msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V9.14.008.2026.06.04
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2026-06-04 18:19:09 +01:00
parent c80b45417f
commit ec3aca7fc8
119 changed files with 931 additions and 392 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/DOCUMENTATION.md
+21 -5
View File
@@ -8,18 +8,18 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.004.2026.05.17<br>
**Build**: V9.14.008.2026.06.04<br>
# 2.1. Usage
````text
CDLB(1) CISS.debian.live.builder CDLB(1)
CISS.debian.live.builder from https://git.coresecret.dev/msw
Master V9.14.004.2026.05.17
Master V9.14.008.2026.06.04
A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2024 - 2025
(c) Marc S. Weidner, 2018 - 2026
(p) Centurion Press, 2024 - 2026
./ciss_live_builder.sh <option>, where <option> is one or more of:
@@ -71,6 +71,14 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
<./upgrades/dropbear/dropbear-<STRING>.tar.bz2>
If omitted defaults to VAR_DROPBEAR_VERSION from <./var/global.var.sh>.
--sops-version <STRING>
Selects the upstream SOPS release version used for the SOPS binary installed into the Live System.
The value MUST be a semantic version such as '3.13.1'. A leading 'v' is accepted and normalized.
The expected amd64 upstream asset is:
<https://github.com/getsops/sops/releases/download/v<STRING>/sops-v<STRING>.linux.amd64>
SOPS checksums are verified with Cosign using either Sigstore bundle mode or legacy split certificate/signature mode.
If omitted defaults to VAR_SOPS_VERSION from <./var/global.var.sh>.
--jump-host <IP | IP | ... >
Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6
addresses and / or CCDIR notation. If provided, than it MUST be a <SPACE> separated list.
@@ -117,6 +125,14 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
MUST be placed in:
</dev/shm/cdlb_secrets/password.txt>
--secure-boot-profile <STRING> one of <debian-shim | ciss-uki>
Selects the UEFI Secure Boot profile. Defaults to 'debian-shim'.
'debian-shim' keeps the Microsoft-signed Debian shim and signed GRUB path.
'ciss-uki' builds a CISS-signed UKI and installs it as 'EFI/BOOT/BOOTX64.EFI'.
The 'ciss-uki' profile requires:
<./ciss.secureboot/private/ciss-efi-image.key>
<./ciss.secureboot/public/ciss-efi-image.crt>
--signing_key=* and --signing_key_fpr=*. Optional: --signing_key_pass=* --signing_ca=*
The GPG private keyring that should be used for signing artifacts such as checksum hashes and scripts is
specified via '--signing_key=*'. If the keyring is protected, then provide the passphrase in its own file.
@@ -152,7 +168,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
💷 Please consider donating to my work at:
🌐 https://coresecret.eu/spenden/
V9.14.004.2026.05.17 2025-11-06 CDLB(1)
V9.14.008.2026.06.04 2026-05-17 CDLB(1)
````
# 3. Booting