6 +254,22 @@ guard_private_key_leaks() {
  return 0
 }

+#######################################
+# Builds unsigned and signed CISS UKIs for the ciss-uki Secure Boot profile.
+# Globals:
+#   PWD
+#   VAR_CISS_SECUREBOOT_DIR
+#   VAR_CISS_SECUREBOOT_EFI_CERT
+#   VAR_CISS_SECUREBOOT_EFI_KEY
+#   VAR_CISS_SECUREBOOT_PROFILE
+#   VAR_HANDLER_BUILD_DIR
+#   VAR_WORKDIR
+# Arguments:
+#   None
+# Returns:
+#   0: on success or when the active Secure Boot profile does not require a CISS UKI
+#   42: on validation, artifact selection, UKI build, signing, or verification failure
+#######################################
 main() {
  declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-debian-shim}"
  declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
@@ -226,11 +295,11 @@ main() {
  declare -a ukify_args=()

  if [[ "${profile}" != "ciss-uki" ]]; then
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Secure Boot profile '%s'; skipping CISS UKI build. \e[0m\n" "${profile}"
+    printf "\e[92m✅ Secure Boot profile '%s'; skipping CISS UKI build. \e[0m\n" "${profile}"
    return 0
  fi

-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Building CISS Secure Boot UKI ... \e[0m\n"
+  printf "\e[95m🧪 Building CISS Secure Boot UKI ... \e[0m\n"

  cd "${build_dir}"

@@ -280,18 +349,18 @@ main() {
  )

  if [[ -n "${microcode_initrd}" ]]; then
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Embedding separate early microcode cpio before normal initrd: '%s'. \e[0m\n" "${microcode_initrd}"
+    printf "\e[92m✅ Embedding separate early microcode cpio before normal initrd: '%s'. \e[0m\n" "${microcode_initrd}"
    ukify_args+=(--initrd="${microcode_initrd}")
  else
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] No separate early microcode cpio found; using normal initrd only. \e[0m\n"
+    printf "\e[92m✅ No separate early microcode cpio found; using normal initrd only. \e[0m\n"
  fi

  ukify_args+=(--initrd="${initrd_path}")

-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Creating unsigned UKI: '%s'. \e[0m\n" "${unsigned_uki}"
+  printf "\e[95m🧪 Creating unsigned UKI: '%s'. \e[0m\n" "${unsigned_uki}"
  ukify "${ukify_args[@]}" --output="${unsigned_uki}"

-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Creating signed UKI: '%s'. \e[0m\n" "${signed_uki}"
+  printf "\e[95m🧪 Creating signed UKI: '%s'. \e[0m\n" "${signed_uki}"
  ukify "${ukify_args[@]}" \
    --secureboot-private-key="${secureboot_key}" \
    --secureboot-certificate="${secureboot_cert}" \
@@ -316,8 +385,8 @@ main() {
    sbverify --cert "${secureboot_cert}" "${signed_uki}"
  } >| "${manifest}" 2>&1

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] UKI inspection and signature verification written to '%s'. \e[0m\n" "${manifest}"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] CISS Secure Boot UKI build completed. \e[0m\n"
+  printf "\e[92m✅ UKI inspection and signature verification written to '%s'. \e[0m\n" "${manifest}"
+  printf "\e[92m✅ CISS Secure Boot UKI build completed. \e[0m\n"

  return 0
 }
@@ -9,10 +9,29 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
+# shellcheck disable=SC2312
 set -Ceuo pipefail

+# Final live-build binary hook for CISS UKI installation. When the ciss-uki Secure Boot profile is active, this hook selects
+# the single signed CISS UKI, rebuilds the FAT EFI boot image with it as EFI/BOOT/BOOTX64.EFI, verifies the installed copy,
+# mirrors it into the ISO EFI tree when available, writes an installation manifest, and refuses private Secure Boot key
+# material in build artifact paths.
+
 declare TMP_DIR=""

+#######################################
+# Removes the temporary EFI image work directory if it is inside the expected Secure Boot output tree.
+# Globals:
+#   PWD
+#   TMP_DIR
+#   VAR_HANDLER_BUILD_DIR
+# Arguments:
+#   None
+# Returns:
+#   0: on success or when no temporary directory exists
+#   42: if the temporary directory is outside the expected cleanup root
+#   non-zero: if removal of the expected temporary directory fails under strict mode
+#######################################
 cleanup() {
  declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"

