DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@4be9861 at 2025-06-07T13:59:46Z on beeac5128259

Generated at : 2025-06-07T13:59:46Z
Runner Host  : beeac5128259
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 4be9861 HEAD -> master

.archive/icon.lib

@@ -2,46 +2,48 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ✅
-🔧
+❌
+⚠️
+🚫
+🔐
+🔒
 🔑
+✍️
 🖥️
+🔄
+🔁
+🌌
+🔵
+💙
+🔍
+💡
+🔧
 🛠️
+🏗
+⚙️
+📐
+🧪
+📩
 📥
 📦
 📑
 📂
-🔒
+📀
-🔐
-⚙️
-❌
-🌌
 🎉
-🖥️
-📂
-📩
-🔵
 😺
-🧪
+📉
 📊
 🧾
-📀
+📋
-📉
 🕑
 🧠
 📅
-💙
-🚫
-🔄
-🔁
-📋
 🎯
-🔍
-💡
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.editorconfig

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.03.400.2025.06.05"
+      placeholder: "e.g., Master V8.03.644.2025.06.07"
     validations:
       required: true
 

.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml

@@ -48,8 +48,8 @@ body:
       options:
         - label: "My edits contain no tabs, use two-space indentation, and no trailing whitespace"
         - label: "I have read ~/docs/CONTRIBUTING.md and ~/docs/CODING_CONVENTION.md"
-        - label: "I have tested this fix or improvement on ≥2 VMs without issues"
+        - label: "I have tested this fix or improvement on >=2 VMs without issues"
-        - label: "I have tested this new feature on ≥2 VMs with and without it to avoid side effects"
+        - label: "I have tested this new feature on >=2 VMs with and without it to avoid side effects"
         - label: "Documentation and/or 'usage()' and/or 'arg_parser' have been updated for the new feature"
         - label: "I added myself to ~/docs/CREDITS.md (alphabetical) and updated ~/docs/CHANGELOG.md"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/TODO/dockerfile

@@ -0,0 +1,69 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.644.2025.06.07
+
+FROM debian:bookworm
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update -y \
+    && apt-get upgrade -y \
+    && apt-get install -y \
+      apt-transport-https \
+      apt-utils \
+      bash \
+      ca-certificates \
+      gnupg \
+      openssl \
+      sudo \
+    && apt-get update -y \
+    && apt-get upgrade -y \
+    && apt-get clean \
+    && apt-get autoremove --purge -y \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir -p /etc/apt/sources.list.d && touch /etc/apt/sources.list.d/bookworm-backports.list \
+    && echo 'deb https://deb.debian.org/debian bookworm-backports main' >| /etc/apt/sources.list.d/bookworm-backports.list \
+    && apt-get update -y \
+    && apt-get upgrade -y \
+    && apt-get install -y --no-install-recommends \
+      autoconf \
+      automake \
+      build-essential \
+      cryptsetup \
+      curl \
+      debootstrap \
+      dosfstools \
+      efibootmgr \
+      gettext \
+      git \
+      haveged \
+      libtool \
+      live-build \
+      parted \
+      pkg-config \
+      ssh \
+      ssl-cert \
+      texinfo \
+      wget \
+      whois \
+    && apt-get clean \
+    && apt-get autoremove --purge -y \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN useradd --create-home --shell /bin/bash runner
+
+WORKDIR /home/runner
+
+USER runner
+
+ENTRYPOINT ["bash"]

.gitea/TODO/render-md-to-html.yaml

@@ -9,9 +9,9 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.644.2025.06.07
 
-name: Render README.md to README.html.
+name: 🔁 Render README.md to README.html.
 
 permissions:
   contents: write
@@ -26,7 +26,7 @@ on:
 
 jobs:
   render-md-to-html:
-    name: Render README.md to README.html.
+    name: 🔁 Render README.md to README.html.
     runs-on: ubuntu-latest
 
     steps:
@@ -111,28 +111,28 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y pandoc
 
-      #- name: ⚙️ Ensure .html/ directory exists.
+      - name: ⚙️ Ensure .html/ directory exists.
-      #  shell: bash
+        shell: bash
-      #  run:
+        run:
-      #    mkdir -p .html
+          mkdir -p .html
 
