V8.13.384.2025.11.06

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-06 19:59:22 +01:00
parent d436346343
commit ef87becefe
93 changed files with 2021 additions and 1229 deletions
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -21,7 +21,7 @@ usage() {
  clear
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.296.2025.10.29\e[0m")
+$(echo -e "\e[92mMaster V8.13.384.2025.11.06\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
--- a/.archive/0002_verify_checksums.chroot
+++ b/.archive/0002_verify_checksums.chroot
@@ -0,0 +1,248 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 target="/usr/lib/live/boot/0030-verify-checksums"
 src="$(mktemp)"
 if [[ ! -d /usr/lib/live/boot ]]; then
  mkdir -p /usr/lib/live/boot
 fi
 cat << 'EOF' >| "${src}"
 #!/bin/sh
 # bashsupport disable=BP5007
 # shellcheck shell=sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: GPL-3.0-or-later
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
 ### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
 #######################################
 # Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
 # Globals:
 #   LIVE_BOOT_CMDLINE
 #   _TTY
 # Arguments:
 #   1: _MOUNTPOINT
 # Returns:
 #   0 : Successful verification
 #######################################
 Verify_checksums() {
  _MOUNTPOINT="${1}"
  _TTY="/dev/tty8"
  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
  LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
    case "${_PARAMETER}" in
      live-boot.verify-checksums=* | verify-checksums=*)
        LIVE_VERIFY_CHECKSUMS="true"
        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
        ;;
      live-boot.verify-checksums | verify-checksums)
        LIVE_VERIFY_CHECKSUMS="true"
        ;;
      live-boot.verify-checksums-signatures | verify-checksums-signatures)
        LIVE_VERIFY_CHECKSUMS_SIGNATURES="true"
        ;;
    esac
  done
  case "${LIVE_VERIFY_CHECKSUMS}" in
    true)
      :
      ;;
    *)
      return 0
      ;;
  esac
  # shellcheck disable=SC2164
  cd "${_MOUNTPOINT}"
  ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
  if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
    log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
    printf "\n"
    CDLB_SCRIPT="$(basename "${0}")"
    CDLB_SHA="sha512"
    CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE=""
    for CDLB_ITEM in ${CDLB_SHA}; do
      CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}"
      CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
      CDLB_CMD="${CDLB_ITEM}sum"
      printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
      if ! gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
        printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}"
        sleep 8
        # TODO: Remove debug mode
        # return 0
      else
        printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}"
      fi
      printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}"
      CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; })
      read -r CDLB_EXPECTED < "${CDLB_HASHFILE}"
      if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
        printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}"
        sleep 8
        # TODO: Remove debug mode
        # return 0
      fi
      printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}"
    done
    printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding."
    log_end_msg
    printf "\n"
  fi
  ### Checksum and checksum signature verification -----------------------------------------------------------------------------
  log_begin_msg "Verifying checksums"
  printf "\n"
  # shellcheck disable=SC2001
  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
    # shellcheck disable=SC2060
    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
    for _CHECKSUM in ${_CHECKSUMS}; do
      if [ -e "${_CHECKSUM}" ]; then
        printf "Found [%s] ...\n" "${_CHECKSUM}"
        if [ -e "/bin/${_DIGEST}sum" ]; then
          if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
            printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
            _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
            gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
            _RETURN_PGP="${?}"
          else
            _RETURN_PGP="na"
          fi
          printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
          # shellcheck disable=SC2312
          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
          _RETURN_SHA="${?}"
          # Stop after the first verification.
          break 2
        else
          printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
        fi
      fi
    done
  done
  log_end_msg
  case "${_RETURN_PGP},${_RETURN_SHA}" in
    0,0)
      log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
      sleep 8
      return 0
      ;;
    na,0)
      log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
      sleep 8
      return 0
      ;;
    *,0)
      panic "Verification of signature file failed while verification of checksum file successful."
      ;;
    na,*)
      panic "Verification of checksum file failed."
      ;;
  esac
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 # Copy and make executable
 install -m 0755 "${src}" "${target}"
 rm -f "${src}"
 unset target src
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9998_sources_list_bookworm.chroot
+++ b/config/hooks/live/9998_sources_list_bookworm.chroot
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.296.2025.10.29
+# Version Master V8.13.384.2025.11.06
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -72,11 +72,11 @@ jobs:
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -87,7 +87,7 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
@@ -242,6 +242,7 @@ jobs:
          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
          rm -f "$OUT"
          echo "Hook removed: $OUT"
          shred -fzu -n 5 /opt/config/authorized_keys
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
@@ -418,7 +419,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_0.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
--- a/.archive/generate_PRIVATE_trixie_1.yaml
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.296.2025.10.29
+# Version Master V8.13.384.2025.11.06
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -35,10 +35,23 @@ jobs:
    container:
      image: debian:trixie
-    steps:
+    defaults:
-      - name: 🛠️ Basic Image Setup.
+      run:
        shell: bash
        working-directory: ${{ github.workspace }}
    steps:
      - name: ⏳ Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
      - name: 🛠️ Basic Image Setup.
        run: |
          set -euo pipefail
          umask 0077
          export DEBIAN_FRONTEND=noninteractive
          apt-get update -qq
          apt-get upgrade -y
@@ -56,27 +69,23 @@ jobs:
            util-linux
      - name: ⚙️ Check GnuPG Version.
        shell: bash
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
-          var_wait=$(( RANDOM % 33 ))
+          umask 0077
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -87,44 +96,40 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-      - name: 🛠️ Cleaning the workspace.
+      - name: ⚙️ Init GNUPGHOME.
        shell: bash
        run: |
-          git reset --hard
+          set -euo pipefail
-          git clean -fd
+          umask 0077
          GNUPGHOME="/dev/shm/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}.${GITHUB_RUN_ATTEMPT}"
          mkdir -p -m 700 "${GNUPGHOME}"
          echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}"
          echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
          gpgconf --reload gpg-agent || true
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
+        env:
          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
          set -euo pipefail
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          umask 0077
-          export GNUPGHOME="$(pwd)/.gnupg"
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
-          mkdir -m 700 "${GNUPGHOME}"
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
          gpg --batch --import centurion-root.PUB.asc
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
@@ -132,15 +137,33 @@ jobs:
          git config gpg.format openpgp
      - name: ⚙️ Preparing the build environment.
        shell: bash
        run: |
          set -euo pipefail
-          mkdir -p /opt/config
+          umask 0077
-          mkdir -p /opt/livebuild
+          mkdir -p /opt/cdlb/secrets
-          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
+          mkdir -p /opt/cdlb/livebuild
-          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
+          install -m 0600 /dev/null /opt/cdlb/secrets/password.txt
-          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
+          install -m 0600 /dev/null /opt/cdlb/secrets/authorized_keys
-          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
+          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key
          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key.pub
          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key
          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key.pub
          install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial
          install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub
          install -m 0600 /dev/null /opt/cdlb/secrets/keys.txt
          install -m 0600 /dev/null /opt/cdlb/secrets/luks.txt
          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}"               >| /opt/cdlb/secrets/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}"        >| /opt/cdlb/secrets/authorized_keys
          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /opt/cdlb/secrets/ssh_host_ed25519_key
          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /opt/cdlb/secrets/ssh_host_ed25519_key.pub
          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /opt/cdlb/secrets/ssh_host_rsa_key
          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /opt/cdlb/secrets/ssh_host_rsa_key.pub
          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial
          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub
          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /opt/cdlb/secrets/keys.txt
          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /opt/cdlb/secrets/luks.txt
      - name: 🔧 Render live hook with secrets.
        shell: bash
@@ -153,6 +176,7 @@ jobs:
          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
          CISS_PHYS_AGE:       ${{ secrets.CISS_PHYS_AGE }}
          MSW_GPG_DEPLOY_BOT:  ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
          set -Ceuo pipefail
          umask 077
@@ -164,6 +188,7 @@ jobs:
          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
          SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot"
          BINARY_CHECKSUMS="${REPO_ROOT}/scripts/usr/lib/live/build/binary_checksums.sh"
          if [[ ! -f "${TPL}" ]]; then
            echo "Template not found: ${TPL}"
@@ -180,6 +205,7 @@ jobs:
          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
          export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}"
          export MSW_GPG_DEPLOY_BOT="${MSW_GPG_DEPLOY_BOT//$'\r'/}"
          (
          cat << EOF >| "${ID_OUT}"
@@ -216,13 +242,21 @@ jobs:
          chmod 0755 "${OUT}"
-          #perl -0777 -i -pe '
+          perl -0777 -i -pe '
-          #  BEGIN {
+            BEGIN {
-          #    our $age = $ENV{CISS_PHYS_AGE} // q{};
+              our $age = $ENV{CISS_PHYS_AGE} // q{};
-          #  }
+            }
-          #  s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g;
+            s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g;
-          #' -- "${SOPS}"
+          ' -- "${SOPS}"
-          #chmod 0755 "${SOPS}"
+          chmod 0755 "${SOPS}"
          perl -0777 -i -pe '
            BEGIN {
              our $deploy = $ENV{MSW_GPG_DEPLOY_BOT} // q{};
            }
            s/\{\{\s*secrets\.MSW_GPG_DEPLOY_BOT\s*\}\}/$deploy/g;
          ' -- "${BINARY_CHECKSUMS}"
          chmod 0755 "${BINARY_CHECKSUMS}"
          echo "Hook rendered: ${OUT}"
@@ -237,19 +271,21 @@ jobs:
          ./ciss_live_builder.sh \
            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
-            --build-directory /opt/livebuild \
+            --build-directory /opt/cdlb/livebuild \
            --cdi \
            --control "${timestamp}" \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
-            --root-password-file /opt/config/password.txt \
+            --root-password-file /opt/cdlb/secrets/password.txt \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
-            --ssh-pubkey /opt/config \
+            --ssh-pubkey /opt/cdlb/secrets \
            --sshfp \
            --trixie
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
          rm -f "$OUT"
          echo "Hook removed: $OUT"
          shred -fzu -n 5 /opt/cdlb/secrets/authorized_keys
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
@@ -297,11 +333,11 @@ jobs:
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
        run: |
          set -euo pipefail
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
@@ -318,11 +354,11 @@ jobs:
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.296.2025.10.29
+# Version Master V8.13.384.2025.11.06
 name: 💙 Generating a PUBLIC Live ISO.
@@ -72,11 +72,11 @@ jobs:
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -87,7 +87,7 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
@@ -146,7 +146,7 @@ jobs:
        shell: bash
        run: |
          set -euo pipefail
-          sed -i '/^hardening_ssh.*/d' ciss_live_builder.sh
+          sed -i '/^hardening_ssh_tcp.*/d' ciss_live_builder.sh
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
@@ -337,7 +337,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PUBLIC_iso.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
--- a/.archive/icon.lib
+++ b/.archive/icon.lib
@@ -17,6 +17,10 @@
 🔑
 ✍️
 🖥️
 ⬆️
 ⏫
 🔼
 🆙
 🔄
 🔁
 🌌
@@ -32,6 +36,7 @@
 🧪
 📩
 📥
 📤
 📦
 📑
 📂
@@ -52,4 +57,7 @@
 ☢️
 ☣️
 •
 ☁️
 📡
 🛡️
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/lib_lb_config_write.sh
+++ b/.archive/lib_lb_config_write.sh
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.296.2025.10.29"
+      placeholder: "e.g., Master V8.13.384.2025.11.06"
    validations:
      required: true
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.296.2025.10.29
+# Version Master V8.13.384.2025.11.06
 FROM debian:bookworm
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.296.2025.10.29
+# Version Master V8.13.384.2025.11.06
 name: 🔁 Render README.md to README.html.
@@ -38,11 +38,11 @@ jobs:
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -53,7 +53,7 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 build:
-  counter: 1024
+  counter: 1023
-  version: V8.13.296.2025.10.29
+  version: V8.13.384.2025.11.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.13.296.2025.10.29
+  version: V8.13.384.2025.11.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.296.2025.10.29
+# Version Master V8.13.384.2025.11.06
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -35,11 +35,31 @@ jobs:
    container:
      image: debian:trixie
-    steps:
+    defaults:
-      - name: 🛠️ Basic Image Setup.
+      run:
        shell: bash
        working-directory: ${{ github.workspace }}
    steps:
      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
      - name: 🔧 Basic Image Setup.
        run: |
          set -euo pipefail
          umask 0022
          echo "APT_LISTCHANGES_FRONTEND=none"  >> "${GITHUB_ENV}"
          echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
          echo "VAR_CDLB_INSIDE_RUNNER=true"    >> "${GITHUB_ENV}"
          export APT_LISTCHANGES_FRONTEND=none
          export DEBIAN_FRONTEND=noninteractive
          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
@@ -56,27 +76,24 @@ jobs:
            util-linux
      - name: ⚙️ Check GnuPG Version.
        shell: bash
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set +x
          set -euo pipefail
-          var_wait=$(( RANDOM % 33 ))
+          umask 0077
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -87,173 +104,113 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-      - name: 🛠️ Cleaning the workspace.
+      - name: ⚙️ Init GNUPGHOME.
        shell: bash
        run: |
-          git reset --hard
+          set +x
-          git clean -fd
+          set -euo pipefail
          umask 0077
          GNUPGHOME="/dev/shm/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}.${GITHUB_RUN_ATTEMPT}"
          # shellcheck disable=SC2174
          mkdir -p -m 0700 "${GNUPGHOME}"
          echo "GNUPGHOME=${GNUPGHOME}"  >> "${GITHUB_ENV}"
          echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
          gpgconf --reload gpg-agent || true
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
+        env:
          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
          set +x
          set -euo pipefail
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          umask 0077
-          export GNUPGHOME="$(pwd)/.gnupg"
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
-          mkdir -m 700 "${GNUPGHOME}"
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
          gpg --batch --import centurion-root.PUB.asc
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set +x
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
          git config --get user.signingkey
      - name: ⚙️ Preparing the build environment.
-        shell: bash
+        run: |
          set +x
          set -euo pipefail
          umask 0077
          mkdir -p /dev/shm/cdlb_secrets
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}"               >| /dev/shm/cdlb_secrets/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}"        >| /dev/shm/cdlb_secrets/authorized_keys
          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key
          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /dev/shm/cdlb_secrets/ssh_host_rsa_key
          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
      - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
        run: |
          set -euo pipefail
-          mkdir -p /opt/config
+          chmod 0700 ciss_live_builder.sh
          mkdir -p /opt/livebuild
          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
      - name: 🔧 Render live hook with secrets.
        shell: bash
        working-directory: ${{ github.workspace }}
        env:
          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
          CISS_PHYS_AGE:       ${{ secrets.CISS_PHYS_AGE }}
        run: |
          set -Ceuo pipefail
          umask 077
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
          SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot"
          if [[ ! -f "${TPL}" ]]; then
            echo "Template not found: ${TPL}"
            echo "::group::Tree of config/hooks/live"
            ls -la "${REPO_ROOT}/config/hooks/live" || true
            echo "::endgroup::"
            exit 2
          fi
          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
          export RSA_PUB="${RSA_PUB//$'\r'/}"
          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
          export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}"
          (
          cat << EOF >| "${ID_OUT}"
          ${CISS_PRIMORDIAL}
          EOF
          ) && chmod 0600 "${ID_OUT}"
          if [[ -f "${ID_OUT}" ]]; then
            echo "Written: ${ID_OUT}"
          else
            echo "Error: ${ID_OUT} not written."
          fi
          (
          cat << EOF >| "${ID_OUT_PUB}"
          ${CISS_PRIMORDIAL_PUB}
          EOF
          ) && chmod 0600 "${ID_OUT_PUB}"
          if [[ -f "${ID_OUT_PUB}" ]]; then
            echo "Written: ${ID_OUT_PUB}"
          else
            echo "Error: ${ID_OUT_PUB} not written."
          fi
          perl -0777 -pe '
            BEGIN{
              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
            }
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
          ' "${TPL}" > "${OUT}"
          chmod 0755 "${OUT}"
          perl -0777 -i -pe '
            BEGIN {
              our $age = $ENV{CISS_PHYS_AGE} // q{};
            }
            s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g;
          ' -- "${SOPS}"
          chmod 0755 "${SOPS}"
          echo "Hook rendered: ${OUT}"
      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
        shell: bash
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
-            --build-directory /opt/livebuild \
+            --build-directory /opt/cdlb \
            --cdi \
            --control "${timestamp}" \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
-            --root-password-file /opt/config/password.txt \
+            --root-password-file /dev/shm/cdlb_secrets/password.txt \
            --signing_key=signing_key.asc \
            --signing_key_fpr="${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }}" \
            --signing_key_pass=signing_key_pass.txt \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
-            --ssh-pubkey /opt/config \
+            --ssh-pubkey /dev/shm/cdlb_secrets \
            --sshfp \
            --trixie
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
-          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
+          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
-          rm -f "$OUT"
+          rm -f "${OUT}"
-          echo "Hook removed: $OUT"
+          echo "Hook removed: ${OUT}"
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
@@ -263,83 +220,106 @@ jobs:
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
+
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
-              if curl -s \
+
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
-                  -X DELETE "${FILE_URL}"; then
+
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
-              fi
+
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
              fi
-      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+            done < public_iso_list.txt
-        shell: bash
+
          else
            echo "💡 No old ISO files found to delete."
          fi
      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
        run: |
          set -euo pipefail
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
-          export GNUPGHOME="$(pwd)/.gnupg"
+
-          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+          gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -365,7 +345,6 @@ jobs:
          EOF
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -374,12 +353,10 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -391,8 +368,7 @@ jobs:
          git status
          git log --oneline -n 5
-      - name: 🛠️ Restore stashed changes.