@@ -22,7 +41,7 @@ cleanup() {
        rm -rf -- "${TMP_DIR}"
        ;;
      *)
-        printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ [FATAL] Refusing to clean unexpected temporary path: '%s'. \e[0m\n" "${TMP_DIR}" >&2
+        printf "\e[91m❌ Refusing to clean unexpected temporary path: '%s'. \e[0m\n" "${TMP_DIR}" >&2
        return 42
        ;;
    esac
@@ -30,14 +49,32 @@ cleanup() {

  return 0
 }
-trap cleanup EXIT

+#######################################
+# Prints a fatal error message and terminates the hook.
+# Globals:
+#   None
+# Arguments:
+#   1: Error message
+# Returns:
+#   42: always exits with failure
+#######################################
 die() {
  declare message="$1"
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ [FATAL] %s \e[0m\n" "${message}" >&2
+  printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
  exit 42
 }

+#######################################
+# Checks whether a required command exists.
+# Globals:
+#   None
+# Arguments:
+#   1: Command name
+# Returns:
+#   0: on success
+#   42: if the command is missing
+#######################################
 require_command() {
  declare command_name="$1"

@@ -46,6 +83,17 @@ require_command() {
  return 0
 }

+#######################################
+# Checks whether a required file exists.
+# Globals:
+#   None
+# Arguments:
+#   1: File path
+#   2: Human-readable file description
+# Returns:
+#   0: on success
+#   42: if the file is missing
+#######################################
 require_file() {
  declare file_path="$1"
  declare description="$2"
@@ -55,6 +103,17 @@ require_file() {
  return 0
 }

+#######################################
+# Selects the single signed CISS UKI generated by the CISS UKI build hook.
+# Globals:
+#   None
+# Arguments:
+#   1: CISS UKI output directory
+#   2: Output variable name for the selected signed UKI path
+# Returns:
+#   0: on success
+#   42: if the UKI directory is missing or does not contain exactly one signed UKI
+#######################################
 select_signed_uki() {
  declare uki_dir="$1"
  declare output_var="$2"
@@ -73,6 +132,16 @@ select_signed_uki() {
  return 0
 }

+#######################################
+# Refuses private Secure Boot key material in generated artifact paths.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   42: if a private Secure Boot key is found below a guarded path
+#######################################
 guard_private_key_leaks() {
  declare -a guard_roots=(binary chroot config/includes.binary config/includes.chroot config/includes.installer)
  declare guard_root=""
@@ -93,6 +162,17 @@ guard_private_key_leaks() {
  return 0
 }

+#######################################
+# Mirrors the signed UKI into the ISO EFI tree as the removable-media bootloader when that tree exists.
+# Globals:
+#   None
+# Arguments:
+#   1: Signed UKI path
+#   2: Output variable name for the ISO EFI tree BOOTX64 path, or an empty value when no tree exists
+# Returns:
+#   0: on success, including when no ISO EFI tree exists
+#   non-zero: if directory creation or file installation fails under strict mode
+#######################################
 install_iso_tree_bootx64() {
  declare signed_uki="$1"
  declare output_var="$2"
@@ -109,9 +189,9 @@ install_iso_tree_bootx64() {

  if [[ -n "${iso_tree_bootx64}" ]]; then
    install -m 0644 "${signed_uki}" "${iso_tree_bootx64}"
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Mirrored signed UKI into ISO EFI tree: '%s'. \e[0m\n" "${iso_tree_bootx64}"
+    printf "\e[92m✅ Mirrored signed UKI into ISO EFI tree: '%s'. \e[0m\n" "${iso_tree_bootx64}"
  else
-    printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ [WARN] No binary/EFI tree found; only EFI boot image was updated. \e[0m\n"
+    printf "\e[93m❌ No binary/EFI tree found; only EFI boot image was updated. \e[0m\n"
  fi

  printf -v "${output_var}" "%s" "${iso_tree_bootx64}"
@@ -119,6 +199,24 @@ install_iso_tree_bootx64() {
  return 0
 }

+#######################################
+# Installs the signed CISS UKI into the EFI boot image for the ciss-uki Secure Boot profile.
+# Globals:
+#   PWD
+#   SOURCE_DATE_EPOCH
+#   TMP_DIR
+#   VAR_CISS_SECUREBOOT_DIR
+#   VAR_CISS_SECUREBOOT_EFI_CERT
+#   VAR_CISS_SECUREBOOT_PROFILE
+#   VAR_HANDLER_BUILD_DIR
+#   VAR_WORKDIR
+# Arguments:
+#   None
+# Returns:
+#   0: on success or when the active Secure Boot profile does not require CISS UKI installation
+#   42: on explicit validation, comparison, or signature verification failure
+#   non-zero: if an external tool, installation command, or manifest write fails under strict mode
+#######################################
 main() {
  declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-debian-shim}"
  declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
@@ -142,11 +240,11 @@ main() {
  declare volid=""

  if [[ "${profile}" != "ciss-uki" ]]; then
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Secure Boot profile '%s'; skipping CISS UKI EFI installation. \e[0m\n" "${profile}"
+    printf "\e[92m✅ Secure Boot profile '%s'; skipping CISS UKI EFI installation. \e[0m\n" "${profile}"
    return 0
  fi