-      #- name: 🛠️ Render *.md to full standalone HTML.
+      - name: 🛠️ Render *.md to full standalone HTML.
-      #  shell: bash
+        shell: bash
-      #  run: |
+        run: |
-      #    set -euo pipefail
+          set -euo pipefail
-      #    find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print  | while read file; do
+          find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print  | while read file; do
-      #      out=$(basename "${file%.md}.html")
+            out=$(basename "${file%.md}.html")
-      #      pandoc -s "${file}" \
+            pandoc -s "${file}" \
-      #        --metadata title="${file}" \
+              --metadata title="${file}" \
-      #        --metadata lang=en \
+              --metadata lang=en \
-      #        -f gfm+footnotes \
+              -f gfm+footnotes \
-      #        -t html5 \
+              -t html5 \
-      #        --no-highlight \
+              --no-highlight \
-      #        --strip-comments \
+              --strip-comments \
-      #        --wrap=none \
+              --wrap=none \
-      #        --lua-filter=.gitea/properties/lua/linkfix.lua \
+              --lua-filter=.gitea/properties/lua/linkfix.lua \
-      #        -o .html/"${out}"
+              -o .html/"${out}"
-      #    done
+          done
 
       - name: 🛠️ Extract HTML fragment for Gitea for *.md.
         shell: bash
@@ -150,6 +150,15 @@ jobs:
               -o "${out}"
           done
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -168,6 +177,15 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
@@ -197,15 +215,15 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: Auto-Generate *.html from *.md [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate *.html from *.md [skip ci]
 
-            ${CI_HEADER}
+          ${CI_HEADER}
 
-            Generated at: ${TIMESTAMP_UTC}
+          Generated at : ${TIMESTAMP_UTC}
-            Runner Host : ${HOSTNAME}
+          Runner Host  : ${HOSTNAME}
-            Workflow ID : ${WORKFLOW_ID}
+          Workflow ID  : ${WORKFLOW_ID}
-            Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
-            "
+          "
 
             echo "🔏 Commit message :"
             echo "${COMMIT_MSG}"

.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.384.2025.06.03
+  version: V8.03.644.2025.06.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml

@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
-  counter: 1024
+  counter: 1023
-  version: V8.03.400.2025.06.05
+  version: V8.03.644.2025.06.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.384.2025.06.03
+  version: V8.03.644.2025.06.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.400.2025.06.05
+  version: V8.03.644.2025.06.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml

@@ -9,9 +9,9 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.644.2025.06.07
 
-name: Generating a Private Live ISO FLV 0.
+name: 🔐 Generating a Private Live ISO FLV 0.
 
 permissions:
   contents: write
@@ -25,8 +25,8 @@ on:
 
 jobs:
   generate-private-ciss-debian-live-iso:
-    name: Generating a Private Live ISO FLV 0.
+    name: 🔐 Generating a Private Live ISO FLV 0.
-    runs-on: ciss.debian.live.builder
+    runs-on: ciss.debian.live.builder.iso.generator
 
     ### Run all steps inside Debian Bookworm
     container:
@@ -35,17 +35,17 @@ jobs:
     steps:
       - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
         run: |
-          apt-get update
+          apt-get update -y
           apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
           echo 'deb https://deb.debian.org/debian bookworm-backports main' \
             >| /etc/apt/sources.list.d/bookworm-backports.list
-          apt-get update
+          apt-get update -y
-          apt-get upgrade
+          apt-get upgrade -y
 
       - name: 🛠️ Installing Build Tools.
         shell: bash
         run: |
-          apt-get update
+          apt-get update -y
           apt-get install -y \
             autoconf \
             automake \
@@ -85,22 +85,27 @@ jobs:
             "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
           )
 
+          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
+          gpg --batch --import signature_key.asc
+
           for url in "${urls[@]}"; do
             archive_name="${url##*/}"
             pkg_name="${archive_name%.tar.bz2}"
             echo "🔄 Processing ${pkg_name}"
             if [[ ! -f "${archive_name}" ]]; then
               echo "📥 Downloading: '${archive_name}'."
-              if wget "${url}" -O "${archive_name}" > /dev/null 2>&1; then
+              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
                 echo "✅ Download successful: '${archive_name}'."
               else
                 echo "❌ Download NOT successful: '${archive_name}'."
                 exit 1
               fi
             else
-              echo "ℹ️ Skipping download, package already exists: '${archive_name}'."
+              echo "💡 Skipping download, package already exists: '${archive_name}'."
             fi
 