+      - name: 🔧 Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -401,7 +377,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -410,16 +385,17 @@ jobs:
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
@@ -427,7 +403,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_1.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
@@ -443,10 +419,10 @@ jobs:
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.296.2025.10.29
+# Version Master V8.13.384.2025.11.06
 # Gitea Workflow: Shell-Script Linting
 #
@@ -49,11 +49,11 @@ jobs:
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -64,7 +64,7 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
@@ -316,7 +316,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🛡️ Shell Script Linting [skip ci]
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.296.2025.10.29
+# Version Master V8.13.384.2025.11.06
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
@@ -41,11 +41,11 @@ jobs:
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -56,7 +56,7 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
@@ -193,7 +193,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🛡️ Auto-Generate DNSSEC Status [skip ci]
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.296.2025.10.29
+# Version Master V8.13.384.2025.11.06
 name: 🔁 Render Graphviz Diagrams.
@@ -42,11 +42,11 @@ jobs:
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -57,7 +57,7 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
@@ -186,7 +186,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate PNG from *.dot. [skip ci]
--- a/.pubkey/marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc
+++ b/.pubkey/marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc
@@ -0,0 +1,21 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mEkFaQzeVBYAAAA/AytlcQHGPz+Tku/rFh5KSbHE465pYWjWOWSl26vKCk5HNMX6
 y2MGyUUbm5tVYHymp3EYbRBS8dJ+qKCKrzyAtDJNYXJjIFMuIFdlaWRuZXIgREVQ
 TE9ZIDxtc3crZGVwbG95QGNvcmVzZWNyZXQuZGV2PojNBRMWCABNIiEFmAiaRyzP
 RgHNUdfHCV02U1KW6hS43pIZhyPE3GBuj3YFAmkM3lQCGwMFCQfPlNwFCwkIBwIC
 IgIGFQoJCAsCBBYCAwECHgcCF4AAAA+GAcduwdOub1yMWc0o5e1qdkI/8Pv9jqYF
 P46Ko2UU24Q3AaYC5oBFyD4sKf4ojosYovs4fzrZCXqbH4ABxi0kmYEUZT11L+Ex
 AfiwNvJBCzlcvLzdK7A+ZBDgdaV5pybSN4/ZnUKkUSzZV/6odcVM2LtqkbAHAIjU
 BRAWCABUIiEFb9PDFk6t5GIBJKfozM13iXXLB7VAp8veRtbuNEidacIFAmkM3vEF
 gwfP84AkFIAAAAAADQAOcmVtQGdudXBnLm9yZ0NlbnR1cmlvbixDSUNBAACKBAHI
 5t3aZSnSERrnAZ3rwxItsTB9KeTVdtRnpxyZ7leBf4987ECcfwDDozkDGFo2cJwg
 eKPRloMif1eAAcjOdUXeunlNBTlPlyOBk0ukWT5SgVeZUl5bsNRgJWu7MoNiT9vQ
 M7gJjlyYcVoMZ47G7TA9Z+goJwC4TAVpDN5UEgAAAEIDK2VvAcCPfkOJzBvvplco
 PXb8jg4AsJXU10wHSucHMdR2R26+IJTCAYU6d3O47wTBr6QFc5HRgDZcf6FngQMB
 CgmIsgUYFggAMiIhBZgImkcsz0YBzVHXxwldNlNSluoUuN6SGYcjxNxgbo92BQJp
 DN5UAhsMBQkHz5TcAABuDQHI5Zp2rsRwc0WR0WaaQOIFh7KdL7x3dHljJ5u2m6Zc
 pzmlnZGuCTe0BmVzECJhq7Yqi+ajENbWOc+AAcUbToifr1VvbgZgUDtA+f2IlHRM
 ovaAOH5ED+DHy6OjEmBG43ZIPQbsbD4td5VIZoi+f6npZrhXNQA=
 =Q67G
 -----END PGP PUBLIC KEY BLOCK-----
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.296.2025.10.29"
+properties_version="V8.13.384.2025.11.06"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.296.2025.10.29
+PackageVersion: Master V8.13.384.2025.11.06
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.296.2025.10.29-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.384.2025.11.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.296.2025.10.29<br>
+**Build**: V8.13.384.2025.11.06<br>
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.13.296.2025.10.29`
+Example: `V8.13.384.2025.11.06`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -533,7 +533,7 @@ preview it or run it.
            ### Private Key
            echo "${{ secrets.CHANGE_ME }}" >| ~/.ssh/id_ed25519
-            chmod 600 ~/.ssh/id_ed25519
+            chmod 0600 ~/.ssh/id_ed25519
  #...
        ### https://github.com/actions/checkout/issues/1843
        - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.296.2025.10.29<br>
+**Build**: V8.13.384.2025.11.06<br>
 # 2.1. Repository Structure
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.296.2025.10.29** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.384.2025.11.06** (as of 2025-10-11)
 ## 2.2. Top-Level Layout
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -22,23 +22,19 @@
 ### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
 # shellcheck disable=SC2155
 declare -agx  ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
 declare -girx VAR_START_TIME="${SECONDS}"                                # Start time of script execution.
 declare -grx  VAR_PARAM_COUNT="$#"                                       # Arguments passed to script.
 declare -grx  VAR_PARAM_STRNG="$*"                                       # Arguments passed to script as string.
 declare -ag   ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
 declare -grx  VAR_SETUP_FILE="${0##*/}"                                  # 'ciss_debian_live_builder.sh'
-declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/opt/git/CISS.debian.live.builder'
+declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/root/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
-declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
+declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/root/git/CISS.debian.live.builder'
-# shellcheck disable=SC2155
+declare -grx  VAR_TMP_SECRET="/dev/shm/cdlb_secrets"                     # Fixed tmpfs path to store securely build artifacts.
-declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
+declare -grx  VAR_WORKDIR="$(dirname "${VAR_SETUP_FULL}")"               # '/root/git/CISS.debian.live.builder'
 # shellcheck disable=SC2155
 declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
 # shellcheck disable=SC2155
 declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 ### PRELIMINARY CHECKS.
 ### No ash, dash, ksh, sh.
-# shellcheck disable=2292
+# shellcheck disable=SC2292
 [ -z "${BASH_VERSINFO[0]}" ] && {
  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
@@ -60,7 +56,7 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 }
 ### Check to be not called by sh.
-# shellcheck disable=2312
+# shellcheck disable=SC2312
 [[ $(kill -l | grep -c SIG) -eq 0 ]] && {
  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2
@@ -95,30 +91,29 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
  exit 1
 }
-### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
+### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT().
 . ./var/early.var.sh
 . ./lib/lib_guard_sourcing.sh
 . ./lib/lib_source_guard.sh
 source_guard "./lib/lib_git_var.sh"
-### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
+### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG.
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh   ; contact; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh     ; usage  ; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh   ; version; exit 0;; esac; done
 ### ALL CHECKS DONE. READY TO START THE SCRIPT
 source_guard "./var/bash.var.sh"
 check_git
 for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
 declare -gx VAR_SETUP="true"
-### SOURCING VARIABLES
+### ALL CHECKS DONE. READY TO START THE SCRIPT.
 find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/secret" -type f -exec chmod 0400 {} +
 declare -grx VAR_SETUP="true"
 ### SOURCING VARIABLES.
 [[ "${VAR_SETUP}" == true ]] && {
  source_guard "./var/bash.var.sh"
  source_guard "./var/color.var.sh"
  source_guard "./var/global.var.sh"
 }
-### SOURCING LIBRARIES
+### SOURCING LIBRARIES.
 [[ "${VAR_SETUP}" == true ]] && {
  source_guard "./lib/lib_arg_parser.sh"
  source_guard "./lib/lib_arg_priority_check.sh"
@@ -132,19 +127,21 @@ declare -gx VAR_SETUP="true"
  source_guard "./lib/lib_check_provider.sh"
  source_guard "./lib/lib_check_stats.sh"
  source_guard "./lib/lib_check_var.sh"
-  source_guard "./lib/lib_ciss_upgrades.sh"
+  source_guard "./lib/lib_ciss_upgrades_boot.sh"
  source_guard "./lib/lib_ciss_upgrades_build.sh"
  source_guard "./lib/lib_clean_screen.sh"
  source_guard "./lib/lib_clean_up.sh"
  source_guard "./lib/lib_copy_integrity.sh"
  source_guard "./lib/lib_gnupg.sh"
  source_guard "./lib/lib_hardening_root_pw.sh"
-  source_guard "./lib/lib_hardening_ssh.sh"
+  source_guard "./lib/lib_hardening_ssh_tcp.sh"
  source_guard "./lib/lib_hardening_ultra.sh"
  source_guard "./lib/lib_helper_ip.sh"
  source_guard "./lib/lib_lb_build_start.sh"
  source_guard "./lib/lib_lb_config_start.sh"
  source_guard "./lib/lib_lb_config_write.sh"
  source_guard "./lib/lib_lb_config_write_trixie.sh"
  source_guard "./lib/lib_note_target.sh"
  source_guard "./lib/lib_primordial.sh"
  source_guard "./lib/lib_provider_netcup.sh"
  source_guard "./lib/lib_run_analysis.sh"
  source_guard "./lib/lib_sanitizer.sh"
@@ -154,7 +151,7 @@ declare -gx VAR_SETUP="true"
  source_guard "./lib/lib_usage.sh"
 }
-### ADVISORY LOCK
+### ADVISORY LOCK.
 exec 127>/var/lock/ciss_live_builder.lock || {
  printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
  exit "${ERR_FLOCK_WRTG}"
@@ -165,97 +162,92 @@ if ! flock -x -n 127; then
  exit "${ERR_FLOCK_COLL}"
 fi
-### CHECK FOR AUTOBUILD MODE
+### CHECK FOR AUTOBUILD MODE.
 for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -gx VAR_HANDLER_AUTOBUILD="true"; declare -gx VAR_KERNEL="${arg#*=}";; esac; done; unset arg
 for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir
-### CHECKING REQUIRED PACKAGES
+### CHECKING REQUIRED PACKAGES.
 check_pkgs
-### DIALOG OUTPUT FOR INITIALIZATION
+### DIALOG OUTPUT FOR INITIALIZATION.
 if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme:
 trap 'trap_on_exit "$?"' EXIT
 trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
 declare -ar  ARY_ARG_SANITIZED=("$@")
-declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
+declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
 arg_parser "$@"
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
 clean_ip
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
-### Turn off Dialog Wrapper
+### Turn off the dialog wrapper.
 if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
-### MAIN Program
+### MAIN Program ---------------------------------------------------------------------------------------------------------------
 arg_priority_check
 check_stats
 if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
 if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi
-if [[ ! "${VAR_SSHFP}" == "true" ]]; then
+ciss_upgrades_build
-  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
+hardening_ssh_tcp
  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
 fi
-check_hooks
+### Preparing the build environment.
 hardening_ssh
 ciss_upgrades
 lb_config_start
 if [[ "${VAR_SUITE}" == "bookworm" ]]; then
  lb_config_write
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_trixie.chroot"
  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/etc/login.defs"
 else
  lb_config_write_trixie
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot"
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_bookworm.chroot"
 fi
 # shellcheck disable=SC2164
 cd "${VAR_WORKDIR}"
-hardening_ultra
+### Writing the build configuration.
-hardening_root_pw
+lb_config_write_trixie
 ### Init GNUPGHOME.
 init_gnupg
 ### Integrate primordial SSH identity files.
 init_primordial
 ### CISS.debian.installer 'GRUB' and 'autostart' generator.
 cdi
 change_splash
 check_dhcp
-cdi
+ciss_upgrades_boot
-provider_netcup
+hardening_root_pw
 hardening_ultra
 note_target
 provider_netcup
 update_microcode
 x_hooks
 ### Start the build process
 set +o errtrace
 lb_build_start
 set -o errtrace
 run_analysis
 copy_db
-declare -g VAR_SCRIPT_SUCCESS=true
+declare -grx VAR_SCRIPT_SUCCESS="true"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0000_basic_chroot_setup.chroot
+++ b/config/hooks/live/0000_basic_chroot_setup.chroot
@@ -13,6 +13,9 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # shellcheck disable=SC2155
 declare -gx VAR_DATE="$(date +%F)"
 #######################################
 # Generates '/etc/default/ciss-xdg-profile'
 # Globals:
@@ -23,9 +26,9 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 #   0: on success
 #######################################
 generate_ciss_xdg_profile() {
-  cat << 'EOF' >> /etc/default/ciss-xdg-profile
+  cat << EOF >> /etc/default/ciss-xdg-profile
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -63,10 +66,10 @@ readonly -f generate_ciss_xdg_profile
 #   0: on success
 #######################################
 generate_ciss_xdg_sh() {
-  cat << 'EOF' >> /etc/profile.d/ciss-xdg.sh
+  cat << EOF >| /etc/profile.d/ciss-xdg.sh
 #!/bin/sh
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -76,6 +79,8 @@ generate_ciss_xdg_sh() {
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 EOF
  cat << 'EOF' >> /etc/profile.d/ciss-xdg.sh
 # shellcheck shell=sh
 # This file is sourced by login shells via '/etc/profile'. Keep POSIX sh compatible.
@@ -141,21 +146,23 @@ readonly -f generate_ciss_xdg_sh
 #   0: on success
 #######################################
 generate_ciss_xdg_tmp_sh() {
-  cat << 'EOF' >> /root/ciss_xdg_tmp.sh
+  cat << EOF >| /root/ciss_xdg_tmp.sh
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### XDG variables (do not override if already set).
