diff --git a/config/hooks/live/0000_basic_chroot_setup.chroot b/config/hooks/live/0000_basic_chroot_setup.chroot index 438288a..0534bbe 100644 --- a/config/hooks/live/0000_basic_chroot_setup.chroot +++ b/config/hooks/live/0000_basic_chroot_setup.chroot @@ -209,7 +209,6 @@ export INITRD="No" apt-get update -qq apt-get install -y --no-install-suggests libpam-systemd - ### Installing microcode updates ----------------------------------------------------------------------------------------------- if [[ -f /root/.architecture ]]; then @@ -233,6 +232,9 @@ ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer ln -sf /dev/null /etc/systemd/system/apt-show-versions.service rm -f /etc/cron.daily/apt-show-versions || true +### Remove original '/usr/lib/live/boot/0030-verify-checksums' ----------------------------------------------------------------- +[[ -e /usr/lib/live/boot/0030-verify-checksums ]] && rm -f /usr/lib/live/boot/0030-verify-checksums + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}" exit 0 diff --git a/lib/lib_ciss_upgrades_boot.sh b/lib/lib_ciss_upgrades_boot.sh index d9f8287..fbee67a 100644 --- a/lib/lib_ciss_upgrades_boot.sh +++ b/lib/lib_ciss_upgrades_boot.sh @@ -63,6 +63,9 @@ ciss_upgrades_boot() { mv "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums.sha512sum.txt.sig" \ "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/signatures/0030-ciss-verify-checksums.sha512sum.txt.sig" + [[ -e "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" ]] && \ + rm -f "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" return 0 diff --git a/lib/lib_ciss_upgrades_build.sh b/lib/lib_ciss_upgrades_build.sh index d2b80f4..9c399c2 100644 --- a/lib/lib_ciss_upgrades_build.sh 
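Review bot: The added `rm -f /usr/lib/live/boot/0030-verify-checksums` in 0000_basic_chroot_setup.chroot drops the stock checksum verifier without first confirming that the CISS replacement is present in the chroot. If the replacement was not copied in, the resulting image would boot with no checksum verification at all. A fail-closed guard ahead of the removal would catch that, for example `[[ -s /usr/lib/live/boot/0030-ciss-verify-checksums ]] || { printf 'CISS verify-checksums script missing\n' >&2; exit 1; }`; the replacement's file name is inferred from the `.sha512sum.txt.sig` path in lib_ciss_upgrades_boot.sh and should be confirmed. If the removed file is owned by an installed package, as it appears to be, a later reinstall or upgrade of that package in a subsequent hook would restore it, and `dpkg-divert` would make the removal persistent.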
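Review bot: The `[[ -e … ]] &&` guard in front of `rm -f` in ciss_upgrades_boot is redundant and slightly weaker than the bare command. `rm -f` already succeeds silently on a missing path, while `-e` is false for a dangling symlink, which would then stay in includes.chroot. `rm -f -- "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"` covers both cases in one line, and the same form is used in the line added to 0000_basic_chroot_setup.chroot. Unlike the hook, the new statement has no `###` comment saying why the stock script is dropped; the function starts before this hunk.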
+++ b/lib/lib_ciss_upgrades_build.sh @@ -25,10 +25,29 @@ guard_sourcing || return "${ERR_GUARD_SRCE}" ciss_upgrades_build() { printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" - ### CISS signing binary-checksums override. + ### CISS 0030-ciss-verify-checksums override. -------------------------------------------------------------------------------- + if [[ -e /usr/lib/live/boot/0030-verify-checksums ]]; then + + mkdir -p /usr/lib/live/backup + + if [[ -e /usr/lib/live/backup/0030-verify-checksums.original ]]; then + + rm -f /usr/lib/live/boot/0030-verify-checksums + + else + + mv /usr/lib/live/boot/0030-verify-checksums /usr/lib/live/backup/0030-verify-checksums.original + + fi + + fi + + ### CISS signing binary-checksums override. ---------------------------------------------------------------------------------- if [[ ! -e /usr/lib/live/build/binary_checksums.original ]]; then + cp /usr/lib/live/build/binary_checksums /usr/lib/live/build/binary_checksums.original chmod 0444 /usr/lib/live/build/binary_checksums.original + fi rm -f /usr/lib/live/build/binary_checksums @@ -38,8 +57,10 @@ ciss_upgrades_build() { ### https://reproducible-builds.org/docs/system-images/ ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes if [[ ! -e /usr/lib/live/build/binary_rootfs.original ]]; then + cp /usr/lib/live/build/binary_rootfs /usr/lib/live/build/binary_rootfs.original chmod 0444 /usr/lib/live/build/binary_rootfs.original + fi rm -f /usr/lib/live/build/binary_rootfs
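Review bot: When `/usr/lib/live/backup/0030-verify-checksums.original` already exists, the new block in ciss_upgrades_build deletes whatever is currently at `/usr/lib/live/boot/0030-verify-checksums` without comparing it to the backup. After the owning package is upgraded on the build host, the only retained copy of the stock verifier is therefore the older one. The backup is also not made read-only, unlike `binary_checksums.original` and `binary_rootfs.original` in the same function. The sketch below refreshes the backup whenever the two files differ (which also covers the first run) and stores it with mode 0444. Neither `mkdir -p` nor `mv` is checked in the hunk, so whether a failure stops the build depends on shell options set outside it; the function continues past the hunk.

```shell
  if [[ -e /usr/lib/live/boot/0030-verify-checksums ]]; then
    mkdir -p /usr/lib/live/backup
    # cmp -s is non-zero when the backup is missing or differs, so this
    # handles both the first run and a changed stock script.
    if ! cmp -s /usr/lib/live/boot/0030-verify-checksums \
                /usr/lib/live/backup/0030-verify-checksums.original; then
      install -m 0444 /usr/lib/live/boot/0030-verify-checksums \
                      /usr/lib/live/backup/0030-verify-checksums.original
    fi
    rm -f /usr/lib/live/boot/0030-verify-checksums
  fi
  # … unchanged: binary_checksums and binary_rootfs overrides …
```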