+            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
+
             if [[ ! -d "${pkg_name}" ]]; then
               echo "📂 Extracting: '${archive_name}'."
               if tar -xjf "${archive_name}"; then
@@ -110,7 +115,7 @@ jobs:
                 exit 1
               fi
             else
-              echo "ℹ️ Skipping directory, already exists: '${pkg_name}'."
+              echo "💡 Skipping directory, already exists: '${pkg_name}'."
             fi
 
             echo "🏗️ Build and install the package: '${pkg_name}'."
@@ -124,15 +129,15 @@ jobs:
 
             cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
 
-            rm -f "${archive_name}"; \
+            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
-            echo "✅ Removed archive: '${pkg_name}'."
+            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
-            rm -fr "${pkg_name}"; \
-            echo "✅ Removed build artifacts: '${pkg_name}'."
             echo "✅ Successful build and installation of '${pkg_name}'."
             echo "-------------------------------------------------------------------------------------"
 
           done
 
+          rm -f signature_key.asc
+
           echo "✅ All packages were built and installed successfully."
 
           mv_bin=(
@@ -153,7 +158,7 @@ jobs:
                 echo "❌ Moved NOT successfully: '${bin}'."
               fi
             else
-              echo "ℹ️ Does not exist as build binary: '${bin}'."
+              echo "💡 Does not exist as build binary: '${bin}'."
             fi
           done
 
@@ -166,7 +171,7 @@ jobs:
                 echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
               fi
             else
-              echo "ℹ️ Does not exist: '/usr/local/bin/${name}'."
+              echo "💡 Does not exist: '/usr/local/bin/${name}'."
             fi
           done
 
@@ -299,7 +304,7 @@ jobs:
           grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
 
           if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
-            echo "ℹ️ Old ISO files found and deleted :"
+            echo "💡 Old ISO files found and deleted :"
             while IFS= read -r href; do
               FILE_URL="${NC_BASE}${href}"
               echo "  Delete: ${FILE_URL}"
@@ -312,7 +317,7 @@ jobs:
               fi
             done < public_iso_list.txt
           else
-            echo "ℹ️ No old ISO files found to delete."
+            echo "💡 No old ISO files found to delete."
           fi
 
       - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
@@ -388,6 +393,15 @@ jobs:
           # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
           EOF
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -406,6 +420,15 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
@@ -436,14 +459,14 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
 
           ${CI_HEADER}
 
-          Generated at: ${TIMESTAMP_UTC}
+          Generated at : ${TIMESTAMP_UTC}
-          Runner Host : ${HOSTNAME}
+          Runner Host  : ${HOSTNAME}
-          Workflow ID : ${WORKFLOW_ID}
+          Workflow ID  : ${WORKFLOW_ID}
-          Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
           "
 
             echo "🔏 Commit message :"

.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml

@@ -9,9 +9,9 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.512.2025.06.06
 
-name: Generating a Private Live ISO FLV 1.
+name: 🔐 Generating a Private Live ISO FLV 1.
 
 permissions:
   contents: write
@@ -21,12 +21,12 @@ on:
     branches:
       - master
     paths:
-      - '.gitea/trigger/.t_generate_PRIVATE_iso_flavour_1.yaml'
+      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml'
 
 jobs:
   generate-private-ciss-debian-live-iso:
-    name: Generating a Private Live ISO FLV 1.
+    name: 🔐 Generating a Private Live ISO FLV 1.
-    runs-on: ciss.debian.live.builder
+    runs-on: ciss.debian.live.builder.iso.generator
 
     ### Run all steps inside Debian Bookworm
     container:
@@ -35,17 +35,17 @@ jobs:
     steps:
       - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
         run: |
-          apt-get update
+          apt-get update -y
           apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
           echo 'deb https://deb.debian.org/debian bookworm-backports main' \
             >| /etc/apt/sources.list.d/bookworm-backports.list
-          apt-get update
+          apt-get update -y
-          apt-get upgrade
+          apt-get upgrade -y
 
       - name: 🛠️ Installing Build Tools.
         shell: bash
         run: |
-          apt-get update
+          apt-get update -y
           apt-get install -y \
             autoconf \
             automake \
@@ -85,22 +85,27 @@ jobs:
             "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
           )
 
