V9.14.008.2026.06.04

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-04 18:19:09 +01:00
parent c80b45417f
commit ec3aca7fc8
119 changed files with 931 additions and 392 deletions
+18 -2
@@ -39,13 +39,13 @@ usage() {
# shellcheck disable=SC2155
declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}")
# shellcheck disable=SC2155
declare var_footer=$(center "V9.14.004.2026.05.17 2026-05-13 CDLB(1)" "${var_cols}")
declare var_footer=$(center "V9.14.008.2026.06.04 2026-06-04 CDLB(1)" "${var_cols}")
{
echo -e "\e[1;97m${var_header}\e[0m"
echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
echo -e "\e[92mMaster V9.14.004.2026.05.17\e[0m"
echo -e "\e[92mMaster V9.14.008.2026.06.04\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
@@ -101,6 +101,14 @@ usage() {
echo " <./upgrades/dropbear/dropbear-<STRING>.tar.bz2>"
echo " If omitted defaults to VAR_DROPBEAR_VERSION from <./var/global.var.sh>."
echo
echo -e "\e[97m --sops-version <STRING> \e[0m"
echo " Selects the upstream SOPS release version used for the SOPS binary installed into the Live System."
echo " The value MUST be a semantic version such as '3.13.1'. A leading 'v' is accepted and normalized."
echo " The expected amd64 upstream asset is:"
echo " <https://github.com/getsops/sops/releases/download/v<STRING>/sops-v<STRING>.linux.amd64>"
echo " SOPS checksums are verified with Cosign using either Sigstore bundle mode or legacy split certificate/signature mode."
echo " If omitted defaults to VAR_SOPS_VERSION from <./var/global.var.sh>."
echo
echo -e "\e[97m --jump-host <IP | IP | ... > \e[0m"
echo " Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6 "
echo " addresses and / or CCDIR notation. If provided, than it MUST be a <SPACE> separated list."
@@ -147,6 +155,14 @@ usage() {
echo " MUST be placed in:"
echo " </dev/shm/cdlb_secrets/password.txt>"
echo
echo -e "\e[97m --secure-boot-profile <STRING> one of <debian-shim | ciss-uki> \e[0m"
echo " Selects the UEFI Secure Boot profile. Defaults to 'debian-shim'."
echo " 'debian-shim' keeps the Microsoft-signed Debian shim and signed GRUB path."
echo " 'ciss-uki' builds a CISS-signed UKI and installs it as 'EFI/BOOT/BOOTX64.EFI.'"
echo " The 'ciss-uki' profile requires:"
echo " <./ciss.secureboot/private/ciss-efi-image.key>"
echo " <./ciss.secureboot/public/ciss-efi-image.crt>"
echo
echo -e "\e[97m --signing_key=* and --signing_key_fpr=*. Optional: --signing_key_pass=* --signing_ca=* \e[0m"
echo " The GPG private keyring that should be used for signing artifacts such as checksum hashes and scripts is"
echo " specified via '--signing_key=*'. If the keyring is protected, then provide the passphrase in its own file."
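Review bot: The new `--secure-boot-profile` help in the last hunk names a Secure Boot signing key inside the working tree, `./ciss.secureboot/private/ciss-efi-image.key`, without saying how it must be protected, while the password file in the context lines just above is expected under `/dev/shm/cdlb_secrets/`. Whether that directory is git-ignored and kept out of the built image is not visible here, so the help text should say so, for example with an added line `echo " The private key MUST NOT be committed or copied into the ISO and should be readable by the build user only."`. In the same block the quoted install path has a stray period inside the quotes, `'EFI/BOOT/BOOTX64.EFI.'`, which reads as part of the file name; it should be `'EFI/BOOT/BOOTX64.EFI'.`. usage() starts and ends outside the hunks shown.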