V8.13.296.2025.10.29

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-29 18:57:45 +01:00
parent 262a8d471c
commit edd23e5be5
29 changed files with 57 additions and 28 deletions
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 build:
-  counter: 1023
+  counter: 1024
  version: V8.13.296.2025.10.29
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/config/hooks/live/0000_basic_chroot_setup.chroot
+++ b/config/hooks/live/0000_basic_chroot_setup.chroot
@@ -196,7 +196,7 @@ generate_ciss_xdg_sh
 generate_ciss_xdg_tmp_sh
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get update -qq
 apt-get install -y --no-install-suggests libpam-systemd
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -54,7 +54,7 @@ grep_nic_driver_modules() {
 }
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y intel-microcode amd64-microcode
 # shellcheck disable=SC2155
--- a/config/hooks/live/0007_update_logrotate.chroot
+++ b/config/hooks/live/0007_update_logrotate.chroot
@@ -14,7 +14,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 rm -f         "/etc/logrotate.conf"
 cat << EOF >| "/etc/logrotate.conf"
--- a/config/hooks/live/0010_install_apparmor.chroot
+++ b/config/hooks/live/0010_install_apparmor.chroot
@@ -14,7 +14,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
 install -d /etc/systemd/system/apparmor.service.d
--- a/config/hooks/live/0080_keyboard_layout.chroot
+++ b/config/hooks/live/0080_keyboard_layout.chroot
@@ -22,7 +22,7 @@ BACKSPACE="guess"
 EOF
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 dpkg-reconfigure -f noninteractive keyboard-configuration
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
--- a/config/hooks/live/0090_jitterentropy.chroot
+++ b/config/hooks/live/0090_jitterentropy.chroot
@@ -14,7 +14,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y --no-install-recommends jitterentropy-rngd
 cd /root
--- a/config/hooks/live/0400_eza_install.chroot
+++ b/config/hooks/live/0400_eza_install.chroot
@@ -24,7 +24,7 @@ echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable
 chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get update -qq
 apt-get install -y eza
--- a/config/hooks/live/0800_lynis_setup.chroot
+++ b/config/hooks/live/0800_lynis_setup.chroot
@@ -17,7 +17,7 @@ curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --d
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get update -qq
 apt-get install -y lynis
 lynis show version
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -16,7 +16,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 mkdir -p /var/log/chrony
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 export TZ="Etc/UTC"
 apt-get install -y adjtimex chrony tzdata
--- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
+++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
@@ -14,7 +14,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
 apt-get install -y nodejs
--- a/config/hooks/live/0860_sops.chroot
+++ b/config/hooks/live/0860_sops.chroot
@@ -14,7 +14,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 SOPS_VER="v3.11.0"
 ARCH="$(dpkg --print-architecture)"
--- a/config/hooks/live/0865_yq.chroot
+++ b/config/hooks/live/0865_yq.chroot
@@ -14,7 +14,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/local/bin/yq && chmod +x /usr/local/bin/yq
--- a/config/hooks/live/9900_process_accounting.chroot
+++ b/config/hooks/live/9900_process_accounting.chroot
@@ -14,7 +14,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y acct
 if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then
--- a/config/hooks/live/9970_remove_exim.chroot
+++ b/config/hooks/live/9970_remove_exim.chroot
@@ -14,7 +14,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 cd /etc
--- a/config/hooks/live/9980_usb_guard.chroot
+++ b/config/hooks/live/9980_usb_guard.chroot
@@ -14,7 +14,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y usbguard
 ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
--- a/config/hooks/live/9990_final_purge.chroot
+++ b/config/hooks/live/9990_final_purge.chroot
@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get update -qq
--- a/config/hooks/live/9993_aide.chroot
+++ b/config/hooks/live/9993_aide.chroot
@@ -14,7 +14,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y aide > /dev/null 2>&1
 cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -26,7 +26,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 cd /root
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y auditd
 cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
--- a/config/hooks/live/9997_debsums.chroot