+          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
+          gpg --batch --import signature_key.asc
+
           for url in "${urls[@]}"; do
             archive_name="${url##*/}"
             pkg_name="${archive_name%.tar.bz2}"
             echo "🔄 Processing ${pkg_name}"
             if [[ ! -f "${archive_name}" ]]; then
               echo "📥 Downloading: '${archive_name}'."
-              if wget "${url}" -O "${archive_name}" > /dev/null 2>&1; then
+              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
                 echo "✅ Download successful: '${archive_name}'."
               else
                 echo "❌ Download NOT successful: '${archive_name}'."
                 exit 1
               fi
             else
-              echo "ℹ️ Skipping download, package already exists: '${archive_name}'."
+              echo "💡 Skipping download, package already exists: '${archive_name}'."
             fi
 
+            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
+
             if [[ ! -d "${pkg_name}" ]]; then
               echo "📂 Extracting: '${archive_name}'."
               if tar -xjf "${archive_name}"; then
@@ -110,7 +115,7 @@ jobs:
                 exit 1
               fi
             else
-              echo "ℹ️ Skipping directory, already exists: '${pkg_name}'."
+              echo "💡 Skipping directory, already exists: '${pkg_name}'."
             fi
 
             echo "🏗️ Build and install the package: '${pkg_name}'."
@@ -124,15 +129,15 @@ jobs:
 
             cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
 
-            rm -f "${archive_name}"; \
+            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
-            echo "✅ Removed archive: '${pkg_name}'."
+            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
-            rm -fr "${pkg_name}"; \
-            echo "✅ Removed build artifacts: '${pkg_name}'."
             echo "✅ Successful build and installation of '${pkg_name}'."
             echo "-------------------------------------------------------------------------------------"
 
           done
 
+          rm -f signature_key.asc
+
           echo "✅ All packages were built and installed successfully."
 
           mv_bin=(
@@ -153,7 +158,7 @@ jobs:
                 echo "❌ Moved NOT successfully: '${bin}'."
               fi
             else
-              echo "ℹ️ Does not exist as build binary: '${bin}'."
+              echo "💡 Does not exist as build binary: '${bin}'."
             fi
           done
 
@@ -166,7 +171,7 @@ jobs:
                 echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
               fi
             else
-              echo "ℹ️ Does not exist: '/usr/local/bin/${name}'."
+              echo "💡 Does not exist: '/usr/local/bin/${name}'."
             fi
           done
 
@@ -296,7 +301,7 @@ jobs:
           grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
 
           if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
-            echo "ℹ️ Old ISO files found and deleted :"
+            echo "💡 Old ISO files found and deleted :"
             while IFS= read -r href; do
               FILE_URL="${NC_BASE}${href}"
               echo "  Delete: ${FILE_URL}"
@@ -309,7 +314,7 @@ jobs:
               fi
             done < public_iso_list.txt
           else
-            echo "ℹ️ No old ISO files found to delete."
+            echo "💡 No old ISO files found to delete."
           fi
 
       - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
@@ -385,6 +390,15 @@ jobs:
           # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
           EOF
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -403,6 +417,15 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
@@ -433,14 +456,14 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]
 
           ${CI_HEADER}
 
-          Generated at: ${TIMESTAMP_UTC}
+          Generated at : ${TIMESTAMP_UTC}
-          Runner Host : ${HOSTNAME}
+          Runner Host  : ${HOSTNAME}
-          Workflow ID : ${WORKFLOW_ID}
+          Workflow ID  : ${WORKFLOW_ID}
-          Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
           "
 
             echo "🔏 Commit message :"

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,9 +9,9 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.644.2025.06.07
 
-name: Generating a PUBLIC Live ISO.
+name: 💙 Generating a PUBLIC Live ISO.
 
 permissions:
   contents: write
@@ -21,12 +21,12 @@ on:
     branches:
       - master
     paths:
-      - '.gitea/trigger/.t_generate_PUBLIC.yaml'
+      - '.gitea/trigger/t_generate_PUBLIC.yaml'
 
 jobs:
   generate-private-ciss-debian-live-iso:
-    name: Generating a PUBLIC Live ISO.
+    name: 💙 Generating a PUBLIC Live ISO.
-    runs-on: ciss.debian.live.builder
+    runs-on: ciss.debian.live.builder.iso.generator
 