-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Installing CISS signed UKI into EFI boot image ... \e[0m\n"
+  printf "\e[95m🧪 Installing CISS signed UKI into EFI boot image ... \e[0m\n"

  cd "${build_dir}"

@@ -191,7 +289,7 @@ main() {
  fi
  printf -v volid "%08x" "$((source_epoch % 4294967296))"

-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] Rebuilding EFI boot image with signed UKI as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
+  printf "\e[95m🧪 Rebuilding EFI boot image with signed UKI as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
  mkfs.msdos -C "${tmp_img}" "${blocks}" -i "${volid}" >/dev/null
  mmd -i "${tmp_img}" "::EFI"
  mmd -i "${tmp_img}" "::EFI/BOOT"
@@ -237,12 +335,13 @@ main() {
    sbverify --cert "${secureboot_cert}" "${extracted_uki}"
  } >| "${manifest}" 2>&1

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] EFI image installation verification written to '%s'. \e[0m\n" "${manifest}"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ [INFO] CISS signed UKI installed as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
+  printf "\e[92m✅ EFI image installation verification written to '%s'. \e[0m\n" "${manifest}"
+  printf "\e[92m✅ CISS signed UKI installed as EFI/BOOT/BOOTX64.EFI. \e[0m\n"

  return 0
 }

 main "$@"
+cleanup
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06

 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06

 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.008.2026.06.04
+# Version Master V9.14.016.2026.06.06

 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -gr VERSION="Master V9.14.008.2026.06.04"
+declare -gr VERSION="Master V9.14.016.2026.06.06"

 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh

 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V9.14.008.2026.06.04 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.016.2026.06.06 at: 10:18:37.9542
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. DNSSEC Status

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. Haveged Audit on Netcup RS 2000 G11

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. Lynis Audit:

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. SSH Audit by ssh-audit.com

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. TLS Audit:
 ````text
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. Hardened Kernel Boot Parameters

@@ -8,12 +8,19 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. Changelog

+## V9.14.016.2026.06.06
+* **Changed**: [zzzz_ciss_uki_build.hook.binary](../config/hooks/live/zzzz_ciss_uki_build.hook.binary)
+* **Changed**: [zzzz_ciss_uki_install.hook.binary](../config/hooks/live/zzzz_ciss_uki_install.hook.binary)
+* **Changed**: [lib_secureboot_profile.sh](../lib/lib_secureboot_profile.sh)
+
 ## V9.14.008.2026.06.04
-tba
+* **Added**: [zzzz_ciss_uki_build.hook.binary](../config/hooks/live/zzzz_ciss_uki_build.hook.binary)
+* **Added**: [zzzz_ciss_uki_install.hook.binary](../config/hooks/live/zzzz_ciss_uki_install.hook.binary)
+* **Added**: [lib_secureboot_profile.sh](../lib/lib_secureboot_profile.sh)

 ## V9.14.004.2026.05.17
 * **Added**: [AGENTS.md](../AGENTS.md)
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. Centurion Net - Developer Branch Overview

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. Contributing / participating

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. Credits

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)

 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V9.14.008.2026.06.04
+Master V9.14.016.2026.06.06
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2026
@@ -168,7 +168,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/

-                        V9.14.008.2026.06.04                        2026-05-17                         CDLB(1)
+                        V9.14.016.2026.06.06                        2026-05-17                         CDLB(1)
 ````

 # 3. Booting
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. Resources

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. ``30-ciss-hardening.conf``

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. ``90-ciss-local.hardened``

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.008.2026.06.04<br>
+**Build**: V9.14.016.2026.06.06<br>

 # 2. ``ciss_live_builder.sh``

@@ -238,45 +238,6 @@ arg_parser() {
          fi
          ;;

