V9.14.008.2026.06.04

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
2026-06-04 18:19:09 +01:00
parent c80b45417f
commit ec3aca7fc8
119 changed files with 931 additions and 392 deletions
+71 -1
@@ -21,6 +21,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# VAR_AGE_KEY
# VAR_ARCHITECTURE
# VAR_BUILD_LOG
# VAR_CISS_SECUREBOOT_PROFILE
# VAR_DROPBEAR_VERSION
# VAR_EARLY_DEBUG
# VAR_GITEA_RUNNER
@@ -44,6 +45,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# VAR_SIGNING_KEY
# VAR_SIGNING_KEY_FPR
# VAR_SIGNING_KEY_PASS
# VAR_SOPS_VERSION
# VAR_SSHFP
# VAR_SSHPORT
# VAR_SSHPUBKEY
@@ -51,7 +53,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# Arguments:
# None
# Returns:
# 0: on success
# ERR_ARG_MSMTCH: on failure
# ERR_ARG_MSMTCH: on failure
# ERR_CONTROL_CT: on failure
# ERR_DROPBEAR_V: on failure
@@ -67,6 +69,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# ERR_RENICE_PRI: on failure
# ERR_RGHT_PWD_F: on failure
# ERR_SPLASH_PNG: on failure
# ERR__SOPS__VER: on failure
# ERR__SSH__PORT: on failure
#######################################
arg_parser() {
@@ -235,6 +238,45 @@ arg_parser() {
fi
;;
--sops-version)
if [[ -n "${2-}" ]]; then
declare sops_version="${2#v}"
if [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
# shellcheck disable=SC2034
declare -gx VAR_SOPS_VERSION="${sops_version}"
shift 2
else
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ ERROR: --sops-version MUST match '<MAJOR>.<MINOR>.<PATCH>' or 'v<MAJOR>.<MINOR>.<PATCH>'.\e[0m\n" >&2
read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
# shellcheck disable=SC2154
exit "${ERR__SOPS__VER}"
fi
else
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ ERROR: --sops-version MUST be provided with a semantic version.\e[0m\n" >&2
read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
# shellcheck disable=SC2154
exit "${ERR__SOPS__VER}"
fi
;;
--sops-version=*)
declare sops_version="${1#*=}"
sops_version="${sops_version#v}"
if [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
# shellcheck disable=SC2034
declare -gx VAR_SOPS_VERSION="${sops_version}"
shift 1
else
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ ERROR: --sops-version MUST match '<MAJOR>.<MINOR>.<PATCH>' or 'v<MAJOR>.<MINOR>.<PATCH>'.\e[0m\n" >&2
read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
# shellcheck disable=SC2154
exit "${ERR__SOPS__VER}"
fi
;;
--jump-host)
if [[ -n "${2-}" && "${2}" != -* ]]; then
declare -i count=0
@@ -475,6 +517,34 @@ arg_parser() {
shift 2
;;
--secure-boot-profile)
if [[ -n "${2-}" && "${2,,}" =~ ^(debian-shim|ciss-uki)$ ]]; then
# shellcheck disable=SC2034
declare -gx VAR_CISS_SECUREBOOT_PROFILE="${2,,}"
shift 2
else
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --secure-boot-profile MUST be 'debian-shim' or 'ciss-uki'. \e[0m\n" >&2
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}"
fi
;;
--secure-boot-profile=*)
declare profile="${1#*=}"
profile="${profile,,}"
if [[ "${profile}" =~ ^(debian-shim|ciss-uki)$ ]]; then
# shellcheck disable=SC2034
declare -gx VAR_CISS_SECUREBOOT_PROFILE="${profile}"
shift 1
else
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --secure-boot-profile MUST be 'debian-shim' or 'ciss-uki'. \e[0m\n" >&2
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}"
fi
;;
--signing_ca=*)
# shellcheck disable=SC2034
declare -gx VAR_SIGNING_CA="${1#*=}"
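Review bot: Both error branches of the new `--secure-boot-profile` cases call `read -p -r $'…'`, which makes the literal string `-r` the prompt and hands the ANSI prompt text to `read` as the variable name, so bash rejects it with "not a valid identifier" and the intended pause before `exit` never happens (the `--sops-version` cases above use the working order). Change both lines to `read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'`. For consistency with the sibling cases the two `exit "${ERR_ARG_MSMTCH}"` lines could also carry `# shellcheck disable=SC2154`, though that is cosmetic. The `case` inside arg_parser continues past the end of this section.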
+5 -8
@@ -13,7 +13,7 @@
guard_sourcing || return "${ERR_GUARD_SRCE}"
#######################################
# Check and apply 0755 Permissions on every '"${VAR_HANDLER_BUILD_DIR}"/./config/hooks/live/*.chroot'-file.
# Check and apply 0755 Permissions on every live-build hook file.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
@@ -25,18 +25,15 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# ERR_UNCRITICAL: on failure
#######################################
x_hooks() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare ifs
ifs=$'\n\t'
printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
shopt -s nullglob
declare -a files=("${VAR_HANDLER_BUILD_DIR}"/config/hooks/live/*.chroot)
declare -a files=("${VAR_HANDLER_BUILD_DIR}"/config/hooks/live/*.chroot "${VAR_HANDLER_BUILD_DIR}"/config/hooks/live/*.hook.binary)
if (( ${#files[@]} == 0 )); then
printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${VAR_WORKDIR}" >&2
printf "\e[91m❌ No live-build hook files found in '%s/config/hooks/live'. \e[0m\n" "${VAR_WORKDIR}" >&2
exit "${ERR_UNCRITICAL}"
fi
@@ -51,7 +48,7 @@ x_hooks() {
shopt -u nullglob
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
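Review bot: The rewritten "no hook files found" message still prints `${VAR_WORKDIR}` while the glob two lines above searches `${VAR_HANDLER_BUILD_DIR}/config/hooks/live`, so on failure the operator is pointed at a directory the function never examined; the header's Globals list names VAR_HANDLER_BUILD_DIR and not VAR_WORKDIR. Change it to `printf "\e[91m❌ No live-build hook files found in '%s/config/hooks/live'. \e[0m\n" "${VAR_HANDLER_BUILD_DIR}" >&2`. While here, the header documents `ERR_UNCRITICAL: on failure` as a return value, but the body `exit`s with it — one of the two should be made to agree. The chmod loop of x_hooks is outside this section.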
+9 -2
@@ -16,6 +16,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# Check for required Deb Packages to run the script.
# Globals:
# BASH_SOURCE
# VAR_CISS_SECUREBOOT_PROFILE
# VAR_HANDLER_AUTOBUILD
# Arguments:
# None
@@ -23,7 +24,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
#######################################
check_pkgs() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
apt-get update -qq > /dev/null 2>&1
@@ -69,7 +70,13 @@ check_pkgs() {
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
if [[ "${VAR_CISS_SECUREBOOT_PROFILE,,}" == "ciss-uki" ]]; then
apt-get install -y --no-install-recommends dosfstools mtools sbsigntool systemd-boot-efi systemd-ukify
fi
printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
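Review bot: The new `apt-get install` for the ciss-uki toolchain is not checked, so if any of sbsigntool/systemd-ukify fails to install the function still prints "successfully applied" and returns 0, and the missing signing tools only surface later when the UKI is built. Fail here instead, e.g. `apt-get install -y --no-install-recommends dosfstools mtools sbsigntool systemd-boot-efi systemd-ukify || { printf "\e[91m❌ ERROR: installing the ciss-uki toolchain failed. \e[0m\n" >&2; return 1; }`, and list that failure code under Returns in the header. I cannot see where VAR_CISS_SECUREBOOT_PROFILE gets its 'debian-shim' default; if the script runs under `set -u` and the variable can be unset, `${VAR_CISS_SECUREBOOT_PROFILE,,}` aborts the build, so reading it via an intermediate `declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-}"` would be safer. The middle of check_pkgs is outside this section.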
+5 -5
@@ -27,8 +27,8 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
#######################################
lb_config_write_trixie() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"
printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
printf "\e[95m🧪 Writing new config ... \e[0m\n"
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
@@ -46,7 +46,7 @@ lb_config_write_trixie() {
--binary-image iso-hybrid \
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootappend-live "boot=live ciss_iso_label=CISS.debian.live ciss_crypt_path=/live/ciss_rootfs.crypt components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
--bootloaders grub-efi \
--bootloaders grub-pc grub-efi \
--cache true \
--checksums sha512 sha384 sha256 \
--chroot-filesystem squashfs \
@@ -134,8 +134,8 @@ var/lib/initramfs-tools/*-amd64
EOF
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
printf "\e[92m✅ Writing new config done.\e[0m\n"
printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
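Review bot: Adding `grub-pc` next to `grub-efi` gives the hybrid ISO a legacy-BIOS boot path, and BIOS firmware performs no signature verification, so on a host booted that way neither the Debian shim nor a 'ciss-uki' signed image is ever evaluated even though the kernel line still asks for `lockdown=integrity`. If BIOS boot is a deliberate compatibility choice it deserves a comment above the `lb config` invocation (which begins outside this hunk), e.g. `# grub-pc adds a legacy-BIOS boot path that bypasses Secure Boot entirely; intended for non-UEFI hosts only.` If it is not deliberate, the single-bootloader line should be restored so the --secure-boot-profile work is not silently undercut.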
+39 -21
@@ -13,13 +13,14 @@
guard_sourcing || return "${ERR_GUARD_SRCE}"
#######################################
# Integrates CISS dropbear and SOPS Age Key and CISS and PhysNet primordial SSH identity files.
# Integrates CISS dropbear, SOPS version, SOPS Age Key, and CISS and PhysNet primordial SSH identity files.
# Globals:
# BASH_SOURCE
# VAR_AGE
# VAR_AGE_KEY
# VAR_DROPBEAR_VERSION
# VAR_HANDLER_BUILD_DIR
# VAR_SOPS_VERSION
# VAR_SSHFP
# VAR_TMP_SECRET
# VAR_WORKDIR
@@ -27,28 +28,40 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# None
# Returns:
# 0: on success
# ERR_DROPBEAR_V: on failure
# ERR__SOPS__VER: on failure
#######################################
init_primordial() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
### Prepare CISS dropbear integration ----------------------------------------------------------------------------------------
declare var_dropbear_version="${VAR_DROPBEAR_VERSION}"
declare var_dropbear_tar="${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
# shellcheck disable=SC2153,SC2154
declare var_sops_version="${VAR_SOPS_VERSION#v}"
if [[ ! "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
printf "\e[91m❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
return "${ERR_DROPBEAR_V}"
fi
if [[ ! -r "${var_dropbear_tar}" ]]; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Dropbear tarball not found: [%s] \e[0m\n" "${var_dropbear_tar}" >&2
printf "\e[91m❌ ERROR: Dropbear tarball not found: [%s] \e[0m\n" "${var_dropbear_tar}" >&2
return "${ERR_DROPBEAR_V}"
fi
if [[ ! "${var_sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
printf "\e[91m❌ ERROR: Invalid SOPS version: [%s] \e[0m\n" "${var_sops_version}" >&2
# shellcheck disable=SC2154
return "${ERR__SOPS__VER}"
fi
install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/files"
install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/build"
install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear"
@@ -57,6 +70,10 @@ init_primordial() {
>| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.env"
chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.env"
printf 'CISS_SOPS_VERSION="%s"\n' "${var_sops_version}" \
>| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/sops.env"
chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/sops.env"
install -m 0444 "${var_dropbear_tar}" \
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
install -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/localoptions.h" \
@@ -88,7 +105,7 @@ init_primordial() {
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
@@ -129,7 +146,7 @@ normalize_ssh_key_file() {
### Remove only '\r', keep everything else as-is.
if ! tr -d '\r' < "${var_key_file}" >| "${var_tmp_file}"; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed to normalize CRLF: [%s] \e[0m\n" "${var_key_file}"
printf "\e[91m❌ Failed to normalize CRLF: [%s] \e[0m\n" "${var_key_file}"
rm -f "${var_tmp_file}"
return "${ERR_SANITIZING}"
@@ -153,7 +170,7 @@ normalize_ssh_key_file() {
### Always: fingerprint check (works for private and public keys).
if ! ssh-keygen -lf "${var_key_file}" >/dev/null; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed check ssh-keygen -lf: [%s] \e[0m\n" "${var_key_file}"
printf "\e[91m❌ Failed check ssh-keygen -lf: [%s] \e[0m\n" "${var_key_file}"
return "${ERR_SANITIZING}"
fi
@@ -163,7 +180,7 @@ normalize_ssh_key_file() {
if ! ssh-keygen -yf "${var_key_file}" >/dev/null; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed check ssh-keygen -yf: [%s] \e[0m\n" "${var_key_file}"
printf "\e[91m❌ Failed check ssh-keygen -yf: [%s] \e[0m\n" "${var_key_file}"
return "${ERR_SANITIZING}"
fi
@@ -194,21 +211,22 @@ readonly -f normalize_ssh_key_file
# ERR_SANITIZING: on failure
#######################################
normalize_ssh_keys_in_dir() {
declare var_key_dir="" var_key_file="" _old_nullglob="" _old_dotglob="" _old_failglob=""
declare var_key_dir="" var_key_file=""
declare -i old_nullglob=0 old_dotglob=0 old_failglob=0
var_key_dir="$1"
### Enable nullglob/dotglob, disable failglob for safe globbing.
_old_nullglob="$(shopt -p nullglob || true)"
_old_dotglob="$( shopt -p dotglob || true)"
_old_failglob="$(shopt -p failglob || true)"
shopt -q nullglob && old_nullglob=1
shopt -q dotglob && old_dotglob=1
shopt -q failglob && old_failglob=1
shopt -s nullglob dotglob
shopt -u failglob
if [[ ! -d "${var_key_dir}" ]]; then
eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_dotglob}" 2>/dev/null || true
eval "${_old_failglob}" 2>/dev/null || true
if (( old_nullglob )); then shopt -s nullglob; else shopt -u nullglob; fi
if (( old_dotglob )); then shopt -s dotglob; else shopt -u dotglob; fi
if (( old_failglob )); then shopt -s failglob; else shopt -u failglob; fi
return 0
fi
@@ -218,17 +236,17 @@ normalize_ssh_keys_in_dir() {
[[ -e "${var_key_file}" ]] || continue
if ! normalize_ssh_key_file "${var_key_file}"; then
eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_dotglob}" 2>/dev/null || true
eval "${_old_failglob}" 2>/dev/null || true
if (( old_nullglob )); then shopt -s nullglob; else shopt -u nullglob; fi
if (( old_dotglob )); then shopt -s dotglob; else shopt -u dotglob; fi
if (( old_failglob )); then shopt -s failglob; else shopt -u failglob; fi
return "${ERR_SANITIZING}"
fi
done
eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_dotglob}" 2>/dev/null || true
eval "${_old_failglob}" 2>/dev/null || true
if (( old_nullglob )); then shopt -s nullglob; else shopt -u nullglob; fi
if (( old_dotglob )); then shopt -s dotglob; else shopt -u dotglob; fi
if (( old_failglob )); then shopt -s failglob; else shopt -u failglob; fi
return 0
}
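Review bot: The three-line shopt restore sequence is now pasted three times in normalize_ssh_keys_in_dir (missing-directory branch, per-file failure branch, success path), so the next glob option anyone snapshots must be restored in three places. The eval-free snapshot is an improvement over the old `shopt -p` strings; keeping it would be easier with a single exit path: record the outcome in `rc`, `break` out of the loop when normalize_ssh_key_file fails, restore once, and `return "${rc}"`. The for-loop header of this function is outside the hunk, so the sketch below keeps it as a placeholder.
```shell
normalize_ssh_keys_in_dir() {
  declare var_key_dir="" var_key_file=""
  declare -i old_nullglob=0 old_dotglob=0 old_failglob=0 rc=0
  var_key_dir="$1"
  # … unchanged: snapshot of nullglob/dotglob/failglob and shopt -s/-u …
  if [[ -d "${var_key_dir}" ]]; then
    # … unchanged: for-loop header over the key files in "${var_key_dir}" …
      [[ -e "${var_key_file}" ]] || continue
      if ! normalize_ssh_key_file "${var_key_file}"; then
        rc="${ERR_SANITIZING}"
        break
      fi
    done
  fi
  # Restore the caller's glob settings exactly once, on every exit path.
  if (( old_nullglob )); then shopt -s nullglob; else shopt -u nullglob; fi
  if (( old_dotglob )); then shopt -s dotglob; else shopt -u dotglob; fi
  if (( old_failglob )); then shopt -s failglob; else shopt -u failglob; fi
  return "${rc}"
}
```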
+18 -2
@@ -39,13 +39,13 @@ usage() {
# shellcheck disable=SC2155
declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}")
# shellcheck disable=SC2155
declare var_footer=$(center "V9.14.004.2026.05.17 2026-05-13 CDLB(1)" "${var_cols}")
declare var_footer=$(center "V9.14.008.2026.06.04 2026-06-04 CDLB(1)" "${var_cols}")
{
echo -e "\e[1;97m${var_header}\e[0m"
echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
echo -e "\e[92mMaster V9.14.004.2026.05.17\e[0m"
echo -e "\e[92mMaster V9.14.008.2026.06.04\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
@@ -101,6 +101,14 @@ usage() {
echo " <./upgrades/dropbear/dropbear-<STRING>.tar.bz2>"
echo " If omitted defaults to VAR_DROPBEAR_VERSION from <./var/global.var.sh>."
echo
echo -e "\e[97m --sops-version <STRING> \e[0m"
echo " Selects the upstream SOPS release version used for the SOPS binary installed into the Live System."
echo " The value MUST be a semantic version such as '3.13.1'. A leading 'v' is accepted and normalized."
echo " The expected amd64 upstream asset is:"
echo " <https://github.com/getsops/sops/releases/download/v<STRING>/sops-v<STRING>.linux.amd64>"
echo " SOPS checksums are verified with Cosign using either Sigstore bundle mode or legacy split certificate/signature mode."
echo " If omitted defaults to VAR_SOPS_VERSION from <./var/global.var.sh>."
echo
echo -e "\e[97m --jump-host <IP | IP | ... > \e[0m"
echo " Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6 "
echo " addresses and / or CCDIR notation. If provided, than it MUST be a <SPACE> separated list."
@@ -147,6 +155,14 @@ usage() {
echo " MUST be placed in:"
echo " </dev/shm/cdlb_secrets/password.txt>"
echo
echo -e "\e[97m --secure-boot-profile <STRING> one of <debian-shim | ciss-uki> \e[0m"
echo " Selects the UEFI Secure Boot profile. Defaults to 'debian-shim'."
echo " 'debian-shim' keeps the Microsoft-signed Debian shim and signed GRUB path."
echo " 'ciss-uki' builds a CISS-signed UKI and installs it as 'EFI/BOOT/BOOTX64.EFI.'"
echo " The 'ciss-uki' profile requires:"
echo " <./ciss.secureboot/private/ciss-efi-image.key>"
echo " <./ciss.secureboot/public/ciss-efi-image.crt>"
echo
echo -e "\e[97m --signing_key=* and --signing_key_fpr=*. Optional: --signing_key_pass=* --signing_ca=* \e[0m"
echo " The GPG private keyring that should be used for signing artifacts such as checksum hashes and scripts is"
echo " specified via '--signing_key=*'. If the keyring is protected, then provide the passphrase in its own file."
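Review bot: The ciss-uki help line puts the sentence-ending period inside the quoted path, `'EFI/BOOT/BOOTX64.EFI.'`, which reads as part of the file name; change it to `echo "    'ciss-uki' builds a CISS-signed UKI and installs it as 'EFI/BOOT/BOOTX64.EFI'."`. This text is also the only place in the commit documenting where the EFI image signing private key is expected (`./ciss.secureboot/private/ciss-efi-image.key`), and I cannot see from this hunk whether that directory is excluded from the build tree or from version control; a sentence such as `echo "    The private key MUST be kept out of version control and out of the ISO build tree."` would make the expectation explicit. The rest of usage() is outside this section.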