     ### Run all steps inside Debian Bookworm
     container:
@@ -35,17 +35,17 @@ jobs:
     steps:
       - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
         run: |
-          apt-get update
+          apt-get update -y
           apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
           echo 'deb https://deb.debian.org/debian bookworm-backports main' \
             >| /etc/apt/sources.list.d/bookworm-backports.list
-          apt-get update
+          apt-get update -y
-          apt-get upgrade
+          apt-get upgrade -y
 
       - name: 🛠️ Installing Build Tools.
         shell: bash
         run: |
-          apt-get update
+          apt-get update -y
           apt-get install -y \
             autoconf \
             automake \
@@ -85,22 +85,27 @@ jobs:
             "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
           )
 
+          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
+          gpg --batch --import signature_key.asc
+
           for url in "${urls[@]}"; do
             archive_name="${url##*/}"
             pkg_name="${archive_name%.tar.bz2}"
             echo "🔄 Processing ${pkg_name}"
             if [[ ! -f "${archive_name}" ]]; then
               echo "📥 Downloading: '${archive_name}'."
-              if wget "${url}" -O "${archive_name}" > /dev/null 2>&1; then
+              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
                 echo "✅ Download successful: '${archive_name}'."
               else
                 echo "❌ Download NOT successful: '${archive_name}'."
                 exit 1
               fi
             else
-              echo "ℹ️ Skipping download, package already exists: '${archive_name}'."
+              echo "💡 Skipping download, package already exists: '${archive_name}'."
             fi
 
+            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
+
             if [[ ! -d "${pkg_name}" ]]; then
               echo "📂 Extracting: '${archive_name}'."
               if tar -xjf "${archive_name}"; then
@@ -110,7 +115,7 @@ jobs:
                 exit 1
               fi
             else
-              echo "ℹ️ Skipping directory, already exists: '${pkg_name}'."
+              echo "💡 Skipping directory, already exists: '${pkg_name}'."
             fi
 
             echo "🏗️ Build and install the package: '${pkg_name}'."
@@ -124,15 +129,15 @@ jobs:
 
             cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
 
-            rm -f "${archive_name}"; \
+            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
-            echo "✅ Removed archive: '${pkg_name}'."
+            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
-            rm -fr "${pkg_name}"; \
-            echo "✅ Removed build artifacts: '${pkg_name}'."
             echo "✅ Successful build and installation of '${pkg_name}'."
             echo "-------------------------------------------------------------------------------------"
 
           done
 
+          rm -f signature_key.asc
+
           echo "✅ All packages were built and installed successfully."
 
           mv_bin=(
@@ -153,7 +158,7 @@ jobs:
                 echo "❌ Moved NOT successfully: '${bin}'."
               fi
             else
-              echo "ℹ️ Does not exist as build binary: '${bin}'."
+              echo "💡 Does not exist as build binary: '${bin}'."
             fi
           done
 
@@ -166,7 +171,7 @@ jobs:
                 echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
               fi
             else
-              echo "ℹ️ Does not exist: '/usr/local/bin/${name}'."
+              echo "💡 Does not exist: '/usr/local/bin/${name}'."
             fi
           done
 
@@ -296,7 +301,7 @@ jobs:
           grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
 
           if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
-            echo "ℹ️ Old ISO files found and deleted :"
+            echo "💡 Old ISO files found and deleted :"
             while IFS= read -r href; do
               FILE_URL="${NC_BASE}${href}"
               echo "  Delete: ${FILE_URL}"
@@ -309,7 +314,7 @@ jobs:
               fi
             done < public_iso_list.txt
           else
-            echo "ℹ️ No old ISO files found to delete."
+            echo "💡 No old ISO files found to delete."
           fi
 
       - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
@@ -385,6 +390,15 @@ jobs:
           # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
           EOF
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -403,6 +417,15 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
@@ -433,14 +456,14 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: Auto-Generate PUBLIC LIVE ISO [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
 
           ${CI_HEADER}
 
-          Generated at: ${TIMESTAMP_UTC}
+          Generated at : ${TIMESTAMP_UTC}
-          Runner Host : ${HOSTNAME}
+          Runner Host  : ${HOSTNAME}
-          Workflow ID : ${WORKFLOW_ID}
+          Workflow ID  : ${WORKFLOW_ID}
-          Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
           "
 
             echo "🔏 Commit message :"

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.644.2025.06.07
 
 # Gitea Workflow: Shell-Script Linting
 #
@@ -70,7 +70,7 @@ jobs:
           GITHUB_REF_NAME: ${{ github.ref_name }}
         run: |
           set -euo pipefail
-          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/PRIVATE_TESTING_CISS.debian.live.builder.git .
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
           git fetch --unshallow || echo "Nothing to fetch - already full clone."
 