 EOF
  cat << 'EOF' >> /root/ciss_xdg_tmp.sh
 set -a
 # shellcheck disable=SC2034
@@ -207,6 +214,12 @@ if [[ -f /root/.architecture ]]; then
 fi
 if [[ -f /root/.architecture ]]; then
  :
 fi
 mkdir -p /root/.ciss/dlb/{backup,log,private_keys}
 chmod 0700 /root/.ciss/dlb/{backup,log,private_keys}
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -58,10 +58,10 @@ export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y intel-microcode amd64-microcode
 # shellcheck disable=SC2155
-declare nic_driver="$(grep_nic_driver_modules)"
+declare nic_driver="$(grep_nic_driver_modules)" VAR_DATE="$(date +%F)"
 cat << EOF >| /etc/initramfs-tools/modules
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -201,9 +201,9 @@ virtio_scsi
 EOF
-cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
+cat << EOF >| /etc/initramfs-tools/update-initramfs.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -236,9 +236,9 @@ backup_initramfs=no
 EOF
-cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
+cat << EOF >| /etc/initramfs-tools/initramfs.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -340,10 +340,10 @@ FSTYPE=auto
 EOF
-cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
+cat << EOF >| /etc/initramfs-tools/hooks/ciss_debian_live_builder
 #!/bin/sh
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -353,9 +353,12 @@ cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 EOF
 cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
 set -e
-printf "\e[95mStarting: [0001_initramfs_modules.chroot] \n\e[0m"
+printf "\e[95mStarting: [ciss_debian_live_builder] \n\e[0m"
 PREREQ=""
 prereqs() { echo "${PREREQ}"; }
@@ -449,14 +452,15 @@ install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg "${DESTDIR}/etc/ciss/keys/0
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg %s/etc/ciss/keys/0xE62E84F8_public.gpg] \n\e[0m" "${DESTDIR}"
-printf "\e[92mSuccessfully executed: [0001_initramfs_modules.chroot] \n\e[0m"
+printf "\e[92mSuccessfully executed: [ciss_debian_live_builder] \n\e[0m"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
-### Regenerate the initramfs for the live system kernel
+# TODO: Move to 9999_zzzz.chroot
 ### Regenerate the initramfs for the live system kernel.
 update-initramfs -u -k all -v
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
--- a/config/hooks/live/0002_verify_checksums.chroot
+++ b/config/hooks/live/0002_verify_checksums.chroot
@@ -1,172 +0,0 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 target="/usr/lib/live/boot/0030-verify-checksums"
 src="$(mktemp)"
 if [[ ! -d /usr/lib/live/boot ]]; then
  mkdir -p /usr/lib/live/boot
 fi
 cat << 'EOF' >| "${src}"
 #!/bin/sh
 # bashsupport disable=BP5007
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: GPL-3.0-or-later
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
 ### In case of successful verification of one of the offered checksums, proceed with booting, else panic.
 #######################################
 # Modified checksum-verification script for continuing the boot process.
 # Globals:
 #   LIVE_BOOT_CMDLINE
 #   LIVE_VERIFY_CHECKSUMS
 #   LIVE_VERIFY_CHECKSUMS_DIGESTS
 #   _CHECKSUM
 #   _CHECKSUMS
 #   _DIGEST
 #   _MOUNTPOINT
 #   _PARAMETER
 #   _RETURN
 #   _TTY
 # Arguments:
 #   1: ${_PARAMETER}
 # Returns:
 #   0 : Successful Verification
 #######################################
 Verify_checksums() {
  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
    case "${_PARAMETER}" in
      live-boot.verify-checksums=* | verify-checksums=*)
        LIVE_VERIFY_CHECKSUMS="true"
        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
        ;;
      live-boot.verify-checksums | verify-checksums)
        LIVE_VERIFY_CHECKSUMS="true"
        ;;
    esac
  done
  case "${LIVE_VERIFY_CHECKSUMS}" in
    true)
      :
      ;;
    *)
      return 0
      ;;
  esac
  _MOUNTPOINT="${1}"
  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
  _TTY="/dev/tty8"
  log_begin_msg "Verifying checksums"
  printf "\n"
  # shellcheck disable=SC2164
  cd "${_MOUNTPOINT}"
  # shellcheck disable=SC2001
  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
    # shellcheck disable=SC2060
    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
    for _CHECKSUM in ${_CHECKSUMS}; do
      # shellcheck disable=SC2292
      if [ -e "${_CHECKSUM}" ]; then
        #echo "Found ${_CHECKSUM}..." > "${_TTY}"
        printf "Found %s...\n" "${_CHECKSUM}"
        if [ -e "/bin/${_DIGEST}sum" ]; then
          #echo "Checking ${_CHECKSUM}..." > "${_TTY}"
          printf "Checking %s...\n" "${_CHECKSUM}"
          # Verify checksums
          # shellcheck disable=SC2312
          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
          _RETURN="${?}"
          # Stop after the first verification
          # break 2
        else
          #echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
          printf "Not found /bin/%ssum....\n" "${_DIGEST}"
        fi
      fi
    done
  done
  log_end_msg
  case "${_RETURN}" in
    0)
      log_success_msg "Verification of checksums successful; continuing booting in 8 seconds."
      sleep 8
      return 0
      ;;
    *)
      panic "Verification failed, $(basename "${_TTY}") for more information."
      ;;
  esac
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 # Copy and make executable
 install -Dm755 "${src}" "${target}"
 rm -f "${src}"
 unset target src
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0007_update_logrotate.chroot
+++ b/config/hooks/live/0007_update_logrotate.chroot
@@ -23,10 +23,10 @@ cat << EOF >| "/etc/logrotate.conf"
 # Rotate log files daily
 daily
-# Keep 384 daily worth of backlogs.
+# Keep 90 daily worth of backlogs.
 rotate 90
-# Hard cap: delete rotated logs older than 384 days.
+# Hard cap: delete rotated logs older than 90 days.
 maxage 90
 # Do not rotate the log if it is empty (this overrides the ifempty option).
--- a/config/hooks/live/0050_activate_root.chroot
+++ b/config/hooks/live/0050_activate_root.chroot
@@ -39,13 +39,13 @@ unset hashed_pwd safe_hashed_pwd
 cat /etc/shadow
-if shred -vfzu -n 5 /root/.pwd; then
+if shred -fzu -n 5 /root/.pwd; then
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"
 else
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2
 fi
--- a/config/hooks/live/0870_bashdb.chroot
+++ b/config/hooks/live/0870_bashdb.chroot
@@ -0,0 +1,36 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 umask 0077
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y texinfo
 cd /root/git
 git clone https://github.com/Trepan-Debuggers/bashdb.git
 cd /root/git/bashdb
 ./autogen.sh
 make
 apt-get purge -y texinfo
 apt-get autoremove --purge -y
 apt-get autoclean -y
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9930_hardening_ssh.chroot
+++ b/config/hooks/live/9930_hardening_ssh.chroot
@@ -13,26 +13,35 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-cd /etc/ssh || {
+cd /etc/ssh
-  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
+
 }
 rm -rf ssh_host_*key*
 if [[ -d /root/ssh ]]; then
  mv /root/ssh/ssh_host_*key* /etc/ssh
  rm -rf /root/ssh
 else
  # shellcheck disable=SC2312
  ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
  # shellcheck disable=SC2312
  ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
-awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
+fi
 rm -rf /etc/ssh/moduli
 mv /etc/ssh/moduli.safe /etc/ssh/moduli
 chmod 0600 /etc/ssh/ssh_host_*_key
 chown root:root /etc/ssh/ssh_host_*_key
 chmod 0644 /etc/ssh/ssh_host_*_key.pub
 chown root:root /etc/ssh/ssh_host_*_key.pub
-chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
+awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
 rm -rf /etc/ssh/moduli
 mv /etc/ssh/moduli.safe /etc/ssh/moduli
 chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config
 touch /root/sshfp
 ssh-keygen -r @ >| /root/sshfp
--- a/config/hooks/live/9935_hardening_ssh.chroot.tmpl
+++ b/config/hooks/live/9935_hardening_ssh.chroot.tmpl
@@ -1,93 +0,0 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /etc/ssh || {
  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
 }
 cat << 'EOF' >| ssh_host_ed25519_key
 {{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
 EOF
 cat << 'EOF' >| ssh_host_ed25519_key.pub
 {{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
 EOF
 cat << 'EOF' >| ssh_host_rsa_key
 {{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
 EOF
 cat << 'EOF' >| ssh_host_rsa_key.pub
 {{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
 EOF
 awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
 rm -rf /etc/ssh/moduli
 mv /etc/ssh/moduli.safe /etc/ssh/moduli
 chmod 0600 /etc/ssh/ssh_host_*_key
 chown root:root /etc/ssh/ssh_host_*_key
 chmod 0644 /etc/ssh/ssh_host_*_key.pub
 chown root:root /etc/ssh/ssh_host_*_key.pub
 chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
 touch /root/sshfp
 ssh-keygen -r @ >| /root/sshfp
 ###########################################################################################
 # Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only          #
 # environment variables: TMOUT and HISTFILE.                                              #
 # TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
 # readonly HISTFILE ensures that the command history cannot be changed.                   #
 # The chmod +x command ensures that the file is executed in every shell session.          #
 ###########################################################################################
 cat << 'EOF' >| /etc/profile.d/idle-users.sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 case $- in
  *i*)
    TMOUT=14400
    export TMOUT
    readonly TMOUT
  ;;
 esac
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 chmod +x /etc/profile.d/idle-users.sh
 mkdir -p /etc/systemd/system/ssh.service.d
 cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf
 [Unit]
 After=ufw.service
 Requires=ufw.service
 EOF
 chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9999_zzzz.chroot
+++ b/config/hooks/live/9999_zzzz.chroot
@@ -15,6 +15,9 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
 ### Regenerate the initramfs for the live system kernel.
 update-initramfs -u -k all -v
 ### Determine the canonical systemd unit dir inside chroot.
 if [[ -d /lib/systemd/system ]]; then
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.296.2025.10.29
+# Version Master V8.13.384.2025.11.06
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.296.2025.10.29
+# Version Master V8.13.384.2025.11.06
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -48,8 +48,8 @@ MaxAuthTries                 3
 MaxSessions                  2
 ### Begin randomly dropping new unauthenticated connections after the 2nd attempt,
 ### with a 64% chance to drop each additional connection, up to a hard limit of 08.
-MaxStartups                  02:64:08
+MaxStartups                  16:32:48
-### Restrict each individual source IP to only 4 unauthenticated connection slot
+### Restrict each individual source IP to only 8 unauthenticated connection slot
 ### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
 PerSourceMaxStartups         8
 ClientAliveInterval          300
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -1,3 +1,5 @@
 # bashsupport disable=BP5007
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
@@ -9,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.296.2025.10.29
+# Version Master V8.13.384.2025.11.06
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.13.296.2025.10.29"
+declare -gr VERSION="Master V8.13.384.2025.11.06"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.296.2025.10.29 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.384.2025.11.06 at: 10:18:37.9542
--- a/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
+++ b/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
@@ -0,0 +1,212 @@
 #!/bin/sh
 # bashsupport disable=BP5007
 # shellcheck shell=sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: GPL-3.0-or-later
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
 ### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
 #######################################
 # Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
 # Globals:
 #   LIVE_BOOT_CMDLINE
 #   _TTY
 # Arguments:
 #   1: _MOUNTPOINT
 # Returns:
 #   0 : Successful verification
 #######################################
 Verify_checksums() {
  _MOUNTPOINT="${1}"
  _TTY="/dev/tty8"
  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
  LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
    case "${_PARAMETER}" in
      live-boot.verify-checksums=* | verify-checksums=*)
        LIVE_VERIFY_CHECKSUMS="true"
        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
        ;;
      live-boot.verify-checksums | verify-checksums)
        LIVE_VERIFY_CHECKSUMS="true"
        ;;
      live-boot.verify-checksums-signatures | verify-checksums-signatures)
        LIVE_VERIFY_CHECKSUMS_SIGNATURES="true"
        ;;
    esac
  done
  case "${LIVE_VERIFY_CHECKSUMS}" in
    true)
      :
      ;;
    *)
      return 0
      ;;
  esac
  # shellcheck disable=SC2164
  cd "${_MOUNTPOINT}"
  ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
  if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
    log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
    printf "\n"
    CDLB_SCRIPT="$(basename "${0}")"
    CDLB_SHA="sha512"
    CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE=""
    for CDLB_ITEM in ${CDLB_SHA}; do
      CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}"
      CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
      CDLB_CMD="${CDLB_ITEM}sum"
      printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
      if ! gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
        printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}"
        sleep 8
        # TODO: Remove debug mode
        # return 0
      else
        printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}"
      fi
      printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}"
      CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; })
      read -r CDLB_EXPECTED < "${CDLB_HASHFILE}"
      if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
        printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}"
        sleep 8
        # TODO: Remove debug mode
        # return 0
      fi
      printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}"
    done
    printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding."
    log_end_msg
    printf "\n"
  fi
  ### Checksum and checksum signature verification -----------------------------------------------------------------------------
  log_begin_msg "Verifying checksums"
  printf "\n"
  # shellcheck disable=SC2001
  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
    # shellcheck disable=SC2060
    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
    for _CHECKSUM in ${_CHECKSUMS}; do
      if [ -e "${_CHECKSUM}" ]; then
        printf "Found [%s] ...\n" "${_CHECKSUM}"
        if [ -e "/bin/${_DIGEST}sum" ]; then
          if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
            printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
            _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
            gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
            _RETURN_PGP="${?}"
          else
            _RETURN_PGP="na"
          fi
          printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
          # shellcheck disable=SC2312
          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
          _RETURN_SHA="${?}"
          # Stop after the first verification.
          break 2
        else
          printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
        fi
      fi
    done
  done
  log_end_msg
  case "${_RETURN_PGP},${_RETURN_SHA}" in
    0,0)
      log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
      sleep 8
      return 0
      ;;
    na,0)
      log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
      sleep 8
      return 0
      ;;
    *,0)
      panic "Verification of signature file failed while verification of checksum file successful."
      ;;
    na,*)
      panic "Verification of checksum file failed."
      ;;
  esac
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/package-lists/live.list.common.chroot
+++ b/config/package-lists/live.list.common.chroot
@@ -129,6 +129,7 @@ sudo
 sysstat
 systemd-sysv
 tar
 tmux
 tree
 tshark
 ufw
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.296.2025.10.29<br>
+**Build**: V8.13.384.2025.11.06<br>
 # 2. DNSSEC Status
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.296.2025.10.29<br>
+**Build**: V8.13.384.2025.11.06<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.296.2025.10.29<br>
+**Build**: V8.13.384.2025.11.06<br>
 # 2. Lynis Audit:
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.296.2025.10.29<br>
+**Build**: V8.13.384.2025.11.06<br>
 # 2. SSH Audit by ssh-audit.com
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.296.2025.10.29<br>
+**Build**: V8.13.384.2025.11.06<br>
 # 2. TLS Audit:
 ````text
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.296.2025.10.29<br>
+**Build**: V8.13.384.2025.11.06<br>
 # 2. Hardened Kernel Boot Parameters
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,66 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.296.2025.10.29<br>
+**Build**: V8.13.384.2025.11.06<br>
 # 2. Changelog
 ## V8.13.384.2025.11.06
 * **Global**: Changed ``shred -vfzu -n 5`` to ``shred -fzu -n 5``.
 * **Global**: Live-hooks: ``apt-get`` commands safeguarded by ``export DEBIAN_FRONTEND="noninteractive" INITRD="No"``.
 * **Added**: [marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc](../.pubkey/marc_s_weidner_msw%2Bdeploy%40coresecet.dev_0x2CCF4601_public.asc)
 * **Added**: [0870_bashdb.chroot](../config/hooks/live/0870_bashdb.chroot) bashdb debugger https://github.com/Trepan-Debuggers/bashdb.git
 * **Added**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) Unified handling via includes.chroot.
 * **Added**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) Updates for CISS and PhysNet primordial-workflow™.
 * **Added**: [lib_ciss_upgrades_build.sh](../lib/lib_ciss_upgrades_build.sh) Updates for CISS and PhysNet primordial-workflow™.
 * **Added**: [lib_gnupg.sh](../lib/lib_gnupg.sh) Updates for CISS and PhysNet primordial-workflow™.
 * **Added**: [lib_primordial.sh](../lib/lib_primordial.sh) Updates for CISS and PhysNet primordial-workflow™.
 * **Added**: [0030-verify-checksums](../scripts/usr/lib/live/boot/0030-verify-checksums) Unified handling via includes.chroot.
 * **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
 * **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
 * **Bugfixes**: [render-dot-to-png.yaml](../.gitea/workflows/render-dot-to-png.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}"
 * **Changed**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) Rewritten for new secrets handling.
 * **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) + VAR_DATE improvements.
 * **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + VAR_DATE improvements.
 * **Changed**: [9930_hardening_ssh.chroot](../config/hooks/live/9930_hardening_ssh.chroot) Rewritten for CISS and PhysNet primordial-workflow™.
 * **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot) + Final update-initramfs
 * **Changed**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) + Less strict MaxStartups settings.
 * **Changed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) + tmux
 * **Changed**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) Rewritten for CISS and PhysNet primordial-workflow™.
 * **Changed**: [lib_arg_priority_check.sh](../lib/lib_arg_priority_check.sh) Unified UI.
 * **Changed**: [lib_cdi.sh](../lib/lib_cdi.sh) + Commandline parameters: verify-checksums=sha512,sha384 verify-checksums-signatures
 * **Changed**: [lib_change_splash.sh](../lib/lib_change_splash.sh) Unified UI.
 * **Changed**: [lib_check_dhcp.sh](../lib/lib_check_dhcp.sh) Unified UI.
 * **Changed**: [lib_check_hooks.sh](../lib/lib_check_hooks.sh) Unified UI.
 * **Changed**: [lib_check_kernel.sh](../lib/lib_check_kernel.sh) Minor declare unification.
 * **Changed**: [lib_check_pkgs.sh](../lib/lib_check_pkgs.sh) Improved command checks. Unified UI.
 * **Changed**: [lib_check_provider.sh](../lib/lib_check_provider.sh) Unified variables.
 * **Changed**: [lib_clean_up.sh](../lib/lib_clean_up.sh) Secure deletion of CISS and PhysNet primordial-workflow™ artifacts.
 * **Changed**: [lib_debug.sh](../lib/lib_debug.sh) + Integrated EPOCH in PS4.
 * **Changed**: [lib_debug_header.sh](../lib/lib_debug_header.sh) + Integrated SOURCE_DATE_EPOCH.