-        --sops-version)
-          if [[ -n "${2-}" ]]; then
-            declare sops_version="${2#v}"
-            if [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-              # shellcheck disable=SC2034
-              declare -gx VAR_SOPS_VERSION="${sops_version}"
-              shift 2
-            else
-              if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
-              printf "\e[91m❌ ERROR: --sops-version MUST match '<MAJOR>.<MINOR>.<PATCH>' or 'v<MAJOR>.<MINOR>.<PATCH>'.\e[0m\n" >&2
-              read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
-              # shellcheck disable=SC2154
-              exit "${ERR__SOPS__VER}"
-            fi
-          else
-            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
-            printf "\e[91m❌ ERROR: --sops-version MUST be provided with a semantic version.\e[0m\n" >&2
-            read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
-            # shellcheck disable=SC2154
-            exit "${ERR__SOPS__VER}"
-          fi
-          ;;
-
-        --sops-version=*)
-          declare sops_version="${1#*=}"
-          sops_version="${sops_version#v}"
-          if [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            # shellcheck disable=SC2034
-            declare -gx VAR_SOPS_VERSION="${sops_version}"
-            shift 1
-          else
-            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
-            printf "\e[91m❌ ERROR: --sops-version MUST match '<MAJOR>.<MINOR>.<PATCH>' or 'v<MAJOR>.<MINOR>.<PATCH>'.\e[0m\n" >&2
-            read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
-            # shellcheck disable=SC2154
-            exit "${ERR__SOPS__VER}"
-          fi
-          ;;
-
        --jump-host)
          if [[ -n "${2-}" && "${2}" != -* ]]; then
            declare -i count=0
@@ -571,6 +532,45 @@ arg_parser() {
          shift 1
          ;;

+        --sops-version)
+          if [[ -n "${2-}" ]]; then
+            declare sops_version="${2#v}"
+            if [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+              # shellcheck disable=SC2034
+              declare -gx VAR_SOPS_VERSION="${sops_version}"
+              shift 2
+            else
+              if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+              printf "\e[91m❌ ERROR: --sops-version MUST match '<MAJOR>.<MINOR>.<PATCH>' or 'v<MAJOR>.<MINOR>.<PATCH>'.\e[0m\n" >&2
+              read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+              # shellcheck disable=SC2154
+              exit "${ERR__SOPS__VER}"
+            fi
+          else
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ ERROR: --sops-version MUST be provided with a semantic version.\e[0m\n" >&2
+            read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            # shellcheck disable=SC2154
+            exit "${ERR__SOPS__VER}"
+          fi
+          ;;
+
+        --sops-version=*)
+          declare sops_version="${1#*=}"
+          sops_version="${sops_version#v}"
+          if [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            # shellcheck disable=SC2034
+            declare -gx VAR_SOPS_VERSION="${sops_version}"
+            shift 1
+          else
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ ERROR: --sops-version MUST match '<MAJOR>.<MINOR>.<PATCH>' or 'v<MAJOR>.<MINOR>.<PATCH>'.\e[0m\n" >&2
+            read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            # shellcheck disable=SC2154
+            exit "${ERR__SOPS__VER}"
+          fi
+          ;;
+
        --ssh-port)
          if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then

@@ -27,7 +27,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 arg_priority_check() {
  declare var=""

-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  ### Check if nice PRIORITY is set and adjust nice priority.
  if [[ "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then
@@ -36,11 +36,11 @@ arg_priority_check() {

      renice "${VAR_HANDLER_PRIORITY}" -p "$$"
      var=$(ps -o ni= -p $$) > /dev/null 2>&1
-      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}"
+      printf "\e[92m✅ New renice value: %s\e[0m\n" "${var}"

    else

-      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ renice not installed (util-linux) \e[0m\n"
+      printf "\e[93m❌ renice not installed (util-linux) \e[0m\n"

    fi

@@ -53,17 +53,17 @@ arg_priority_check() {

      ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
      var=$(ionice -p $$) > /dev/null 2>&1
-      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}"
+      printf "\e[92m✅ New ionice value: %s\e[0m\n" "${var}"

    else

-      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ionice not installed (util-linux) \e[0m\n"
+      printf "\e[93m❌ ionice not installed (util-linux) \e[0m\n"

    fi

  fi

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
 }
@@ -26,7 +26,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   0: on success
 #######################################
 cdi() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then

@@ -67,7 +67,7 @@ EOF

  fi

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
 }
@@ -25,27 +25,27 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   0: on success
 #######################################
 change_splash() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then

-    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'club.png' selected ...\e[0m\n"
+    printf "\e[95m🧪 Grub Splash 'club.png' selected ...\e[0m\n"
    cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
    cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
    cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'club.png' selected done. \e[0m\n"
+    printf "\e[92m✅ Grub Splash 'club.png' selected done. \e[0m\n"

  elif [[ ${VAR_HANDLER_SPLASH} == "hexagon" ]]; then

-    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'hexagon.png' selected ...\e[0m\n"
+    printf "\e[95m🧪 Grub Splash 'hexagon.png' selected ...\e[0m\n"
    cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
    cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
    cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'hexagon.png' selected done. \e[0m\n"
+    printf "\e[92m✅ Grub Splash 'hexagon.png' selected done. \e[0m\n"

  fi

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
 }
@@ -24,13 +24,13 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   0: on success
 #######################################
 check_dhcp() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then
    chmod +x "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh" && "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh"
  fi