       - name: 🛠️ Cleaning the workspace.
@@ -127,32 +127,34 @@ jobs:
           #
           # We capture:
           # - All files '*.sh', '*.zsh', '*.chroot'
-          # - All files whose first line begins with “#!” (shebang)
+          # - All files whose first line begins with "#!" (shebang)
           # -------------------------------
           mapfile -t files_to_check < <(
-            find . -type f \( \
+            find . \
-              -iname '*.sh' -o \
+              -path './.git' -prune -o \
-              -iname '*.zsh' -o \
+              -type f \( \
-              -iname '*.chroot' -o \
+                -iname '*.sh' -o \
-              -exec grep -Iq '^#!' {} \; \
+                -iname '*.zsh' -o \
-            \) -print
+                -iname '*.chroot' -o \
+                -exec grep -Iq '^#!' {} \; \
+              \) -print
           )
 
           # -------------------------------
           # STEP 2: Regex definitions
           #
-          # - CRLF_REGEX → Carriage Return (\r) for Windows CRLF
+          # - CRLF_REGEX           Carriage Return (\r) for Windows CRLF
-          # - CTRL_REGEX → C0 control characters except Tab (\x09) and Newline (\x0A)
+          # - CTRL_REGEX           C0 control characters except Tab (\x09) and Newline (\x0A)
-          # Range: [\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]
+          #   - Range:             [\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]
-          # - NON_ASCII_REGEX → All bytes > 0x7F, except emoji characters in defined ranges
+          # - NON_ASCII_REGEX      All bytes -> 0x7F, except emoji characters in defined ranges
           #
           # Emoji ranges that we exclude:
-          # - \x{1F300}-\x{1F5FF} (Misc Symbols & Pictographs)
+          # - \x{1F300}-\x{1F5FF}  Misc Symbols & Pictographs
-          # - \x{1F600}-\x{1F64F} (Emoticons)
+          # - \x{1F600}-\x{1F64F}  Emoticons
-          # - \x{1F680}-\x{1F6FF} (Transport & Map Symbols)
+          # - \x{1F680}-\x{1F6FF}  Transport & Map Symbols
-          # - \x{1F900}-\x{1F9FF} (Supplemental Symbols & Pictographs)
+          # - \x{1F900}-\x{1F9FF}  Supplemental Symbols & Pictographs
-          # - \x{2600}-\x{26FF}   (Miscellaneous Symbols)
+          # - \x{2600}-\x{26FF}    Miscellaneous Symbols
-          # - \x{2700}-\x{27BF}   (Dingbats)
+          # - \x{2700}-\x{27BF}    Dingbats
           # -------------------------------
 
           CRLF_REGEX=$'\r'
@@ -170,7 +172,7 @@ jobs:
           for file in "${files_to_check[@]}"; do
             #
             # 4.1: CRLF detection
-            #      grep -nP returns “lineno:<line with CR>”
+            #      grep -nP returns "lineno:<line with CR>"
             # -------------------------------
             while IFS=: read -r lineno _rest; do
               findings+="${file}: CRLF-found at line ${lineno}: <CR>"$'\n'
@@ -178,7 +180,7 @@ jobs:
 
             #
             # 4.2: Unallowed control characters
-            #      grep -nP -o returns “lineno:<matched-char>”
+            #      grep -nP -o returns "lineno:<matched-char>"
             # -------------------------------
             while IFS=: read -r lineno char; do
               findings+="${file}: control-char at line ${lineno}: ${char}"$'\n'
@@ -186,7 +188,7 @@ jobs:
 
             #
             # 4.3: Non-ASCII characters with emoji exception
-            #      grep -nP -o returns “lineno:<matched-char>”
+            #      grep -nP -o returns "lineno:<matched-char>"
             # -------------------------------
             while IFS=: read -r lineno char; do
               findings+="${file}: non-ascii at line ${lineno}: ${char}"$'\n'
@@ -199,8 +201,139 @@ jobs:
           if [[ -n "${findings}" ]]; then
             echo -e "⚠️ Linting issues detected:\n"
             echo -e "${findings}"
-            exit 1
+            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            PRIVATE_FILE="LINTER_RESULTS.txt"
+            touch "${PRIVATE_FILE}"
+            cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          ⚠️ The last linter check was NOT successful. ⚠️
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
           else
             echo "✅ No issues found in shell scripts."
+            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            PRIVATE_FILE="LINTER_RESULTS.txt"
+            touch "${PRIVATE_FILE}"
+            cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          ✅ The last linter check was successful. ✅
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
           fi
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LINTER_RESULTS.txt"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🛡️ Shell Script Linting [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/render-dnssec-status.yaml