 * **Changed**: [lib_hardening_root_pw.sh](../lib/lib_hardening_root_pw.sh) Unified UI.
 * **Changed**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) Rewritten for CISS and PhysNet primordial-workflow™.
 * **Changed**: [lib_hardening_ssh_tcp.sh](../lib/lib_hardening_ssh_tcp.sh) Unified UI.
 * **Changed**: [lib_lb_build_start.sh](../lib/lib_lb_build_start.sh) Deterministic return code examination.
 * **Changed**: [lib_lb_config_start.sh](../lib/lib_lb_config_start.sh) Removed potential disown race condition.
 * **Changed**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) Unified config writing for deterministic workflow.
 * **Changed**: [lib_note_target.sh](../lib/lib_note_target.sh) Unified UI.
 * **Changed**: [lib_provider_netcup.sh](../lib/lib_provider_netcup.sh) Added Centurion DNS Server 03.
 * **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) + PGP signature verification.
 * **Changed**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) + mksquashfs-excludes.
 * **Changed**: [early.var.sh](../var/early.var.sh) Unified variable declaration.
 * **Changed**: [global.var.sh](../var/global.var.sh) Unified variable declaration.
 * **Changed**: [ciss_live_builder.sh](../ciss_live_builder.sh) Updated program workflow for deterministic environment creation.
 * **Removed**: [0002_verify_checksums.chroot](../.archive/0002_verify_checksums.chroot) Unified handling via includes.chroot.
 * **Removed**: [9998_sources_list_bookworm.chroot](../.archive/9998_sources_list_bookworm.chroot) Debian bookworm support deprecated.
 * **Removed**: [lib_lb_config_write.sh](../.archive/lib_lb_config_write.sh) Debian bookworm support deprecated.
 * **Updated**: [icon.lib](../.archive/icon.lib) + Emojis
 ## V8.13.298.2025.10.30
 * **Added**: [0870_bashdb.chroot](../config/hooks/live/0870_bashdb.chroot)
 * **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) + tmux
 ## V8.13.296.2025.10.29
 * **Changed**: ``lockdown=confidentiality`` -> ``lockdown=integrity``
 * **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - clamav, clamav-daemon
@@ -19,7 +75,7 @@ include_toc: true
 ## V8.13.294.2025.10.28
 * **Added**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) + mksquashfs-excludes
-* **Added**: [lib_ciss_upgrades.sh](../lib/lib_ciss_upgrades.sh) + modifies '/usr/lib/live/build/...' scripts
+* **Added**: [lib_ciss_upgrades.sh](../lib/lib_ciss_upgrades_build.sh) + modifies '/usr/lib/live/build/...' scripts
 * **Added**: [lib_update_microcode.sh](../lib/lib_update_microcode.sh)
 * **Added**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) + modifies binary_rootfs script
 * **Updated**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) + --sshfp
@@ -125,7 +181,7 @@ include_toc: true
 * **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh)
 * **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter)
 * **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot)
-* **Updated**: [9998_sources_list_bookworm.chroot](../config/hooks/live/9998_sources_list_bookworm.chroot)
+* **Updated**: [9998_sources_list_bookworm.chroot](../.archive/9998_sources_list_bookworm.chroot)
 * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
 * **Updated**: [9999_interfaces_update.chroot](../config/hooks/live/9999_interfaces_update.chroot)
 * **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh) Unified Kernel bootparameter.
@@ -222,7 +278,6 @@ include_toc: true
 * **Updated**: [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts.
 * Rearranged VARs sourcing: [early.var.sh](../var/early.var.sh)
 * Rearranged DEBUG XTRACE sourcing: [meta_sources_debug.sh](../meta_sources_debug.sh)
 * **Added**: Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_git_var.sh)
 * **Added**: ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh)
  to prevent the caller LIB-file from being sourced twice.
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.296.2025.10.29<br>
+**Build**: V8.13.384.2025.11.06<br>
 # 2. Centurion Net - Developer Branch Overview
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.296.2025.10.29<br>
+**Build**: V8.13.384.2025.11.06<br>
 # 2. Coding Style
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.296.2025.10.29<br>
+**Build**: V8.13.384.2025.11.06<br>
 # 2. Contributing / participating
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.296.2025.10.29<br>
+**Build**: V8.13.384.2025.11.06<br>
 # 2. Credits
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.296.2025.10.29<br>
+**Build**: V8.13.384.2025.11.06<br>
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.296.2025.10.29<br>
+**Build**: V8.13.384.2025.11.06<br>
 # 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.13.296.2025.10.29
+Master V8.13.384.2025.11.06
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2025
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 # 2.2. Contact
 ````text
 CISS.debian.live.builder
-Master V8.13.296.2025.10.29
+Master V8.13.384.2025.11.06
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2025
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.296.2025.10.29<br>
+**Build**: V8.13.384.2025.11.06<br>
 # 2. Resources
--- a/lib/lib_arg_parser.sh
+++ b/lib/lib_arg_parser.sh
@@ -33,6 +33,10 @@ guard_sourcing
 #   VAR_ISO8601
 #   VAR_REIONICE_CLASS
 #   VAR_REIONICE_PRIORITY
 #   VAR_SIGNER
 #   VAR_SIGNING_KEY
 #   VAR_SIGNING_KEY_FPR
 #   VAR_SIGNING_KEY_PASS
 #   VAR_SSHFP
 #   VAR_SSHPORT
 #   VAR_SSHPUBKEY
@@ -119,7 +123,7 @@ arg_parser() {
            printf "\e[91m❌ Error: --build-directory MUST be an absolute path. Got: '%s'\n" "${VAR_HANDLER_BUILD_DIR}" >&2
            exit "${ERR_NOTABSPATH}"
          fi
-          declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/${VAR_ISO8601}_build.log"
+          declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/cdlb_${VAR_ISO8601}_build.log"
          shift 2
          ;;
@@ -294,20 +298,25 @@ arg_parser() {
        --root-password-file)
          declare pw_file="${2}"
          if [[ -z "${pw_file}" ]]; then
            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --root-password-file missing password file path argument.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_MISS_PWD_P}"
          fi
          if [[ ! -f "${pw_file}" ]]; then
            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --root-password-file password file '%s' does not exist.\e[0m\n" "${pw_file}" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_MISS_PWD_F}"
          fi
          declare owner
@@ -335,32 +344,42 @@ arg_parser() {
          fi
          declare plaintext_pw
-          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
+          ### No tracing for security reasons ----------------------------------------------------------------------------------
          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
          if ! IFS= read -r plaintext_pw < "${pw_file}"; then
            :
          fi
-          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
+
          ### Turn on tracing again --------------------------------------------------------------------------------------------
          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
          declare pw_length
          pw_length=${#plaintext_pw}
-          if (( pw_length < 20 || pw_length > 64 )); then
+          if (( pw_length < 42 || pw_length > 64 )); then
            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
-            printf "\e[91m❌ Error: --root-password-file password MUST be between 20 and 64 characters (got %d).\e[0m\n" "${pw_length}" >&2
+            printf "\e[91m❌ Error: --root-password-file password MUST be between 42 and 64 characters (got %d).\e[0m\n" "${pw_length}" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_PASS_LENGH}"
          fi
-          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
+          ### No tracing for security reasons ----------------------------------------------------------------------------------
          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
          if [[ "${plaintext_pw}" == *\"* ]]; then
-            [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
+
            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --root-password-file password MUST NOT contain double quotes (\").\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_PASS_PLICY}"
          fi
-          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
+
          ### Turn on tracing again --------------------------------------------------------------------------------------------
          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
          declare salt
          set +o pipefail
@@ -371,53 +390,81 @@ arg_parser() {
          set -o pipefail
          declare hash_temp
-          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
+          ### No tracing for security reasons ----------------------------------------------------------------------------------
          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
          hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")
-          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
+
          ### Turn on tracing again --------------------------------------------------------------------------------------------
          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
          # shellcheck disable=SC2034
          declare -g VAR_HASHED_PWD="${hash_temp}"
          unset hash_temp plaintext_pw
          sync
-          if shred -vfzu -n 5 "${pw_file}" > /dev/null 2>&1; then
+          if shred -fzu -n 5 "${pw_file}" > /dev/null 2>&1; then
-            printf "\e[92m✅ Password file '%s': shred -vfzu -n 5 >> done. \e[0m\n" "${pw_file}" > /dev/null 2>&1
+            printf "\e[92m✅ Password file '%s': shred -fzu -n 5 >> done. \e[0m\n" "${pw_file}" > /dev/null 2>&1
          else
-            printf "\e[91m❌ Password file '%s': shred -vfzu -n 5 >> NOT successful. \e[0m\n" "${pw_file}" > /dev/null 2>&1
+            printf "\e[91m❌ Password file '%s': shred -fzu -n 5 >> NOT successful. \e[0m\n" "${pw_file}" > /dev/null 2>&1
          fi
          sync
          shift 2
          ;;
        --signing_key=*)
          # shellcheck disable=SC2034
          declare -gx VAR_SIGNER="true"
          # shellcheck disable=SC2034
          declare -gx VAR_SIGNING_KEY="${1#*=}"
          shift 1
          ;;
        --signing_key_fpr=*)
          # shellcheck disable=SC2034
          declare -gx VAR_SIGNING_KEY_FPR="${1#*=}"
          shift 1
          ;;
        --signing_key_pass=*)
          # shellcheck disable=SC2034
          declare -gx VAR_SIGNING_KEY_PASS="${1#*=}"
          shift 1
          ;;
        --ssh-port)
          if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
            # shellcheck disable=SC2034
-            declare -gi VAR_SSHPORT="${2}"
+            declare -gix VAR_SSHPORT="${2}"
            shift 2
          else
            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --ssh-port MUST be an integer between '1' and '65535'.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR__SSH__PORT}"
          fi
          ;;
        --sshfp)
          # shellcheck disable=SC2034
-          declare -g VAR_SSHFP="true"
+          declare -gx VAR_SSHFP="true"
          shift 1
          ;;
        --ssh-pubkey)
          # shellcheck disable=SC2034
-          declare -g VAR_SSHPUBKEY="${2}"
+          declare -gx VAR_SSHPUBKEY="${2}"
          shift 2
          ;;
        --trixie)
          # shellcheck disable=SC2034
-          declare -g VAR_SUITE="trixie"
+          declare -gx VAR_SUITE="trixie"
          shift 1
          ;;
--- a/lib/lib_arg_priority_check.sh
+++ b/lib/lib_arg_priority_check.sh
@@ -15,6 +15,7 @@ guard_sourcing
 #######################################
 # Check and setup Script Priorities
 # Globals:
 #   BASH_SOURCE
 #   VAR_HANDLER_PRIORITY
 #   VAR_REIONICE_CLASS
 #   VAR_REIONICE_PRIORITY
@@ -24,7 +25,9 @@ guard_sourcing
 #   0: on success
 #######################################
 arg_priority_check() {
-  declare var
+  declare var=""
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
  ### Check if nice PRIORITY is set and adjust nice priority.
  if [[ "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then
@@ -34,8 +37,6 @@ arg_priority_check() {
      renice "${VAR_HANDLER_PRIORITY}" -p "$$"
      var=$(ps -o ni= -p $$) > /dev/null 2>&1
      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}"
      # sleep 1
      unset var
    else
@@ -53,8 +54,6 @@ arg_priority_check() {
      ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
      var=$(ionice -p $$) > /dev/null 2>&1
      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}"
      # sleep 1
      unset var
    else
@@ -64,6 +63,8 @@ arg_priority_check() {
  fi
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
  return 0
 }
 ### Prevents accidental 'unset -f'.
--- a/lib/lib_cdi.sh
+++ b/lib/lib_cdi.sh
@@ -13,7 +13,7 @@
 guard_sourcing
 #######################################
-# CISS.debian.installer 'GRUB' and 'Autostart' generator.
+# CISS.debian.installer 'GRUB' and 'autostart' generator.
 # Globals:
 #   BASH_SOURCE
 #   VAR_HANDLER_BUILD_DIR
@@ -30,24 +30,19 @@ cdi() {
  if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then
    touch      "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.cdi"
    chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.cdi"
    if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin" ]]; then
      mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin"
    fi
-    cp "${VAR_WORKDIR}/scripts/usr/local/sbin/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
+    install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/local/sbin/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
    chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
    chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
    declare tmp_entry
    tmp_entry="$(mktemp)"
    cat << EOF >| "${tmp_entry}"
 menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
-        linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums components splash nopersistence toram ramdisk-size=1024M swap=true noautologin nottyautologin nox11autologin noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
+        linux /live/vmlinuz-${VAR_KERNEL} boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
        initrd /live/initrd.img-${VAR_KERNEL}
 }
 EOF
--- a/lib/lib_change_splash.sh
+++ b/lib/lib_change_splash.sh
@@ -15,6 +15,7 @@ guard_sourcing
 #######################################
 # Change Grub Boot Screen Splash
 # Globals:
 #   BASH_SOURCE
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_HANDLER_SPLASH
 #   VAR_WORKDIR
@@ -24,6 +25,8 @@ guard_sourcing
 #   0: on success
 #######################################
 change_splash() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
  if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then
    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'club.png' selected ...\e[0m\n"
@@ -42,6 +45,8 @@ change_splash() {
  fi
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
  return 0
 }
 ### Prevents accidental 'unset -f'.
--- a/lib/lib_check_dhcp.sh
+++ b/lib/lib_check_dhcp.sh
@@ -15,6 +15,7 @@ guard_sourcing
 #######################################
 # Check if hardened Centurion DNS servers are desired.
 # Globals:
 #   BASH_SOURCE
 #   VAR_HANDLER_DHCP
 #   VAR_WORKDIR
 # Arguments:
@@ -23,10 +24,14 @@ guard_sourcing
 #   0: on success
 #######################################
 check_dhcp() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
  if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then
    chmod +x "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh" && "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh"
  fi
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
  return 0
 }
 ### Prevents accidental 'unset -f'.
--- a/lib/lib_check_hooks.sh
+++ b/lib/lib_check_hooks.sh
@@ -13,8 +13,10 @@
 guard_sourcing
 #######################################
-# Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
+# Check and apply 0755 Permissions on every '"${VAR_HANDLER_BUILD_DIR}"/./config/hooks/live/*.chroot'-file.