+++ b/config/hooks/live/9997_debsums.chroot
@@ -16,7 +16,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 cd /root
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y --no-install-recommends debsums
 cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
--- a/config/hooks/live/9998_sources_list_trixie.chroot
+++ b/config/hooks/live/9998_sources_list_trixie.chroot
@@ -14,7 +14,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
--- a/config/hooks/live/9999_yyyy_logrotate.chroot
+++ b/config/hooks/live/9999_yyyy_logrotate.chroot
@@ -34,7 +34,7 @@ declare -ar ary_logrotate=(
 declare     var_file="" var_log=""
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive"
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 for var_log in "${ary_logrotate[@]}"; do
--- a/config/includes.chroot/etc/ciss/keys/0x8733B021_public.asc
+++ b/config/includes.chroot/etc/ciss/keys/0x8733B021_public.asc
@@ -0,0 +1,18 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mDMEaDcItBYJKwYBBAHaRw8BAQdAFyGLpFASTiK4vBgycV2wjb3ZaNqhjZ33E1ir
 MiU98Fu0LE1hcmMgUy4gV2VpZG5lciBCT1QgPG1zdytib3RAY29yZXNlY3JldC5k
 ZXY+iJkEExYIAEEWIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaDcItAIbAwUJCKVq
 fAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRA85KY4hzOwIVOoAQD9WXoh
 Isjs4q7RCAtCXXWO4y4p8Dmn1AjCRN07vBYskQEAu/LjJYpjC553SnLPEN2PjZBt
 pNkwp/fMg2oigxRkygyI1AUQFggAVCIhBW/TwxZOreRiASSn6MzNd4l1ywe1QKfL
 3kbW7jRInWnCBQJoNwjMBYMIpYaAJBSAAAAAAA0ADnJlbUBnbnVwZy5vcmdDZW50
 dXJpb24sQ0lDQQAA3TABxjNpYGUWhvt6x3h688F1KJfeWrrMetflFZBA3UzoIAAg
 SltgMYRnCzpZFGnQILKgj9jyakwckxFLAAHHY/I0Fxmc5ujfkGScUhUKPhruVT2x
 w4aHogEuE9Ebu94JuvBQX3+RlHjG+47qG7bmAT81E47Hih0AuDgEaDcItBIKKwYB
 BAGXVQEFAQEHQOKAnInWn3Wy1fUJJD7bycrXEx6SoLejW5/0jGIG2VdGAwEIB4h+
 BBgWCAAmFiEEqmJzzDShs+vWn8hwPOSmOIczsCEFAmg3CLQCGwwFCQilanwACgkQ
 POSmOIczsCHztAEA2AWCPQ8V8hNdEBvYHwRye8Q9FJO7IyciwwpjH1nOBLMBAJS2
 OSrjMYBFaumow950s7T2d7BEpnxJBtCwfuF+RwgI
 =QwhF
 -----END PGP PUBLIC KEY BLOCK-----
--- a/config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg
+++ b/config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg
--- a/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.asc
+++ b/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.asc
@@ -0,0 +1,13 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mDMEaCxYpRYJKwYBBAHaRw8BAQdAr9mRwJ44x3qirCRbE+qjgwBDzZLVkKXvC4UI
 AHxvyMK0JE1hcmMgUy4gV2VpZG5lciA8bXN3QGNvcmVzZWNyZXQuZGV2PoiZBBMW
 CABBFiEEh/wgoINpSv+4MwEbhAKZkeYuhPgFAmgsWKUCGwMFCQiwGosFCwkIBwIC
 IgIGFQoJCAsCBBYCAwECHgcCF4AACgkQhAKZkeYuhPhWnQEAulGegHfBva0ezN5/
 VVqLqDVTe+etr3crCcxKpj8gg7wA/3OfkCvgPht18OoIQbR1IA7jDBSOKvY8OfcR
 1632dZIIuDgEaCxYpRIKKwYBBAGXVQEFAQEHQP34OGSMdCMM8Ku/QY7NC81xbL0h
 kOFdDGlKlA865+kpAwEIB4h+BBgWCAAmFiEEh/wgoINpSv+4MwEbhAKZkeYuhPgF
 AmgsWKUCGwwFCQiwGosACgkQhAKZkeYuhPhnjgD+IHh9XhE+s3VB3ItDIgtT9gTA
 S8ET80dQcFmFGYfjs/oBALmXXxceE+aSd2VO6dumqhtzWCGE7S52/50hxRgLsi8G
 =C3ox
 -----END PGP PUBLIC KEY BLOCK-----
--- a/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg
+++ b/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg
--- a/config/package-lists/live.list.common.chroot
+++ b/config/package-lists/live.list.common.chroot
@@ -35,7 +35,6 @@ console-setup
 cosign
 cpuid
 cryptsetup
 cryptsetup-initramfs
 cryptsetup-nuke-password
 curl
 debconf
@@ -53,7 +52,6 @@ dmsetup
 dnsviz
 dosfstools
 dpkg-dev
 dropbear-initramfs
 e2fsprogs
 efibootmgr
 expect
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -14,7 +14,7 @@ include_toc: true
 ## V8.13.296.2025.10.29
 * **Changed**: ``lockdown=confidentiality`` -> ``lockdown=integrity``
-* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - clamav, clamav-daemon // + cryptsetup-initramfs, dropbear-initramfs
+* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - clamav, clamav-daemon
 * **Removed**: [9985_clamav.chroot](../.archive/9985_clamav.chroot)
 ## V8.13.294.2025.10.28
--- a/lib/lib_lb_config_write_trixie.sh
+++ b/lib/lib_lb_config_write_trixie.sh
@@ -116,9 +116,9 @@ lb_config_write_trixie() {
  ### Installing PGP Public Keys for signature verification.
-  mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
+  #mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
-  install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg"
+  #install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg"
-  install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg"
+  #install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg"
  #### Installing PGP Private Deploy Key for signature creation
  #mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/private_keys"