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
 }
@@ -23,7 +23,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   0: on success
 #######################################
 x_remove() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  declare _old_nullglob="" _old_dotglob=""

@@ -54,7 +54,7 @@ x_remove() {
  eval "${_old_nullglob}" 2>/dev/null || true
  eval "${_old_dotglob}"  2>/dev/null || true

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
 }
@@ -30,7 +30,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   0: on success
 #######################################
 ciss_signatures() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  declare -ar _ary_target=(
    "/etc/initramfs-tools/files/unlock_wrapper.sh"
@@ -58,7 +58,7 @@ ciss_signatures() {

  done

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
 }
@@ -29,7 +29,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   0: on success
 #######################################
 ciss_upgrades_boot() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/attestation/${VAR_SIGNING_KEY_FPR}.gpg"

@@ -66,7 +66,7 @@ ciss_upgrades_boot() {
  [[ -e "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" ]] && \
    rm -f "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
 }
@@ -23,7 +23,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   0: on success
 #######################################
 ciss_upgrades_build() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  ### CISS 0030-ciss-verify-checksums override. --------------------------------------------------------------------------------
  if [[ -e /usr/lib/live/boot/0030-verify-checksums ]]; then
@@ -66,7 +66,7 @@ ciss_upgrades_build() {
  rm -f /usr/lib/live/build/binary_rootfs
  install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/lib/live/build/binary_rootfs.sh" /usr/lib/live/build/binary_rootfs

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
 }
@@ -35,7 +35,7 @@ copy_db() {

  else

-    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ '%s' NOT successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+    printf "\e[91m❌ '%s' NOT successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  fi
 }
@@ -37,7 +37,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   ERR_GPG__AGENT: on failure
 #######################################
 init_gnupg() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  if [[ "${VAR_SIGNER}" == "true" ]]; then

@@ -47,7 +47,7 @@ init_gnupg() {
    ### Avoid collision with Gitea runner workflows.
    if [[ "${VAR_CDLB_INSIDE_RUNNER}" != "true" ]]; then

-      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔐 VAR_CDLB_INSIDE_RUNNER: [%s] \e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}"
+      printf "\e[93m🔐 VAR_CDLB_INSIDE_RUNNER: [%s] \e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}"

      declare -grx GNUPGHOME="${VAR_WORKDIR}/cdlb_$$_gnupg"

@@ -61,14 +61,14 @@ EOF

      if ! gpgconf --launch gpg-agent 2>&1; then

-        printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed to launch gpg-agent. \e[0m\n"
+        printf "\e[91m❌ Failed to launch gpg-agent. \e[0m\n"
        return "${ERR_GPG__AGENT}"

      fi

    else

-      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔐 VAR_CDLB_INSIDE_RUNNER: [%s] leaving GNUPGHOME untouched.\e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}"
+      printf "\e[93m🔐 VAR_CDLB_INSIDE_RUNNER: [%s] leaving GNUPGHOME untouched.\e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}"

    fi

@@ -89,7 +89,7 @@ EOF

    if ! gpg --batch --yes --pinentry-mode=loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --import "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"; then

-      printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed to import signing key. \e[0m\n"
+      printf "\e[91m❌ Failed to import signing key. \e[0m\n"
      return "${ERR_GPG__AGENT}"

    fi
@@ -105,7 +105,7 @@ EOF

      if ! gpg --batch --import "${VAR_TMP_SECRET}/${VAR_SIGNING_CA}"; then

-        printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed to import CA public key. \e[0m\n"
+        printf "\e[91m❌ Failed to import CA public key. \e[0m\n"
        return "${ERR_GPG__AGENT}"

      fi
@@ -128,7 +128,7 @@ EOF

  fi

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
 }
@@ -24,16 +24,16 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   0: on success
 #######################################
 hardening_root_pw() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  if [[ -z ${VAR_HASHED_PWD} ]]; then

-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
+    printf "\e[92m✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
    return 0

  fi

-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Setup Root Password for Console ... \e[0m\n"
+  printf "\e[95m🧪 Setup Root Password for Console ... \e[0m\n"

  declare cfg_dir="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/live"
  declare dropin_dir="${cfg_dir}/config.conf.d"
@@ -82,9 +82,9 @@ EOF
  #touch "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
  #chmod -x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setup Root Password for Console done. \e[0m\n"
+  printf "\e[92m✅ Setup Root Password for Console done. \e[0m\n"