 # Globals:
 #   BASH_SOURCE
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_WORKDIR
 # Arguments:
 #   None
@@ -22,11 +24,15 @@ guard_sourcing
 #   0: on success
 #   ERR_UNCRITICAL: on failure
 #######################################
-check_hooks() {
+x_hooks() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
  declare ifs
  ifs=$'\n\t'
  shopt -s nullglob
-  declare -a files=("${VAR_WORKDIR}"/config/hooks/live/*.chroot)
+
  declare -a files=("${VAR_HANDLER_BUILD_DIR}"/config/hooks/live/*.chroot)
  if (( ${#files[@]} == 0 )); then
@@ -43,9 +49,13 @@ check_hooks() {
  done
  shopt -u nullglob
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
-readonly -f check_hooks
+readonly -f x_hooks
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_check_kernel.sh
+++ b/lib/lib_check_kernel.sh
@@ -26,12 +26,9 @@ guard_sourcing
 #######################################
 check_kernel() {
  clear
  declare -i counter=1
  declare first_string=""
  declare line=""
  declare -gx VAR_KERNEL=""
-  declare name=""
+  declare -i  counter=1
-  declare options=""
+  declare     first_string="" line="" name="" options=""
  if [[ ${VAR_ARCHITECTURE} != arm64 ]]; then
--- a/lib/lib_check_pkgs.sh
+++ b/lib/lib_check_pkgs.sh
@@ -14,27 +14,32 @@ guard_sourcing
 #######################################
 # Check for required Deb Packages to run the script.
 # Globals:
 #   BASH_SOURCE
 #   VAR_HANDLER_AUTOBUILD
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 check_pkgs() {
-  apt-get update > /dev/null 2>&1
+  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
-  if [[ -z "$(command -v batcat || true)" ]]; then
+  apt-get update -qq > /dev/null 2>&1
-    apt-get install -y --no-install-recommends bat
+  if ! command -v lsb_release >/dev/null 2>&1; then
  fi
  if [[ -z "$(command -v lsb_release || true)" ]]; then
    apt-get install -y --no-install-recommends lsb-release
  fi
-  if [[ -z "$(command -v debootstrap || true)" ]]; then
+  if ! command -v batcat >/dev/null 2>&1; then
    apt-get install -y --no-install-recommends bat
  fi
  if ! command -v debootstrap >/dev/null 2>&1; then
    if grep -RqsE '^[[:space:]]*deb .*backports' /etc/apt/sources.list /etc/apt/sources.list.d; then
@@ -50,15 +55,21 @@ check_pkgs() {
  fi
  if ! command -v gpg >/dev/null 2>&1; then
    apt-get install -y --no-install-recommends gnupg gpgv gpg-agent pinentry-curses gnupg-utils
  fi
  if [[ ! -f /usr/share/live/build/VERSION ]]; then
    apt-get install -y live-build
  fi
-  if [[ "${VAR_HANDLER_AUTOBUILD}" == false ]]; then
+  if [[ "${VAR_HANDLER_AUTOBUILD}" == "false" ]]; then
-    if [[ -z "$(command -v dialog || true)" ]]; then
+    if ! command -v dialog >/dev/null 2>&1; then
      apt-get install -y --no-install-recommends dialog
@@ -66,16 +77,13 @@ check_pkgs() {
  fi
-  if [[ -z "$(command -v mkpasswd || true)" ]]; then
+  if ! command -v mkpasswd >/dev/null 2>&1; then
    apt-get install -y --no-install-recommends whois
  fi
-  # shellcheck disable=SC2034,SC2155
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
  declare -gr VAR_LB_VER="$(lb -v)"
  # shellcheck disable=SC2034,SC2155
  declare -gr VAR_DS_VER="$(debootstrap --version)"
  return 0
 }
--- a/lib/lib_check_provider.sh
+++ b/lib/lib_check_provider.sh
@@ -14,6 +14,10 @@ guard_sourcing
 #######################################
 # Notes Textbox.
 # Globals:
 #   VAR_GIT_REL
 #   VAR_NOTES
 #   VAR_VERSION
 # Arguments:
 #   None
 # Returns:
--- a/lib/lib_check_var.sh
+++ b/lib/lib_check_var.sh
@@ -17,9 +17,10 @@ guard_sourcing
 # Globals:
 #   ERR_UNBOUNDVAR
 # Arguments:
-#   $1: VAR_NAME to check
+#   1: VAR_NAME to check
 # Returns:
-#   {ERR_UNBOUNDVAR: on failure
+#   0: on success
 #   ERR_UNBOUNDVAR: on failure
 #######################################
 check_var() {
  declare var_name_to_check="$1"
@@ -43,6 +44,8 @@ check_var() {
    return "${ERR_UNBOUNDVAR}"
  fi
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/lib/lib_ciss_upgrades_boot.sh
+++ b/lib/lib_ciss_upgrades_boot.sh
@@ -0,0 +1,50 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Integrates primordial SSH identity- and / or ssh_host-files.
 # Globals:
 #   BASH_SOURCE
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_SIGNING_KEY_FPR
 #   VAR_SIGNING_KEY_PASSFILE
 #   VAR_WORKDIR
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 ciss_upgrades_boot() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
  ### Updates '/usr/lib/live/boot/0030-verify-checksums'.
  install -D -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
  declare var_sha="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512"
  declare var_sig="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512.sig"
  declare var_fil="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
  sha512sum "${var_fil}" >| "${var_sha}"
  gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
    --detach-sign --output "${var_sig}" "${var_sha}"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f ciss_upgrades_boot
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_ciss_upgrades_build.sh
+++ b/lib/lib_ciss_upgrades_build.sh
@@ -13,19 +13,30 @@
 guard_sourcing
 #######################################
-# Wrapper to update '/usr/lib/live/build/...' scripts.
+# Module to update '/usr/lib/live/build/...' scripts.
 # Globals:
-#   SCRIPT_BASEPATH
+#   BASH_SOURCE
-#   VAR_BUILD_LOG
+#   VAR_WORKDIR
 #   VAR_HANDLER_BUILD_DIR
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
-ciss_upgrades() {
+ciss_upgrades_build() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
  ### CISS signing binary-checksums override.
  if [[ ! -e /usr/lib/live/build/binary_checksums.original ]]; then
    cp /usr/lib/live/build/binary_checksums /usr/lib/live/build/binary_checksums.original
    chmod 0444 /usr/lib/live/build/binary_checksums.original
  fi
  rm -f /usr/lib/live/build/binary_checksums
  install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/lib/live/build/binary_checksums.sh" /usr/lib/live/build/binary_checksums
  ### https://wiki.debian.org/ReproducibleInstalls/LiveImages
  ### https://reproducible-builds.org/docs/system-images/
  ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes
  if [[ ! -e /usr/lib/live/build/binary_rootfs.original ]]; then
    cp /usr/lib/live/build/binary_rootfs /usr/lib/live/build/binary_rootfs.original
    chmod 0444 /usr/lib/live/build/binary_rootfs.original
@@ -40,5 +51,5 @@ ciss_upgrades() {
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
-readonly -f ciss_upgrades
+readonly -f ciss_upgrades_build
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_clean_up.sh
+++ b/lib/lib_clean_up.sh
@@ -13,33 +13,88 @@
 guard_sourcing
 #######################################
-# Clean Up Wrapper on Trap on 'ERR' and 'EXIT'.
+# Cleanup wrapper on the traps on 'ERR' and 'EXIT'.
 # Globals:
 #   VAR_CDLB_INSIDE_RUNNER
 #   GNUPGHOME
 #   LOG_ERROR
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_KERNEL_INF
 #   VAR_KERNEL_SRT
 #   VAR_KERNEL_TMP
 #   VAR_NOTES
 #   VAR_WORKDIR
 # Arguments:
 #   1 : ${trap_on_exit_code} of trap_on_exit()
 # Returns:
 #   0: on success
 #######################################
 clean_up() {
-  declare clean_exit_code="$1"
+  declare clean_exit_code="$1" fs_type=""
  shopt -s nullglob dotglob
  rm -f -- "${VAR_KERNEL_INF}"
  rm -f -- "${VAR_KERNEL_SRT}"
  rm -f -- "${VAR_KERNEL_TMP}"
  rm -f -- "${VAR_NOTES}"
  # Release advisory lock on FD 127.
  flock -u 127
  # Close file descriptor 127.
  exec 127>&-
  # Remove the lockfile artifact.
  rm -f /run/lock/ciss_live_builder.lock
  # Removes the error log on clean exit.
  if (( clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi
  # Cleaning TCP wrapper artifacts.
  if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
    rm -f "${VAR_WORKDIR}/hosts.allow"
  fi
  if [[ -f "${VAR_WORKDIR}/hosts.deny" ]]; then
    rm -f "${VAR_WORKDIR}/hosts.deny"
  fi
  # Kill gpg-agent and remove artifacts securely.
  if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
    if [[ -n "${GNUPGHOME:-}" && -d "${GNUPGHOME}" && "${GNUPGHOME}" == /dev/shm/cdlb_*_gnupg ]]; then
      gpgconf --kill gpg-agent >/dev/null 2>&1 || true
      fs_type="$(stat -f -c %T "${GNUPGHOME}" 2>/dev/null || echo "GNUPGHOME: unknown fs.")"
      if [[ "${fs_type}" == "tmpfs" || "${fs_type}" == "ramfs" ]]; then
        rm -rf --one-file-system -- "${GNUPGHOME}" 2>/dev/null || true
      else
        chmod -R u+rwX "${GNUPGHOME}" >/dev/null 2>&1 || true
        find "${GNUPGHOME}" -type f -exec shred -fuz -n 2 -- {} + 2>/dev/null || true
        find "${GNUPGHOME}" \( -type s -o -type p -o -type l \) -delete 2>/dev/null || true
        rm -rf --one-file-system -- "${GNUPGHOME}" 2>/dev/null || true
      fi
    fi
  fi
  # Removes secrets securely.
  # shellcheck disable=SC2312
  find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 -- no-run-if-empty shred -fzu -n 5 --
  find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
  shopt -u nullglob dotglob
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f clean_up
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_contact.sh
+++ b/lib/lib_contact.sh
@@ -13,9 +13,11 @@
 #######################################
 # Contact Wrapper CISS.debian.live.builder
 # Globals:
-#   none
+#   None
 # Arguments:
-#   none
+#   None
 # Returns:
 #   0: on success
 #######################################
 contact() {
  clear
@@ -38,5 +40,10 @@ $(echo -e "\e[95m  🌐 https://coresecret.eu/spenden/          \e[0m")
 $(echo -e "\e[97m################################################################################ \e[0m")
 EOF
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f contact
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_copy_integrity.sh
+++ b/lib/lib_copy_integrity.sh
@@ -20,21 +20,26 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0 : Aide Init DB copying successful.
+#   0 : on success
 #######################################
 copy_db() {
  # printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${BASH_SOURCE[0]}"
  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.integrity" ]]; then
    mkdir -p "${VAR_HANDLER_BUILD_DIR}/.integrity"
  fi
  if cp -p "${VAR_HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${VAR_HANDLER_BUILD_DIR}/.integrity/"; then
    chmod 0400 "${VAR_HANDLER_BUILD_DIR}/.integrity/"*
-    # printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+
    return 0
  else
    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ '%s' NOT successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
  fi
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f copy_db
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_debug.sh
+++ b/lib/lib_debug.sh
@@ -13,47 +13,63 @@
 guard_sourcing
 #######################################
-# Debugger Wrapper for xtrace to Debug Log
+# Debugger module for xtrace to debug log.
 # Globals:
 #   BASH_SOURCE
 #   BASH_XTRACEFD
 #   LOG_DEBUG
 #   LOG_VAR
 #   PS4
 #   SHELLOPTS
 #   VAR_DUMP_VARS_INITIAL
 #   VAR_EARLY_DEBUG
-#   var
+#   VAR_ISO8601
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 debugger() {
  ### Capture an initial snapshot of all variables (excluding '^(BASH|_).*')
  # shellcheck disable=SC2155
  declare -grx VAR_DUMP_VARS_INITIAL=$(mktemp)
  # shellcheck disable=SC2312
  {
    declare var
    while IFS= read -r var; do
      declare -p "${var}" 2>/dev/null
    done < <(compgen -v | grep -Ev '^(BASH|_).*')
  } | sort >| "${VAR_DUMP_VARS_INITIAL}"
  declare -gx VAR_EARLY_DEBUG="true"
  ### Set a verbose PS4 prompt including timestamp, source, line, exit status, and function name
-  declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
+
-  # shellcheck disable=SC2155
+  declare -grx PS4='\e[97m+\e[96m[${EPOCHREALTIME}]\e[97m:\e[94m[$$]\e[97m:\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[97m:\e[93m[${?}]\e[97m:\e[95m[${FUNCNAME[0]:-main}()]\e[97m>>\e[0m '
-  declare -grx LOG_DEBUG="/tmp/ciss_live_builder_$$_debug.log"
+  declare -grx LOG_DEBUG="/tmp/cdlb_${VAR_ISO8601}_debug.log"
-  declare -grx LOG_VAR="/tmp/ciss_live_builder_$$_var.log"
+  declare -grx LOG_VAR="/tmp/cdlb_${VAR_ISO8601}_var.log"
  ### Generates empty LOG_DEBUG and LOG_VAR
  touch "${LOG_DEBUG}" && chmod 0600 "${LOG_DEBUG}"
  touch "${LOG_VAR}"   && chmod 0600 "${LOG_VAR}"
  ### Open file descriptor 42 for writing to the debug log
  exec 42>| "${LOG_DEBUG}"
  ### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
  debug_header "$#" "$*"
  ### Tell Bash to send xtrace output to FD 42
  export BASH_XTRACEFD=42
  ### Enable inheritable shell options
  export SHELLOPTS
  ### Turn on xtrace
  set -x
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f debugger
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_debug_header.sh
+++ b/lib/lib_debug_header.sh
@@ -13,7 +13,7 @@
 guard_sourcing
 #######################################
-# Generates Debug Log Header
+# Generates the debug log header.
 # Globals:
 #   BASHOPTS
 #   BASH_VERSINFO
@@ -22,21 +22,27 @@ guard_sourcing
 #   HOSTNAME
 #   PPID
 #   PWD
 #   SHELLOPTS
 #   SOURCE_DATE_EPOCH
 #   UID
 #   VAR_GIT_REL
 #   VAR_SYSTEM
 #   VAR_VERSION
 # Arguments:
-#   $0: Script Name $0
+#   0: Script Name $0
-#   $1: Argument Counter $#
+#   1: Argument Counter $#
-#   $2: Argument String $*
+#   2: Argument String $*
 #######################################
 debug_header() {
  declare -r arg_counter="$1"
  declare -r arg_string="$2"
  # shellcheck disable=SC2312
  {
    printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
    printf "\e[97m+\e[0m\e[92m%s: Git Commit                : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_REL}"
    printf "\e[97m+\e[0m\e[92m%s: Version                   : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_VERSION}"
    printf "\e[97m+\e[0m\e[92m%s: Epoch                     : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EPOCHREALTIME}"
    printf "\e[97m+\e[0m\e[92m%s: Source Date Epoch         : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${SOURCE_DATE_EPOCH}"
    printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[0]}"
    printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[1]}"
    printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[2]}"
@@ -58,4 +64,7 @@ debug_header() {
    printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
  } >&42
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f debug_header
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_git_var.sh
+++ b/lib/lib_git_var.sh
@@ -1,36 +0,0 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Define Git Repo related Variables.
 # Globals:
 #   VAR_GIT_HEAD
 #   VAR_GIT_REL
 #   VAR_GIT_REL_DATE
 #   VAR_GIT_REL_DATE_TIME
 #   VAR_GIT_REL_SHORT
 # Arguments:
 #   None
 #######################################
 check_git() {
  # shellcheck disable=SC2155
  if git rev-parse --is-inside-work-tree &>/dev/null; then
    declare -grx VAR_GIT_REL="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
    declare -grx VAR_GIT_REL_SHORT="${VAR_GIT_REL%% *}"
    declare -grx VAR_GIT_REL_DATE_TIME="${VAR_GIT_REL#* }"
    declare -grx VAR_GIT_REL_DATE="${VAR_GIT_REL_DATE_TIME% *}"
    declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
  fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_gnupg.sh
+++ b/lib/lib_gnupg.sh
@@ -0,0 +1,87 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Init GNUPGHOME.
 # Globals:
 #   BASH_SOURCE
 #   GNUPGHOME
 #   VAR_CDLB_INSIDE_RUNNER
 #   VAR_EARLY_DEBUG
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_ISO8601
 #   VAR_SIGNER
 #   VAR_SIGNING_KEY
 #   VAR_SIGNING_KEY_FPR
 #   VAR_SIGNING_KEY_PASS
 #   VAR_SIGNING_KEY_PASSFILE
 #   VAR_TMP_SECRET
 #   VAR_VERIFY_KEYRING
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 init_gnupg() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
  if [[ "${VAR_SIGNER}" == "true" ]]; then
    __umask=$(umask)
    umask 0077
    ### Avoid collision with Gitea runner workflows.
    if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
      declare -grx GNUPGHOME="/dev/shm/cdlb_${VAR_ISO8601}_gnupg"
      # shellcheck disable=SC2174
      mkdir -p -m 0700 "${GNUPGHOME}"
      echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
      gpgconf --reload gpg-agent || true
    fi
    gpg --batch --import "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
    shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
    gpg --batch --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}_public.gpg"
    gpg --batch --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums_public.gpg"
    declare -grx VAR_VERIFY_KEYRING="${GNUPGHOME}/pubring.kbx"
    declare -grx VAR_SIGNING_KEY_PASSFILE="${VAR_TMP_SECRET}/${VAR_SIGNING_KEY_PASS}"
    ### No tracing for security reasons ------------------------------------------------------------------------------------------
    [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
    declare __pw=""
    __pw="$(<"${VAR_SIGNING_KEY_PASSFILE}")"; __pw="${__pw%$'\r'}"; printf '%s' "${__pw}" >| "${VAR_SIGNING_KEY_PASSFILE}"
    __pw="" && unset __pw
    ### Turn on tracing again ----------------------------------------------------------------------------------------------------
    [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
    umask "${__umask}"
    __umask=""
  fi
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f init_gnupg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_guard_sourcing.sh
+++ b/lib/lib_guard_sourcing.sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 #######################################
-# Prevent the caller LIB-file from being sourced twice.
+# Prevents the caller LIB-file from being sourced twice.
 # Derive a safe guard-variable name from the caller script filename.
 # Globals:
 #   BASH_SOURCE
 # Arguments:
-#   $1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.)
+#   1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.)
