V8.13.440.2025.11.19

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/0000_basic_chroot_setup.chroot

@@ -209,7 +209,6 @@ export INITRD="No"
 apt-get update -qq
 apt-get install -y --no-install-suggests libpam-systemd
 
-
 ### Installing microcode updates -----------------------------------------------------------------------------------------------
 if [[ -f /root/.architecture ]]; then
 
@@ -233,6 +232,9 @@ ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.service
 rm -f /etc/cron.daily/apt-show-versions || true
 
+### Remove original '/usr/lib/live/boot/0030-verify-checksums' -----------------------------------------------------------------
+[[ -e /usr/lib/live/boot/0030-verify-checksums ]] && rm -f /usr/lib/live/boot/0030-verify-checksums
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

lib/lib_ciss_upgrades_boot.sh

@@ -63,6 +63,9 @@ ciss_upgrades_boot() {
   mv "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums.sha512sum.txt.sig" \
     "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/signatures/0030-ciss-verify-checksums.sha512sum.txt.sig"
 
+  [[ -e "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" ]] && \
+    rm -f "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
+
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
 
   return 0

lib/lib_ciss_upgrades_build.sh

@@ -25,10 +25,29 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 ciss_upgrades_build() {
   printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
 
-  ### CISS signing binary-checksums override.
+  ### CISS 0030-ciss-verify-checksums override. --------------------------------------------------------------------------------
+  if [[ -e /usr/lib/live/boot/0030-verify-checksums ]]; then
+
+    mkdir -p /usr/lib/live/backup
+
+    if [[ -e /usr/lib/live/backup/0030-verify-checksums.original ]]; then
+
+      rm -f /usr/lib/live/boot/0030-verify-checksums
+
+    else
+
+      mv /usr/lib/live/boot/0030-verify-checksums /usr/lib/live/backup/0030-verify-checksums.original
+
+    fi
+
+  fi
+
+  ### CISS signing binary-checksums override. ----------------------------------------------------------------------------------
   if [[ ! -e /usr/lib/live/build/binary_checksums.original ]]; then
+
     cp /usr/lib/live/build/binary_checksums /usr/lib/live/build/binary_checksums.original
     chmod 0444 /usr/lib/live/build/binary_checksums.original
+
   fi
 
   rm -f /usr/lib/live/build/binary_checksums
@@ -38,8 +57,10 @@ ciss_upgrades_build() {
   ### https://reproducible-builds.org/docs/system-images/
   ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes
   if [[ ! -e /usr/lib/live/build/binary_rootfs.original ]]; then
+
     cp /usr/lib/live/build/binary_rootfs /usr/lib/live/build/binary_rootfs.original
     chmod 0444 /usr/lib/live/build/binary_rootfs.original
+
   fi
 
   rm -f /usr/lib/live/build/binary_rootfs