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
 }
@@ -24,7 +24,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   0: on success
 #######################################
 hardening_ssh_tcp() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
    declare allowed=""
@@ -90,7 +90,7 @@ ALL: ALL
 EOF
  fi

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
 }
@@ -30,13 +30,13 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   0: on success
 #######################################
 hardening_ultra() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  # shellcheck disable=SC2164
  cd "${VAR_WORKDIR}"

  ### ./config/bootloaders -----------------------------------------------------------------------------------------------------
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
+  printf "\e[95m🧪 Copying ./config/bootloaders ... \e[0m\n"

  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then

@@ -49,11 +49,11 @@ hardening_ultra() {

  fi

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"
+  printf "\e[92m✅ Copying ./config/bootloaders done.\e[0m\n"


  ### ./config/includes.binary -------------------------------------------------------------------------------------------------
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
+  printf "\e[95m🧪 Copying ./config/includes.binary ... \e[0m\n"

  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary" ]]; then

@@ -66,11 +66,11 @@ hardening_ultra() {

  fi

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"
+  printf "\e[92m✅ Copying ./config/includes.binary done.\e[0m\n"


  ### ./config/includes.chroot -------------------------------------------------------------------------------------------------
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
+  printf "\e[95m🧪 Copying ./config/includes.chroot ... \e[0m\n"

  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then

@@ -87,13 +87,13 @@ hardening_ultra() {

  fi

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"
+  printf "\e[92m✅ Copying ./config/includes.chroot done.\e[0m\n"


  ### ./config/hooks/early -----------------------------------------------------------------------------------------------------
  if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then

-    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n"
+    printf "\e[95m🧪 Copying ./config/hooks/early ... \e[0m\n"

    if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/early" ]]; then

@@ -106,13 +106,13 @@ hardening_ultra() {

    fi

-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/early done.\e[0m\n"
+    printf "\e[92m✅ Copying ./config/hooks/early done.\e[0m\n"

  fi


  ### ./config/hooks/live ------------------------------------------------------------------------------------------------------
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
+  printf "\e[95m🧪 Copying ./config/hooks/live ... \e[0m\n"

  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then

@@ -125,11 +125,11 @@ hardening_ultra() {

  fi

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
+  printf "\e[92m✅ Copying ./config/hooks/live done.\e[0m\n"


  ### ./config/package-lists ---------------------------------------------------------------------------------------------------
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
+  printf "\e[95m🧪 Copying ./config/package-lists ... \e[0m\n"
  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
    mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
  fi
@@ -145,7 +145,7 @@ hardening_ultra() {
      declare arch_comment="# arm64 specific packages"
      ;;
    *)
-      printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${VAR_ARCHITECTURE}"
+      printf "\e[91m❌ Unsupported architecture '%s'.\e[0m\n" "${VAR_ARCHITECTURE}"
      exit 1
      ;;
  esac
@@ -173,12 +173,12 @@ hardening_ultra() {
    print
    }
    ' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" >| temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
+  printf "\e[92m✅ Copying ./config/package-lists done.\e[0m\n"



  ### Updating SSH Keys, Ports -------------------------------------------------------------------------------------------------
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
+  printf "\e[95m🧪 Updating SSH Keys, Ports ... \e[0m\n"

  ### ./config/includes.chroot/root/.ssh ---------------------------------------------------------------------------------------
  install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
@@ -212,7 +212,7 @@ hardening_ultra() {

    if [[ -z "${line}" ]]; then

-      printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
+      printf "\e[91m❌'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
      exit 1

    fi
@@ -229,13 +229,13 @@ hardening_ultra() {

  fi

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n"
+  printf "\e[92m✅ Updating SSH Keys, Ports done. \e[0m\n"


  ### ./config/includes.chroot/etc/hosts. --------------------------------------------------------------------------------------
  if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then

-    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n"
+    printf "\e[95m🧪 SSH Hardening Ultra ... \e[0m\n"

    mv "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
    mv "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
@@ -243,7 +243,7 @@ hardening_ultra() {
    chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
    chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"

-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n"
+    printf "\e[92m✅ SSH Hardening Ultra done.\e[0m\n"

  fi

@@ -251,7 +251,7 @@ hardening_ultra() {
  ### ./config/hooks/live/9950_hardening_fail2ban.chroot -----------------------------------------------------------------------
  if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then

-    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
+    printf "\e[95m🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"