 # Returns:
 #   0: Returns '0' in both cases as they are intended to be successful.
 #######################################
@@ -37,6 +37,10 @@ guard_sourcing() {
  ### Mark as loaded (readonly + exported)
  declare -grx "${var_guard_var}"=1
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f guard_sourcing
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_hardening_root_pw.sh
+++ b/lib/lib_hardening_root_pw.sh
@@ -15,18 +15,22 @@ guard_sourcing
 #######################################
 # Updates the Live ISO to use root password authentication for local console access.
 # Globals:
 #   BASH_SOURCE
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_HASHED_PWD
 # Arguments:
 #   None
 # Returns:
-#   0: In case no root password is desired.
+#   0: on success
 #######################################
 hardening_root_pw() {
-  if [[ -z ${VAR_HASHED_PWD} ]]; then
+  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
  if [[ -z ${VAR_HASHED_PWD} ]]; then
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
    return 0
  fi
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Setup Root Password for Console ... \e[0m\n"
@@ -79,5 +83,12 @@ EOF
  #chmod -x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setup Root Password for Console done. \e[0m\n"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f hardening_root_pw
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_hardening_ssh_tcp.sh
+++ b/lib/lib_hardening_ssh_tcp.sh
@@ -13,17 +13,33 @@
 guard_sourcing
 #######################################
-# SSH Hardening Ultra via TCP Wrapper
+# SSH hardening via TCP wrapper.
 # Globals:
 #   ARY_HANDLER_JUMPHOST
 #   BASH_SOURCE
 #   VAR_WORKDIR
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
-hardening_ssh() {
+hardening_ssh_tcp() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
  if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
    declare allowed=""
    cat << 'EOF' >| "${VAR_WORKDIR}/hosts.allow"
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # /etc/hosts.allow: list of hosts that are allowed to access the system.
 #                   See the manual pages hosts_access(5) and hosts_options(5).
 #
@@ -37,9 +53,20 @@ hardening_ssh() {
 EOF
    allowed=$(echo "${ARY_HANDLER_JUMPHOST[*]}" | tr '\n' ' ')
-    printf 'sshd: %s\n' "${allowed}" >> "${VAR_WORKDIR}/hosts.allow"
+    printf 'sshd: %s\n\n# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf\n' "${allowed}" >> "${VAR_WORKDIR}/hosts.allow"
    cat << 'EOF' >| "${VAR_WORKDIR}/hosts.deny"
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
 #                  See the manual pages hosts_access(5) and hosts_options(5).
 #
@@ -59,7 +86,15 @@ EOF
 ALL: ALL
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
  fi
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f hardening_ssh_tcp
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_hardening_ultra.sh
+++ b/lib/lib_hardening_ultra.sh
@@ -13,24 +13,29 @@
 guard_sourcing
 #######################################
-# Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image.
+# Module for accompanying all 'CISS.debian.hardening' features into the Live ISO image.
 # Globals:
 #   ARY_HANDLER_JUMPHOST
 #   ARY_HANDLER_JUMPHOST_UNIQUE
 #   BASH_SOURCE
 #   VAR_ARCHITECTURE
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_SSHFP
 #   VAR_SSHPORT
 #   VAR_SSHPUBKEY
 #   VAR_WORKDIR
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 hardening_ultra() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
  # shellcheck disable=SC2164
  cd "${VAR_WORKDIR}"
-
+  ### ./config/bootloaders -----------------------------------------------------------------------------------------------------
  ### ./config/bootloaders
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
@@ -47,7 +52,7 @@ hardening_ultra() {
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"
-  ### ./config/includes.binary
+  ### ./config/includes.binary -------------------------------------------------------------------------------------------------
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
@@ -64,7 +69,7 @@ hardening_ultra() {
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"
-  ### ./config/includes.chroot
+  ### ./config/includes.chroot -------------------------------------------------------------------------------------------------
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
@@ -85,7 +90,7 @@ hardening_ultra() {
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"
-  ### ./config/hooks/early
+  ### ./config/hooks/early -----------------------------------------------------------------------------------------------------
  if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then
    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n"
@@ -106,7 +111,7 @@ hardening_ultra() {
  fi
-  ### ./config/hooks/live
+  ### ./config/hooks/live ------------------------------------------------------------------------------------------------------
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
@@ -123,7 +128,7 @@ hardening_ultra() {
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
-
+  ### ./config/package-lists ---------------------------------------------------------------------------------------------------
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
    mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
@@ -167,34 +172,17 @@ hardening_ultra() {
    }
    print
    }
-    ' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
+    ' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" >| temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
-  ### Updating SSH Keys, Ports.
+  ### Updating SSH Keys, Ports -------------------------------------------------------------------------------------------------
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
-  ### Check for static SSHFP key material via Gitea Actions Runner Secrets injection.
+  ### ./config/includes.chroot/root/.ssh ---------------------------------------------------------------------------------------
-  if [[ "${VAR_SSHFP}" == "true" ]]; then
+  install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
-
+  install -m 0600 -o root -g root "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/"
    rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9930_hardening_ssh.chroot"
    rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
  else
    rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot"
    rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
  fi
  ### /config/includes.chroot/root/.ssh
  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"  ]]; then
    mkdir -p  "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
    cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
    chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
    chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
  declare -r sshport="${VAR_SSHPORT:-22}"
@@ -209,7 +197,6 @@ hardening_ultra() {
  ### /config/hooks/live/0900_ufw_setup.chroot
  sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
  ### /config/hooks/live/0900_ufw_setup.chroot
  if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
@@ -223,8 +210,10 @@ hardening_ultra() {
    line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
    if [[ -z "${line}" ]]; then
      printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
      exit 1
    fi
    declare host
@@ -239,78 +228,26 @@ hardening_ultra() {
  fi
  else
    cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
    chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
    chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
    declare -r sshport="${VAR_SSHPORT:-22}"
    ### /config/includes.chroot/etc/ssh/sshd_config
    # shellcheck disable=SC2155
    declare pad="$(printf '%-29s' 'Port')"
    sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
    ### /config/hooks/live/9950_hardening_fail2ban.chroot
    sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
    ### /config/hooks/live/0900_ufw_setup.chroot
    sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
    ### /config/hooks/live/0900_ufw_setup.chroot
    if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
      declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
      sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
      declare line
      # shellcheck disable=SC2312
      line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
      if [[ -z "${line}" ]]; then
        printf "\e[91m❌ Error: 'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
        exit 1
      fi
      declare host
      for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
        ((line++))
        sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
      done
    fi
  fi
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n"
-  ### /config/includes.chroot/etc/hosts.allow
+  ### ./config/includes.chroot/etc/hosts. --------------------------------------------------------------------------------------
  if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n"
-    cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
+    mv "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
-    cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
+    mv "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
    chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
    chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
    rm -f "${VAR_WORKDIR}/hosts.allow"
    rm -f "${VAR_WORKDIR}/hosts.deny"
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n"
  fi
-  ### /config/hooks/live/9950_hardening_fail2ban.chroot
+  ### ./config/hooks/live/9950_hardening_fail2ban.chroot -----------------------------------------------------------------------
  if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
@@ -338,5 +275,12 @@ hardening_ultra() {
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n"
  fi
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f hardening_ultra
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_helper_ip.sh
+++ b/lib/lib_helper_ip.sh
@@ -13,16 +13,17 @@
 guard_sourcing
 #######################################
-# IP Notation cleaner for pure IP output only
+# IP notation cleaner for pure IP output only.
 # Globals:
 #   ARY_HANDLER_JUMPHOST
 #   ARY_HANDLER_JUMPHOST_UNIQUE
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 clean_ip() {
-  declare host
+  declare host="" stripped=""
  declare stripped
  for host in "${ARY_HANDLER_JUMPHOST[@]}"; do
    # Remove leading '[' and trailing ']'
    stripped="${host#\[}"
@@ -32,7 +33,12 @@ clean_ip() {
        continue
    fi
    # Directly append, no duplicate check
    # shellcheck disable=SC2034
    declare -ga ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}")
  done
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f clean_ip
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_lb_build_start.sh
+++ b/lib/lib_lb_build_start.sh
@@ -15,7 +15,7 @@ guard_sourcing
 #######################################
 # Wrapper to write a new 'lb config' environment.
 # Globals:
-#   SCRIPT_BASEPATH
+#   VAR_WORKDIR
 #   VAR_BUILD_LOG
 #   VAR_HANDLER_BUILD_DIR
 # Arguments:
@@ -25,23 +25,29 @@ guard_sourcing
 #   ERR_UNCRITICAL: on failure
 #######################################
 lb_build_start() {
  declare -i var_build_rc=""
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}"
  # shellcheck disable=SC2164
-  cd "${SCRIPT_BASEPATH}"
+  cd "${VAR_WORKDIR}"
  # shellcheck disable=SC2164
  cd "${VAR_HANDLER_BUILD_DIR}"
  # shellcheck disable=SC2312
-  if lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"; then
+  lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"
  var_build_rc=${PIPESTATUS[0]}
  if [[ "${var_build_rc}" -eq 0 ]]; then
    printf "\e[92m✅ Build successfully completed.\e[0m\n"
  else
    printf "\e[91m❌ Build failed!\e[0m\n" >&2
-    exit "${ERR_UNCRITICAL}"
+    exit "${var_build_rc}"
  fi
--- a/lib/lib_lb_config_start.sh
+++ b/lib/lib_lb_config_start.sh
@@ -15,12 +15,15 @@ guard_sourcing
 #######################################
 # Wrapper for 'lb config' - set up a build environment or deleting old build artifacts.
 # Globals:
 #   BASH_SOURCE
 #   VAR_HANDLER_BUILD_DIR
 # Arguments:
-#   0: Script-name
+#   None
 # Returns:
 #   0: on success
 #######################################
 lb_config_start() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
  if [[ ! -d ${VAR_HANDLER_BUILD_DIR} ]]; then
@@ -36,30 +39,27 @@ lb_config_start() {
  fi
-  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then
+  if [[ -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then
    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Preparing environment ... \e[0m\n"
    # Start lb config in a completely detached shell
    bash -c "lb config" &
    disown
    sleep 1
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Preparing environment done.\e[0m\n"
  else
    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Deleting former config, binary and cache ... \e[0m\n"
-    rm -f ./config/binary
+
-    rm -f ./config/bootstrap
+    lb clean --binary --cache --purge --source
-    rm -f ./config/chroot
+
-    rm -f ./config/common
+    if [[ "${PWD}" == "${VAR_HANDLER_BUILD_DIR}" && "${PWD}" != "/" && -n "${PWD}" ]]; then
-    rm -f ./config/source
+
-    rm -f ./*.{contents,files,iso,bz2,packages}
+      rm -rf -- ./* ./.??*
-    # Start lb clean in a completely detached shell
+
-    bash -c "lb clean && lb clean --binary --cache" &
+    fi
-    disown
+
    sleep 1
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Deleting former config, binary and cache done.\e[0m\n"
  fi
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f lb_config_start
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_lb_config_write_trixie.sh
+++ b/lib/lib_lb_config_write_trixie.sh
@@ -15,18 +15,19 @@ guard_sourcing
 #######################################
 # Wrapper to write a new 'lb config' environment.
 # Globals:
 #   BASH_SOURCE
 #   VAR_ARCHITECTURE
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_HANDLER_ISO_COUNTER
 #   VAR_KERNEL
 #   VAR_VERSION
 #   VAR_WORKDIR
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 lb_config_write_trixie() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"
  lb config \
@@ -41,10 +42,10 @@ lb_config_write_trixie() {
    --binary-filesystem fat32 \
    --binary-image iso-hybrid \
    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
-    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
+    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
    --bootloaders grub-efi \
    --cache true \
-    --checksums sha512 sha256 md5 \
+    --checksums sha512 sha384 sha256 \
    --chroot-filesystem squashfs \
    --chroot-squashfs-compression-level 22 \
    --chroot-squashfs-compression-type zstd \
@@ -104,33 +105,10 @@ lb_config_write_trixie() {
  sleep 1
  sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
  sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
  sed -i 's/^LB_CHECKSUMS=.*/LB_CHECKSUMS="sha512 sha384 sha256"/' ./config/binary
  sed -i 's/^LB_DM_VERITY=.*/LB_DM_VERITY="false"/'                ./config/binary
  ### Update 0030-verify-checksums
  mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot"
  cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
  chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
  chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
  ### Installing PGP Public Keys for signature verification.
  #mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
  #install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg"
  #install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg"
  #### Installing PGP Private Deploy Key for signature creation
  #mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/private_keys"
  #cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/private_keys/"
 #{{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
 #EOF
  #if grep -q '{{ secrets.' /root/.config/sops/age/keys.txt; then
  #  : >| /root/.config/sops/age/keys.txt
  #fi
  #chmod 0400 /root/.config/sops/age/keys.txt
  ### https://wiki.debian.org/ReproducibleInstalls/LiveImages
  ### https://reproducible-builds.org/docs/system-images/
@@ -156,6 +134,7 @@ EOF
  chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
  return 0
 }
--- a/lib/lib_note_target.sh
+++ b/lib/lib_note_target.sh
@@ -13,6 +13,15 @@
 #######################################
 # Version file generator for '/root/cdlb.txt' of Live ISO.
 # Globals:
 #   BASH_SOURCE
 #   SOURCE_DATE_EPOCH
 #   VAR_BASH_VER
 #   VAR_DATE_INFO
 #   VAR_DS_VER
 #   VAR_GIT_REL
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_HOST
 #   VAR_LB_VER
 #   VAR_VERSION
 # Arguments:
 #   None
@@ -31,6 +40,7 @@ note_target() {
  Version     : ${VAR_VERSION}
  Git         : ${VAR_GIT_REL}
  Epoch       : ${SOURCE_DATE_EPOCH}
  Date        : ${VAR_DATE_INFO}
  Host        : ${VAR_HOST}
  Bash        : ${VAR_BASH_VER}
@@ -63,6 +73,7 @@ export CDLB_CR_HOST="${VAR_HOST}"
 export CDLB_BASHVER="${VAR_BASH_VER}"
 export CDLB_DS_VER="${VAR_DS_VER}"
 export CDLB_LB_VER="${VAR_LB_VER}"
 export CDLB_SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH}"
 EOF
  chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ciss-debian-live-builder.env"
--- a/lib/lib_primordial.sh
+++ b/lib/lib_primordial.sh
@@ -0,0 +1,63 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Integrate primordial SSH identity files.
 # Globals:
 #   BASH_SOURCE
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_SSHFP
 #   VAR_TMP_SECRET
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 init_primordial() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
  if [[ ! "${VAR_SSHFP,,}" == "true" ]]; then
    if compgen -G "${VAR_TMP_SECRET}/id*" > /dev/null; then
      shred -fzu -n 5 -- "${VAR_TMP_SECRET}/id"*
    fi
    if compgen -G "${VAR_TMP_SECRET}/ssh_host_*" > /dev/null; then
      shred -fzu -n 5 -- "${VAR_TMP_SECRET}/ssh_host_"*
    fi
  else
    install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
    install -m 0600 "${VAR_TMP_SECRET}/id"* "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/"
    shred -fzu -n 5 -- "${VAR_TMP_SECRET}/id"* 2>/dev/null || rm -f "${VAR_TMP_SECRET}/id"*
    install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh"
    install -m 0600 "${VAR_TMP_SECRET}/ssh_host_"* "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh/"
    shred -fzu -n 5 -- "${VAR_TMP_SECRET}/ssh_host_"* 2>/dev/null || rm -f "${VAR_TMP_SECRET}/ssh_host_"*
  fi
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f init_primordial
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_provider_netcup.sh
+++ b/lib/lib_provider_netcup.sh
@@ -13,12 +13,21 @@
 guard_sourcing
 #######################################
-# Notes Textbox
+# Module for Netcup static IPv6 address.