    # Join array entries with spaces, preserving any newlines
    declare ips="${ARY_HANDLER_JUMPHOST[*]}"
@@ -265,19 +265,19 @@ hardening_ultra() {
    # Perform an in-place replacement of IGNORE_IP_MUST_BE_SET with the cleaned list
    sed -i -E "/^[[:space:]]*ignoreip[[:space:]]*=/ s|IGNORE_IP_MUST_BE_SET|${flat_ips}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"

-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
+    printf "\e[92m✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"

  else

-    printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 No jump hosts configured, removing placeholder ... \e[0m\n"
+    printf "\e[93m🧪 No jump hosts configured, removing placeholder ... \e[0m\n"

    sed -i 's/IGNORE_IP_MUST_BE_SET//g' "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"

-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n"
+    printf "\e[92m✅ Placeholder removed. \e[0m\n"

  fi

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
 }
@@ -27,7 +27,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 lb_build_start() {
  declare -i var_build_rc=""

-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}"
+  printf "\e[95m🔨 Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}"

  # shellcheck disable=SC2164
  cd "${VAR_WORKDIR}"
@@ -23,14 +23,14 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   0: on success
 #######################################
 lb_config_start() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  if [[ ! -d ${VAR_HANDLER_BUILD_DIR} ]]; then

    mkdir -p "${VAR_HANDLER_BUILD_DIR}"
    # shellcheck disable=SC2164
    cd "${VAR_HANDLER_BUILD_DIR}"
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' created. \e[0m\n" "${VAR_HANDLER_BUILD_DIR}"
+    printf "\e[92m✅ '%s' created. \e[0m\n" "${VAR_HANDLER_BUILD_DIR}"

  else

@@ -44,7 +44,7 @@ lb_config_start() {
    # shellcheck disable=SC2164
    cd "${VAR_HANDLER_BUILD_DIR}"

-    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Deleting former config, binary and cache ... \e[0m\n"
+    printf "\e[95m🧪 Deleting former config, binary and cache ... \e[0m\n"

    lb clean --binary --cache --purge --source

@@ -54,11 +54,11 @@ lb_config_start() {

    fi

-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Deleting former config, binary and cache done.\e[0m\n"
+    printf "\e[92m✅ Deleting former config, binary and cache done.\e[0m\n"

  fi

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
 }
@@ -134,7 +134,7 @@ var/lib/initramfs-tools/*-amd64
 EOF
  chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"

-  printf "\e[92m✅ Writing new config done.\e[0m\n"
+  printf "\e[92m✅ Writing new config done. \e[0m\n"
  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
@@ -29,7 +29,7 @@
 #   0: on success
 #######################################
 note_target() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  cat << EOF >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ciss-debian-live-builder.txt"
 ################################################################################
@@ -77,7 +77,7 @@ export CDLB_SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH}"
 EOF
  chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ciss-debian-live-builder.env"

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
 }
@@ -253,4 +253,5 @@ normalize_ssh_keys_in_dir() {
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f normalize_ssh_keys_in_dir
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -27,7 +27,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 provider_netcup() {
  if "${VAR_HANDLER_NETCUP_IPV6}"; then

-    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+    printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

    declare handler_netcup_ipv6_string="${ARY_HANDLER_NETCUP_IPV6[*]}"

@@ -79,7 +79,7 @@ UseHostname=no
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+    printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  fi

@@ -107,11 +107,12 @@ run_analysis() {
  printf "\e[97m🔐 SHA256SUM         : %s \e[0m\n" "${sha_sum}"
  printf "\e[92m----------------------------------------------------------------------------------------\e[0m\n"
  printf "\e[97m📅 Analysis Time     : %s \e[0m\n" "${time}"
-  printf "\e[92m✅ Analysis completed.\e[0m\n"
+  printf "\e[92m✅ Analysis completed.    \e[0m\n"

  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f run_analysis
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -142,4 +142,5 @@ sanitize_shell_literal() {
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f sanitize_shell_literal
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -9,7 +9,6 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# shellcheck disable=SC2154,SC2312

 guard_sourcing || return "${ERR_GUARD_SRCE}"

@@ -41,6 +40,7 @@ secureboot_profile_guard_private_keys() {
      continue
    fi