 # Globals:
 #   ARY_HANDLER_NETCUP_IPV6
 #   BASH_SOURCE
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_HANDLER_NETCUP_IPV6
 #   VAR_WORKDIR
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 provider_netcup() {
  if "${VAR_HANDLER_NETCUP_IPV6}"; then
    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
    declare handler_netcup_ipv6_string="${ARY_HANDLER_NETCUP_IPV6[*]}"
@@ -29,8 +38,8 @@ provider_netcup() {
 ### Static IPv6 Address for Netcup Root Server
 iface ens3 inet6 static
    address ${handler_netcup_ipv6_string}/128
-    ### dns01.eddns.eu dns02.eddns.de
+    ### dns01.eddns.eu dns02.eddns.de dns03.eddns.eu
-    dns-nameservers 2a01:4f9:c012:a813:135:181:207:105 2a0a:4cc0:1:e6:89:58:62:53
+    dns-nameservers 2a01:4f9:c012:a813:135:181:207:105 2a0a:4cc0:1:e6:89:58:62:53 2a01:4f8:c013:8011:138:199:237:109
    gateway fe80::1
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -42,6 +51,12 @@ EOF
    chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
  fi
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f provider_netcup
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_trap_on_err.sh
+++ b/lib/lib_trap_on_err.sh
@@ -138,7 +138,9 @@ readonly -f print_scr_err
 #   ERRFUNC
 #   ERRLINE
 #   ERRSCRT
 #   ERRTRAP
 #   VAR_EARLY_DEBUG
 #   VAR_HANDLER_AUTOBUILD
 # Arguments:
 #   1: $?
 #   2: ${BASH_SOURCE[0]}
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -39,13 +39,13 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CLB(1)                        CISS.debian.live.builder                        CLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.296.2025.10.29                        2025-10-07                        CLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.384.2025.11.06                        2025-11-07                        CLB(1)" "${var_cols}")
  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.296.2025.10.29\e[0m"
+    echo -e "\e[92mMaster V8.13.384.2025.11.06\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
@@ -57,70 +57,64 @@ usage() {
    echo "    What you're looking at."
    echo
    echo -e "\e[97m  --autobuild=*, -a=* \e[0m"
-    echo "    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel"
+    echo "    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel selector dialog."
-    echo "    selector dialog. Change '*' to your desired Linux kernel and trim the"
+    echo "    Change '*' to your desired Linux kernel and trim the 'linux-image-' string to select a specific kernel,"
-    echo "    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'."
+    echo "    e.g. '--autobuild=6.12.30+bpo-amd64'."
    echo
    echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64> \e[0m"
    echo "    A string reflecting the architecture of the Live System."
    echo "    MUST be provided."
    echo
    echo -e "\e[97m  --build-directory </path/to/build_directory> \e[0m"
    echo "    RECOMMENDED path: </opt/cdlb>"
    echo "    Where the Debian Live Build Image should be generated."
    echo "    MUST be provided."
    echo
    echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m"
-    echo "    A string reflecting the Grub Boot Screen Splash you want to use."
+    echo "    A string reflecting the Grub Boot Screen Splash you want to use. If omitted defaults to:"
-    echo "    If omitted defaults to './.archive/background/club.png'."
+    echo "    <./.archive/background/club.png>"
    echo
    echo -e "\e[97m  --cdi (Experimental Feature)\e[0m"
-    echo "    This option generates a boot menu entry to start the forthcoming"
+    echo "    This option creates a boot menu entry that starts the forthcoming 'CISS.debian.installer', which is executed"
-    echo "    'CISS.debian.installer', which will be executed after"
+    echo "    once the system has successfully booted up."
    echo "    the system has successfully booted up."
    echo
    echo -e "\e[97m  --contact, -c\ e[0m"
    echo "    Show author contact information."
    echo
-    echo -e "\e[97m  --control <INTEGER>\e[0m"
+    echo -e "\e[97m  --control <STRING>\e[0m"
-    echo "    An integer that reflects the version of your Live ISO Image."
+    echo "    A string, that reflects the version of your Live ISO Image."
    echo "    MUST be provided."
    echo
    echo -e "\e[97m  --debug, -d \e[0m"
-    echo "    Enables debug logging for the main program routine. Detailed logging"
+    echo "    Enables debug logging for the main program routine. Detailed logging information are written to:"
-    echo "    information are written to '/tmp/ciss_live_builder_$$.log'."
+    echo "    </tmp/ciss_live_builder_$$.log>"
    echo
    echo -e "\e[97m  --dhcp-centurion \e[0m"
-    echo "    If a DHCP lease is provided, the provider's nameserver will be overridden,"
+    echo "    If a DHCP lease is provided, the provider's name server will be overridden and the hardened, privacy-focused "
-    echo "    and only the hardened, privacy-focused Centurion DNS servers will be used:"
+    echo "    Centurion DNS servers will be used instead:"
    echo "      - https://dns01.eddns.eu/"
    echo "      - https://dns02.eddns.de/"
    echo "      - https://dns03.eddns.eu/"
    echo
    echo -e "\e[97m  --jump-host <IP | IP | ... > \e[0m"
-    echo "    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access."
+    echo "    Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6 "
-    echo "    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation."
+    echo "    addresses and / or CCDIR notation. If provided, than it MUST be a <SPACE> separated list."
    echo "    If provided, than it MUST be a <SPACE> separated list."
    echo "    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64."
    echo
    echo -e "\e[97m  --log-statistics-only\e[0m"
-    echo "    Provides statistic only after successful building a"
+    echo "    Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only'"
-    echo "    CISS.debian.live-ISO. While enabling '--log-statistics-only'"
+    echo "    the argument '--build-directory' MUST be provided."
    echo "    the argument '--build-directory' MUST be provided while"
    echo "    all further options MUST be omitted."
    echo
    echo -e "\e[97m  --provider-netcup-ipv6 \e[0m"
-    echo "    Activates IPv6 support for Netcup Root Server. One unique"
+    echo "    Activates IPv6 support for Netcup Root Server. One unique IPv6 address MUST be provided in this case and MUST be"
-    echo "    IPv6 address MUST be provided in this case and MUST be encapsulated"
+    echo "    encapsulated with [], e.g., [1234::abcd]."
    echo "    with [], e.g., [1234::abcd]."
    echo
    echo -e "\e[97m  --renice-priority <PRIORITY> \e[0m"
-    echo "    Reset the nice priority value of the script and all its children"
+    echo "    Reset the nice priority value of the script and all its children to the desired <PRIORITY>. MUST be an integer"
-    echo "    to the desired <PRIORITY>. MUST be an integer (between '-19' and 19)."
+    echo "    between '-19' and 19. Negative (higher) values MUST be enclosed in double quotes '\"'."
    echo "    Negative (higher) values MUST be enclosed in double quotes '\"'."
    echo
    echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY> \e[0m"
-    echo "    Reset the ionice priority value of the script and all its children"
+    echo "    Reset the ionice priority value of the script and all its children to the desired <CLASS>. MUST be an integer:"
    echo "    to the desired <CLASS>. MUST be an integer:"
    echo "      1: realtime"
    echo "      2: best-effort"
    echo "      3: idle"
@@ -129,31 +123,39 @@ usage() {
    echo "      0: highest priority and"
    echo "      7: lowest priority."
    echo "    Defaults to '4'."
-    echo "    A real-time I/O process can significantly slow down other processes"
+    echo "    A real-time I/O process can significantly slow down other processes or even cause them to starve if it"
-    echo "    or even cause them to starve if it continuously requests I/O."
+    echo "    continuously requests I/O."
    echo
-    echo -e "\e[97m  --root-password-file </path/to/password.txt> \e[0m"
+    echo -e "\e[97m  --root-password-file </dev/shm/cdlb_secrets/password.txt>> \e[0m"
-    echo "    Password file for 'root', if given, MUST be a string of 20 to 64 characters,"
+    echo "    Password file for 'root', if given, MUST be a string of 42 to 64 characters."
-    echo "    and MUST NOT contain the special character '\"'."
+    echo "    If the argument is omitted, no further login authentication is required for the local console."
-    echo "    If the argument is omitted, no further login authentication is required for"
+    echo "    MUST be placed in:"
-    echo "    the local console. The root password is hashed with an 16 Byte '/dev/random'"
+    echo "    </dev/shm/cdlb_secrets/password.txt>"
-    echo "    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately"
+    echo
-    echo "    after Hash generation all Variables containing plain password fragments are"
+    echo -e "\e[97m  --signing_key=* and --signing_key_fpr=*; if desired then additionally --signing_key_pass=* \e[0m"
-    echo "    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without"
+    echo "    The GPG private keyring that should be used for signing artifacts such as checksum hashes and scripts is"
-    echo "    further prompt after password hash has been successfully generated via:"
+    echo "    specified via '--signing_key=*'. If the keyring is passphrase protected provide the passphrase in its own file."
-    echo "    'shred -vfzu 5 -f'."
+    echo "    Specify the fingerprint of the key to use via '--signing_key_fpr=*'."
-    echo "    'No tracing of any plain text password fragment in any debug log."
+    echo "    Change '*' to your desired files / fingerprint. Files MUST be placed in:"
    echo "    </dev/shm/cdlb_secrets>"
    echo
    echo -e "\e[97m  --sshfp \e[0m"
    echo "    Desired SSH id-files that should be incorporated in '/root/.ssh/id*'."
    echo "    Desired SSH host-files that should be incorporated in '/etc/ssh/ssh_host_*'."
    echo "    The respective id-files and / or host-files MUST be placed in:"
    echo "    </dev/shm/cdlb_secrets/id*> / </dev/shm/cdlb_secrets/ssh_host_*>"
    echo
    echo -e "\e[97m  --ssh-port <INTEGER> \e[0m"
    echo "    The desired Port SSH should listen to."
    echo "    If not provided defaults to Port '22'."
    echo
-    echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/> \e[0m"
+    echo -e "\e[97m  --ssh-pubkey </dev/shm/cdlb_secrets/> \e[0m"
-    echo "    Imports the SSH Public Key from the FILE 'authorized_keys' of the"
+    echo "    Imports the SSH Public Key from the file 'authorized_keys' into the Live ISO."
-    echo "    specified PATH into the Live ISO. MUST be provided."
+    echo "    Key file MUST be placed in:"
    echo "    </dev/shm/cdlb_secrets/authorized_keys>"
    echo
    echo -e "\e[97m  --trixie \e[0m"
-    echo "    Create a Debian Trixie Live ISO."
+    echo "    Creates a Debian Trixie Live ISO. If omitted defaults to 'Trixie'. No other Debian Version is supported."
    echo
    echo -e "\e[97m  --version, -v \e[0m"
    echo "    Show version of ${0}."
--- a/lib/lib_version.sh
+++ b/lib/lib_version.sh
@@ -11,26 +11,20 @@
 # SPDX-Security-Contact: security@coresecret.eu
 #######################################
-# Version Wrapper CISS.debian.live.builder
+# Version module 'CISS.debian.live.builder'.
 # Globals:
 #   VAR_BASH_VER
 #   VAR_GIT_REL
 #   VAR_HOST
 #   VAR_VERSION
 #   VAR_VER_DS
 #   VAR_VER_LB
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 version() {
  # shellcheck disable=SC2155
  declare -r var_repo_ver="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
  # shellcheck disable=SC2155
  declare -r var_lb_ver="$(lb -v)"
  # shellcheck disable=SC2155
  declare -r var_ds_ver="$(debootstrap --version)"
  # shellcheck disable=SC2155
  declare -r var_host="$(uname -n)"
  # shellcheck disable=SC2155
  declare -r var_bash_ver="$(bash --version | head -n1 | awk '{print $4" "$5" "$6}')"
  clear
  cat << EOF
 $(echo -e "\e[97m################################################################################ \e[0m")
@@ -38,7 +32,7 @@ $(echo -e "\e[92m  CISS.debian.live.builder from https://git.coresecret.dev/msw
 $(echo -e "\e[92m  A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
  Version : ${VAR_VERSION}
-  Git     : ${var_repo_ver}
+  Git     : ${VAR_GIT_REL}
 $(echo -e "\e[97m  This program is free software. Distribution and modification under  \e[0m")
 $(echo -e "\e[97m  EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! \e[0m")
@@ -47,9 +41,9 @@ $(echo -e "\e[97m  EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OW
 $(echo -e "\e[95m  https://git.coresecret.dev/msw/CISS.debian.live.builder/issues \e[0m")
 $(echo -e "\e[97m################################################################################\e[0m")
-  Using   : lb (${var_lb_ver}) debootstrap (${var_ds_ver})
+  Using   : lb (${VAR_VER_LB}) debootstrap (${VAR_VER_DS})
-  on      : ${var_host}
+  on      : ${VAR_HOST}
-  Bash    : ${var_bash_ver}
+  Bash    : ${VAR_BASH_VER}
 EOF
--- a/scripts/live-boot/0030-verify-checksums
+++ b/scripts/live-boot/0030-verify-checksums
@@ -1,136 +0,0 @@
 #!/bin/sh
 # bashsupport disable=BP5007
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: GPL-3.0-or-later
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
 ### In case of successful verification of one of the offered checksums, proceed with booting, else panic.
 #######################################
 # Modified checksum-verification script for continuing the boot process.
 # Globals:
 #   LIVE_BOOT_CMDLINE
 #   LIVE_VERIFY_CHECKSUMS
 #   LIVE_VERIFY_CHECKSUMS_DIGESTS
 #   _CHECKSUM
 #   _CHECKSUMS
 #   _DIGEST
 #   _MOUNTPOINT
 #   _PARAMETER
 #   _RETURN
 #   _TTY
 # Arguments:
 #   1: ${_PARAMETER}
 # Returns:
 #   0 : Successful Verification
 #######################################
 Verify_checksums() {
  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
    case "${_PARAMETER}" in
      live-boot.verify-checksums=* | verify-checksums=*)
        LIVE_VERIFY_CHECKSUMS="true"
        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
        ;;
      live-boot.verify-checksums | verify-checksums)
        LIVE_VERIFY_CHECKSUMS="true"
        ;;
    esac
  done
  case "${LIVE_VERIFY_CHECKSUMS}" in
    true)
      :
      ;;
    *)
      return 0
      ;;
  esac
  _MOUNTPOINT="${1}"
  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
  _TTY="/dev/tty8"
  log_begin_msg "Verifying checksums"
  printf "\n"
  # shellcheck disable=SC2164
  cd "${_MOUNTPOINT}"
  # shellcheck disable=SC2001
  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
    # shellcheck disable=SC2060
    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
    for _CHECKSUM in ${_CHECKSUMS}; do
      # shellcheck disable=SC2292
      if [ -e "${_CHECKSUM}" ]; then
        #echo "Found ${_CHECKSUM}..." > "${_TTY}"
        printf "Found %s...\n" "${_CHECKSUM}"
        if [ -e "/bin/${_DIGEST}sum" ]; then
          #echo "Checking ${_CHECKSUM}..." > "${_TTY}"
          printf "Checking %s...\n" "${_CHECKSUM}"
          # Verify checksums
          # shellcheck disable=SC2312
          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
          _RETURN="${?}"
          # Stop after the first verification
          # break 2
        else
          #echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
          printf "Not found /bin/%ssum....\n" "${_DIGEST}"
        fi
      fi
    done
  done
  log_end_msg
  case "${_RETURN}" in
    0)
      log_success_msg "Verification of checksums successful; continuing booting in 8 seconds."
      sleep 8
      return 0
      ;;
    *)
      panic "Verification failed, $(basename "${_TTY}") for more information."
      ;;
  esac
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/scripts/usr/lib/live/boot/0030-verify-checksums
+++ b/scripts/usr/lib/live/boot/0030-verify-checksums
@@ -0,0 +1,212 @@
 #!/bin/sh
 # bashsupport disable=BP5007
 # shellcheck shell=sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: GPL-3.0-or-later
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
 ### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
 #######################################
 # Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
 # Globals:
 #   LIVE_BOOT_CMDLINE
 #   _TTY
 # Arguments:
 #   1: _MOUNTPOINT
 # Returns:
 #   0 : Successful verification
 #######################################
 Verify_checksums() {
  _MOUNTPOINT="${1}"
  _TTY="/dev/tty8"
  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
  LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
    case "${_PARAMETER}" in
      live-boot.verify-checksums=* | verify-checksums=*)
        LIVE_VERIFY_CHECKSUMS="true"
        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
        ;;
      live-boot.verify-checksums | verify-checksums)
        LIVE_VERIFY_CHECKSUMS="true"
        ;;
      live-boot.verify-checksums-signatures | verify-checksums-signatures)
        LIVE_VERIFY_CHECKSUMS_SIGNATURES="true"
        ;;
    esac
  done
  case "${LIVE_VERIFY_CHECKSUMS}" in
    true)
      :
      ;;
    *)
      return 0
      ;;
  esac
  # shellcheck disable=SC2164
  cd "${_MOUNTPOINT}"
  ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
  if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
    log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
    printf "\n"
    CDLB_SCRIPT="$(basename "${0}")"
    CDLB_SHA="sha512"
    CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE=""
    for CDLB_ITEM in ${CDLB_SHA}; do
      CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}"
      CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
      CDLB_CMD="${CDLB_ITEM}sum"
      printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
      if ! gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
        printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}"
        sleep 8
        # TODO: Remove debug mode
        # return 0
      else
        printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}"
      fi
      printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}"
      CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; })
      read -r CDLB_EXPECTED < "${CDLB_HASHFILE}"
      if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
        printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}"
        sleep 8
        # TODO: Remove debug mode
        # return 0
      fi
      printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}"
    done
    printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding."
    log_end_msg
    printf "\n"
  fi
  ### Checksum and checksum signature verification -----------------------------------------------------------------------------
  log_begin_msg "Verifying checksums"
  printf "\n"
  # shellcheck disable=SC2001
  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
    # shellcheck disable=SC2060
    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
    for _CHECKSUM in ${_CHECKSUMS}; do
      if [ -e "${_CHECKSUM}" ]; then
        printf "Found [%s] ...\n" "${_CHECKSUM}"
        if [ -e "/bin/${_DIGEST}sum" ]; then
          if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
            printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
            _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
            gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
            _RETURN_PGP="${?}"
          else
            _RETURN_PGP="na"
          fi
          printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
          # shellcheck disable=SC2312
          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
          _RETURN_SHA="${?}"
          # Stop after the first verification.
          break 2
        else
          printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
        fi
      fi
    done
  done
  log_end_msg
  case "${_RETURN_PGP},${_RETURN_SHA}" in
    0,0)
      log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
      sleep 8
      return 0
      ;;
    na,0)
      log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
      sleep 8
      return 0
      ;;
    *,0)
      panic "Verification of signature file failed while verification of checksum file successful."
      ;;
    na,*)
      panic "Verification of checksum file failed."
      ;;
  esac
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/scripts/usr/lib/live/build/binary_checksums.sh
+++ b/scripts/usr/lib/live/build/binary_checksums.sh
@@ -1,11 +1,13 @@
 #!/bin/sh
 # bashsupport disable=BP5007
 # shellcheck shell=sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2006-2015 Daniel Baumann <mail@daniel-baumann.ch>
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: GPL-3.0-or-later
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -22,10 +24,9 @@
 ## This is free software, and you are welcome to redistribute it
 ## under certain conditions; see COPYING for details.
-set -e
+set -Ceu
 ### Including common functions.
 # shellcheck disable=SC2292
 if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then
  . "${LIVE_BUILD}/scripts/build.sh"
 else
@@ -34,19 +35,17 @@ fi
 ### Setting static variables.
 # shellcheck disable=SC2034
-DESCRIPTION="Create binary checksums and PGP signature files."
+DESCRIPTION="[CDLB] Create binary checksums and PGP signature files."
 # shellcheck disable=SC2034
 USAGE="${PROGRAM} [--force]"
 ### Processing arguments and configuration files.
 Init_config_data "${@}"
 # shellcheck disable=SC2292
 if [ "${LB_CHECKSUMS}" = "none" ]; then
 	exit 0
 fi
 # shellcheck disable=SC2292
 if [ "${LB_INITRAMFS}" = "dracut-live" ]; then
 	### The checksums will be generated by binary_iso.
 	exit 0
@@ -61,7 +60,7 @@ Check_stagefile
 ### Acquire a lock file.
 Acquire_lockfile
-declare CHECKSUM=""
+CHECKSUM=""
 for CHECKSUM in ${LB_CHECKSUMS}; do
@@ -91,18 +90,29 @@ for CHECKSUM in ${LB_CHECKSUMS}; do
    \! -path './*gpg' \
    \! -path './*sig' \
 		-print0 | LC_ALL=C sort -z | xargs -0 "${CHECKSUM}sum" >| "${CHECKSUMS}"
  Echo_message "Begin creating binary ${CHECKSUMS} done."
-  ### sha256sum.txt
+  Echo_message "Begin verifying binary ${CHECKSUMS} ..."
-  Echo_message "Begin creating GPG armor signature ${CHECKSUMS} ..."
+  "${CHECKSUM}sum" -c --strict --quiet "${CHECKSUMS}"
-  gpg --batch --yes --local-user "${LB_GPG_SIGN_KEY}" --armor --detach-sign --output "${CHECKSUMS}.asc" "${CHECKSUMS}"
+  Echo_message "Begin verifying binary ${CHECKSUMS} done."
  if [ "${VAR_SIGNER}" = "true" ]; then
    Echo_message "Begin creating GPG binary signature ${CHECKSUMS} ..."
-  gpg --batch --yes --local-user "${LB_GPG_SIGN_KEY}" --detach-sign --output "${CHECKSUMS}.sig" "${CHECKSUMS}"
+    gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
      --detach-sign --output "${CHECKSUMS}.sig" "${CHECKSUMS}"
    Echo_message "Begin creating GPG binary signature ${CHECKSUMS} done."
    Echo_message "Begin verifying GPG binary signature ${CHECKSUMS} ..."
    gpgv --keyring "${VAR_VERIFY_KEYRING}" "${CHECKSUMS}.sig" "${CHECKSUMS}"
    Echo_message "Begin verifying GPG binary signature ${CHECKSUMS} done."
  fi
  Echo_message "Begin creating '${CHECKSUM}sum.README' ..."
 	cat << EOF >| "${CHECKSUM}sum.README"
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -119,6 +129,7 @@ ${CHECKSUM}sum -c ${CHECKSUMS}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
 EOF
  Echo_message "Begin creating '${CHECKSUM}sum.README' done."
 	cd "${OLDPWD}"
--- a/scripts/usr/lib/live/build/binary_rootfs.sh
+++ b/scripts/usr/lib/live/build/binary_rootfs.sh
@@ -1,11 +1,13 @@
 #!/bin/sh
 # bashsupport disable=BP5007
 # shellcheck shell=sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2006-2015 Daniel Baumann <mail@daniel-baumann.ch>
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: GPL-3.0-or-later
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -25,7 +27,6 @@
 set -e
 # Including common functions.
 # shellcheck disable=SC2292
 if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then
  . "${LIVE_BUILD}/scripts/build.sh"
 else
@@ -77,7 +78,6 @@ esac
 # Creating directory
 mkdir -p "binary/${INITFS}"
 # shellcheck disable=SC2292
 if In_list "rootfs" "${LB_CACHE_STAGES}" && [ -d cache/binary_rootfs ]
 then
 	# Removing old chroot
@@ -104,7 +104,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
 		Install_packages
 		# Remove old image
    # shellcheck disable=SC2292
 		if [ -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" ]
 		then
 			rm -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}"
@@ -140,7 +139,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
 					FAKE_MTAB=true
 				fi
 				BLOCK_SIZE=1024
        # shellcheck disable=SC2292
 				if [ "${LB_DM_VERITY}" = "true" ]
 				then
 					# Module dm-verity needs a block size of at least 4k
@@ -168,7 +166,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
 				# Removing depends
 				Remove_packages
        # shellcheck disable=SC2292
 				if [ -e chroot/chroot.cache ]
 				then
 					Remove_lockfile
@@ -215,13 +212,11 @@ case "${LB_CHROOT_FILESYSTEM}" in
 		Install_packages
 		# Remove old jffs2 image
    # shellcheck disable=SC2292
 		if [ -f "binary/${INITFS}/filesystem.jffs2" ]
 		then
 			rm -f "binary/${INITFS}/filesystem.jffs2"
 		fi
    # shellcheck disable=SC2292
 		if [ -n "${LB_JFFS2_ERASEBLOCK}" ]
 		then
 			JFFS2_OPTIONS="--eraseblock=${LB_JFFS2_ERASEBLOCK}"
@@ -237,7 +232,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
 				# Removing depends
 				Remove_packages
        # shellcheck disable=SC2292
 				if [ -e chroot/chroot.cache ]
 				then
 					Remove_lockfile
@@ -266,7 +260,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
 		;;
 	plain)
    # shellcheck disable=SC2292
 		if [ -d "binary/${INITFS}/filesystem.dir" ]
 		then
 			rm -rf "binary/${INITFS}/filesystem.dir"
@@ -274,7 +267,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
 		case "${LB_BUILD_WITH_CHROOT}" in
 			true)
        # shellcheck disable=SC2292
 				if [ -e chroot/chroot.cache ]
 				then
 					# Different from the other LB_CHROOT_FILESYSTEM values:
@@ -310,7 +302,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
 		Echo_message "This may take a while."
 		# Remove old squashfs image
    # shellcheck disable=SC2292
 		if [ -f "binary/${INITFS}/filesystem.squashfs" ]
 		then
 			rm -f "binary/${INITFS}/filesystem.squashfs"
@@ -322,19 +313,16 @@ case "${LB_CHROOT_FILESYSTEM}" in
 		# Do not display the progress bar if:
 		# - Run with --quiet, or
 		# - stdin is not a terminal (e.g., in CI, cron, etc.)
    # shellcheck disable=SC2292
 		if [ "${_QUIET}" = "true" ] || [ ! -t 0 ]
 		then
 			MKSQUASHFS_OPTIONS="-no-progress ${MKSQUASHFS_OPTIONS}"
 		fi
    # shellcheck disable=SC2292
 		if [ "${_VERBOSE}" = "true" ]
 		then
 			MKSQUASHFS_OPTIONS="-info ${MKSQUASHFS_OPTIONS}"
 		fi
    # shellcheck disable=SC2292
 		if [ -f config/rootfs/squashfs.sort ]
 		then
 			MKSQUASHFS_OPTIONS="-sort squashfs.sort ${MKSQUASHFS_OPTIONS}"
@@ -351,7 +339,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
 		fi
 		# Set squashfs compression type or default to xz
    # shellcheck disable=SC2292
 		if [ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE}" ]
 		then
 			MKSQUASHFS_OPTIONS="-comp ${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE} ${MKSQUASHFS_OPTIONS}"
@@ -359,7 +346,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
 			MKSQUASHFS_OPTIONS="-comp xz ${MKSQUASHFS_OPTIONS}"
 		fi
    # shellcheck disable=SC2292
 		if [ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL}" ]
 		then
 			MKSQUASHFS_OPTIONS="-Xcompression-level ${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL} ${MKSQUASHFS_OPTIONS}"
@@ -367,7 +353,9 @@ case "${LB_CHROOT_FILESYSTEM}" in
 		case "${LB_BUILD_WITH_CHROOT}" in
 			true)
-        # shellcheck disable=SC2292
+        ### https://wiki.debian.org/ReproducibleInstalls/LiveImages
        ### https://reproducible-builds.org/docs/system-images/
        ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes
 				if [ -e config/rootfs/excludes ]
 				then
@@ -403,7 +391,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
 				# Removing depends
 				Remove_packages
        # shellcheck disable=SC2292
 				if [ -e chroot/chroot.cache ]
 				then
 					Remove_lockfile
@@ -423,7 +410,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
 				;;
 			false)
        # shellcheck disable=SC2292
 				if [ -e config/rootfs/excludes ]
 				then
 					MKSQUASHFS_OPTIONS="-wildcards -ef config/rootfs/excludes ${MKSQUASHFS_OPTIONS}"
@@ -440,7 +426,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
 		;;
 	none)
    # shellcheck disable=SC2292
 		if [ -d binary ]
 		then
 			rm -rf binary
@@ -466,7 +451,6 @@ then
 	mkdir -p cache/binary_rootfs
  # shellcheck disable=SC2292
 	if [ "${LB_CHROOT_FILESYSTEM}" != "none" ]
 	then
 		cp -a binary/"${INITFS}"/filesystem.* cache/binary_rootfs
--- a/scripts/usr/local/sbin/9999-cdi-starter
+++ b/scripts/usr/local/sbin/9999-cdi-starter
@@ -127,7 +127,7 @@ main() {
  # shellcheck disable=SC2312
  exec > >(tee -a "${var_log}") 2>&1
-  printf "CISS.debian.installer Master V8.13.296.2025.10.29 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.384.2025.11.06 is up! \n" >> "${var_log}"
  ### Sleep a moment to settle boot artifacts.
  sleep 8
@@ -182,7 +182,7 @@ main() {
  ### Timeout reached without acceptable semaphore.
  logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V8.13.296.2025.10.29: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.384.2025.11.06: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
  exit 0
 }
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -10,12 +10,35 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Definition of MUST set early Variables
+### Definition of MUST set early variables.
 # shellcheck disable=SC2155
 declare -grx VAR_BASH_VER="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4
  if (NF >= 5) out = out " " $5
  if (NF >= 6) out = out " " $6
  print out
 }')"
 declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.13.296.2025.10.29"
+declare -grx VAR_DATE="$(date +%F)"
 declare -grx VAR_DATE_EPOCH="$(date -u +%s)"
 declare -grx VAR_DATE_INFO="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%S %z')"
 declare -grx VAR_GIT_REL="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
 declare -grx VAR_GIT_REL_SHORT="${VAR_GIT_REL%% *}"
 declare -grx VAR_GIT_REL_DATE_TIME="${VAR_GIT_REL#* }"
 declare -grx VAR_GIT_REL_DATE="${VAR_GIT_REL_DATE_TIME% *}"
 declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
 declare -grx VAR_VERSION="Master V8.13.384.2025.11.06"
 declare -grx VAR_VER_DS="$(debootstrap --version)"
 declare -grx VAR_VER_LB="$(lb -v)"
 declare -gx  APT_LISTCHANGES_FRONTEND="none"
 declare -gx  DEBIAN_FRONTEND="noninteractive"
 declare -gx  SOURCE_DATE_EPOCH="$(git log -1 --format=%ct)"
 declare -gx  VAR_EARLY_DEBUG="false"
 declare -gx  VAR_HANDLER_AUTOBUILD="false"
--- a/var/global.var.sh
+++ b/var/global.var.sh
@@ -14,46 +14,41 @@
 guard_sourcing
 ### Definition of MUST set global variables.
 declare -gr VAR_BASH_VER="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4
  if (NF >= 5) out = out " " $5
  if (NF >= 6) out = out " " $6
  print out
 }')"
 declare -gr VAR_HOST="$(uname -n)"
 declare -gr VAR_DATE_EPOCH="$(date -u +%s)"
 declare -gr VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -gr VAR_DATE_INFO="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%S %z')"
 declare -gr VAR_KERNEL_INF="$(mktemp)"
 declare -gr VAR_KERNEL_TMP="$(mktemp)"
 declare -gr VAR_KERNEL_SRT="$(mktemp)"
 declare -gr VAR_KERNEL_TMP="$(mktemp)"
 declare -gr VAR_NOTES="$(mktemp)"
-declare -gr LOG_ERROR="/tmp/ciss_live_builder_$$_error.log"
+declare -gr LOG_ERROR="/tmp/cdlb_${VAR_ISO8601}_error.log"
 touch "${LOG_ERROR}" && chmod 0600 "${LOG_ERROR}"
 declare -g  __umask=""
 declare -g  VAR_ARCHITECTURE=""
 declare -g  VAR_HANDLER_BUILD_DIR=""
 declare -g  VAR_HANDLER_CDI="false"
-declare -gi VAR_HANDLER_DHCP=0
+declare -g  VAR_HANDLER_NETCUP_IPV6="false"
 declare -g  VAR_HANDLER_SPLASH=""
 declare -g  VAR_HASHED_PWD=""
 declare -g  VAR_SCRIPT_SUCCESS="false"
 declare -g  VAR_SSHFP="false"
 declare -g  VAR_SSHPORT=""
 declare -g  VAR_SSHPUBKEY=""
-declare -g VAR_SCRIPT_SUCCESS="false"
+declare -g  VAR_SUITE="trixie"
-declare -g VAR_SUITE="bookworm"
+declare -ga ARY_HANDLER_JUMPHOST_UNIQUE=()
-declare -g VAR_HANDLER_NETCUP_IPV6="false"
+declare -ga ARY_HANDLER_JUMPHOST=()
-declare -g VAR_HASHED_PWD=""
+declare -ga ARY_HANDLER_NETCUP_IPV6=()
-declare -g VAR_SSHFP="false"
+declare -gi VAR_HANDLER_DHCP=0
 declare -gi VAR_HANDLER_STA=0
 declare -gi VAR_HANDLER_PRIORITY=0
 declare -gi VAR_HANDLER_STA=0
 declare -gi VAR_REIONICE_CLASS=2
 declare -gi VAR_REIONICE_PRIORITY=4
 declare -gr VAR_CHROOT_DIR="chroot"
 declare -gr VAR_PACKAGES_FILE="chroot.packages.live"
-declare -ga ARY_HANDLER_JUMPHOST=()
+declare -gx VAR_SIGNER="false"
-declare -ga ARY_HANDLER_NETCUP_IPV6=()
+declare -gx VAR_SIGNING_KEY_FPR=""
-declare -ga ARY_HANDLER_JUMPHOST_UNIQUE=()
+declare -gx VAR_SIGNING_KEY_PASS=""
 declare -gx VAR_SIGNING_KEY_PASSFILE=""
 declare -gx VAR_SIGNING_KEY=""
 ### Definition of error codes
 declare -gir ERR_UNCRITICAL=127