+    # shellcheck disable=SC2312
    while IFS= read -r -d '' private_file; do

      printf "\e[91m❌ Refusing private Secure Boot key inside build artifact path: '%s'. \e[0m\n" "${private_file}" >&2
@@ -74,8 +74,8 @@ readonly -f secureboot_profile_guard_private_keys
 secureboot_profile_apply() {
  declare profile="${VAR_CISS_SECUREBOOT_PROFILE,,}"
  declare hooks_dir="${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
-  declare build_uki_hook="${hooks_dir}/zzzz_ciss_build_uki.hook.binary"
-  declare install_uki_hook="${hooks_dir}/9910-ciss-install-uki-into-efi-img.hook.binary"
+  declare build_uki_hook="${hooks_dir}/zzzz_ciss_uki_build.hook.binary"
+  declare install_uki_hook="${hooks_dir}/zzzz_ciss_uki_install.hook.binary"
  declare secureboot_dir="${VAR_WORKDIR}/ciss.secureboot"
  declare secureboot_key="${secureboot_dir}/private/ciss-efi-image.key"
  declare secureboot_cert="${secureboot_dir}/public/ciss-efi-image.crt"
@@ -141,4 +141,5 @@ secureboot_profile_apply() {
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f secureboot_profile_apply
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -22,7 +22,7 @@
 #   0: on success
 #######################################
 update_microcode() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  if [[ "${VAR_ARCHITECTURE,,}" == "amd64" ]]; then

@@ -33,7 +33,7 @@ EOF

  fi

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
 }
@@ -39,13 +39,13 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V9.14.008.2026.06.04                        2026-06-04                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V9.14.016.2026.06.06                        2026-06-04                         CDLB(1)" "${var_cols}")

  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V9.14.008.2026.06.04\e[0m"
+    echo -e "\e[92mMaster V9.14.016.2026.06.06\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
@@ -101,14 +101,6 @@ usage() {
    echo "    <./upgrades/dropbear/dropbear-<STRING>.tar.bz2>"
    echo "    If omitted defaults to VAR_DROPBEAR_VERSION from <./var/global.var.sh>."
    echo
-    echo -e "\e[97m  --sops-version <STRING> \e[0m"
-    echo "    Selects the upstream SOPS release version used for the SOPS binary installed into the Live System."
-    echo "    The value MUST be a semantic version such as '3.13.1'. A leading 'v' is accepted and normalized."
-    echo "    The expected amd64 upstream asset is:"
-    echo "    <https://github.com/getsops/sops/releases/download/v<STRING>/sops-v<STRING>.linux.amd64>"
-    echo "    SOPS checksums are verified with Cosign using either Sigstore bundle mode or legacy split certificate/signature mode."
-    echo "    If omitted defaults to VAR_SOPS_VERSION from <./var/global.var.sh>."
-    echo
    echo -e "\e[97m  --jump-host <IP | IP | ... > \e[0m"
    echo "    Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6 "
    echo "    addresses and / or CCDIR notation. If provided, than it MUST be a <SPACE> separated list."
@@ -171,6 +163,14 @@ usage() {
    echo "    Change '*' to your desired files / fingerprint. Files MUST be placed in:"
    echo "    </dev/shm/cdlb_secrets>"
    echo
+    echo -e "\e[97m  --sops-version <STRING> \e[0m"
+    echo "    Selects the upstream SOPS release version used for the SOPS binary installed into the Live System."
+    echo "    The value MUST be a semantic version such as '3.13.1'. A leading 'v' is accepted and normalized."
+    echo "    The expected amd64 upstream asset is:"
+    echo "    <https://github.com/getsops/sops/releases/download/v<STRING>/sops-v<STRING>.linux.amd64>"
+    echo "    SOPS checksums are verified with Cosign using either Sigstore bundle mode or legacy split certificate/signature mode."
+    echo "    If omitted defaults to VAR_SOPS_VERSION from <./var/global.var.sh>."
+    echo
    echo -e "\e[97m  --sshfp \e[0m"
    echo "    Desired SSH id-files that should be incorporated in '/root/.ssh/id*'."
    echo "    Desired SSH host-files that should be incorporated in '/etc/ssh/ssh_host_*'."
@@ -62,7 +62,7 @@ UseNTP=no
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' successfully applied. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -45,7 +45,7 @@ fi
 EOF
 chmod +x "${HANDLER_BUILD_DIR}"/config/includes.binary/hooks/live-bottom/10-set-resolvconf

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' successfully applied. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -130,7 +130,7 @@ main() {
  touch "${var_log}"


-  printf "CISS.debian.installer Master V9.14.008.2026.06.04 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V9.14.016.2026.06.06 is up! \n" >> "${var_log}"

  ### Sleep a moment to settle boot artifacts.
  sleep 8
@@ -209,7 +209,7 @@ main() {

  ### Timeout reached without acceptable semaphore.
  logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V9.14.008.2026.06.04: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V9.14.016.2026.06.06: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"

  exit 0
 }
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V9.14.008.2026.06.04"
+declare -grx VAR_VERSION="Master V9.14.016.2026.06.06"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4