@@ -9,9 +9,9 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.644.2025.06.07
 
-name: Retrieve DNSSEC status of coresecret.dev.
+name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 
 permissions:
   contents: write
@@ -25,7 +25,7 @@ on:
 
 jobs:
   build-dnssec-diagram:
-    name: Retrieve DNSSEC status of coresecret.dev.
+    name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
     runs-on: ubuntu-latest
 
     steps:
@@ -127,6 +127,15 @@ jobs:
           dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
           dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -145,6 +154,15 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
@@ -174,14 +192,14 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🛡️ Auto-Generate DNSSEC Status [skip ci]
 
           ${CI_HEADER}
 
-          Generated at: ${TIMESTAMP_UTC}
+          Generated at : ${TIMESTAMP_UTC}
-          Runner Host : ${HOSTNAME}
+          Runner Host  : ${HOSTNAME}
-          Workflow ID : ${WORKFLOW_ID}
+          Workflow ID  : ${WORKFLOW_ID}
-          Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
           "
 
             echo "🔏 Commit message :"

.gitea/workflows/render-dot-to-png.yaml

@@ -9,9 +9,9 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.644.2025.06.07
 
-name: Render Graphviz Diagrams.
+name: 🔁 Render Graphviz Diagrams.
 
 permissions:
   contents: write
@@ -26,7 +26,7 @@ on:
 
 jobs:
   build-graphiz-diagrams:
-    name: Render Graphviz Diagrams.
+    name: 🔁 Render Graphviz Diagrams.
     runs-on: ubuntu-latest
 
     steps:
@@ -120,6 +120,15 @@ jobs:
             dot -Tpng "${file}" -o "${out}"
           done
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -138,6 +147,15 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
@@ -167,14 +185,14 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: DEPLOY BOT: Auto-Generate PNG from *.dot. [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate PNG from *.dot. [skip ci]
 
           ${CI_HEADER}
 
-          Generated at: ${TIMESTAMP_UTC}
+          Generated at : ${TIMESTAMP_UTC}
-          Runner Host : ${HOSTNAME}
+          Runner Host  : ${HOSTNAME}
-          Workflow ID : ${WORKFLOW_ID}
+          Workflow ID  : ${WORKFLOW_ID}
-          Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
           "
 
             echo "🔏 Commit message :"

.gitignore

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.400.2025.06.05"
+properties_version="V8.03.644.2025.06.07"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.400.2025.06.05
+PackageVersion: Master V8.03.644.2025.06.07
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

LINTER_RESULTS.txt

@@ -0,0 +1,16 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+This file was automatically generated by the DEPLOY BOT on: "2025-06-07T13:59:44Z".
+
+✅ The last linter check was successful. ✅
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO.public

@@ -2,26 +2,26 @@
 # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-03T12:10:46Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-07T13:28:13Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_03T11_33_11Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_06_07T12_48_35Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_03T11_33_11Z-amd64.hybrid.iso.sha512"
+  "ciss-debian-live-2025_06_07T12_48_35Z-amd64.hybrid.iso.sha512"
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaD7mRgAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEQ+bQAKCRA85KY4hzOw
-IcORAP4lGjiHbnMe3CQWMH+Tz2Z4Mp/kLXbh3K2+j6agrK1rHQEA/d1NJ9npprJN
+IdnhAQC+NGhgMMPqZgS51p59kCYSoGLDzodY7TtFOJOxLo5LeAD/bgJifC51JFju
-2TKYjeFA1sAPA/LvgAdVXKKfTlhsyww=
+RKy7e3am5Z80cAGZJ1RFliRgjJVZeAU=
-=PjlU
+=P9Qk
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_FLV_0.private

@@ -2,26 +2,26 @@
 # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-02T23:05:15Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-07T11:52:28Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_02T22_27_09Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_06_07T11_12_45Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_02T22_27_09Z-amd64.hybrid.iso.sha512"
+  "ciss-debian-live-2025_06_07T11_12_45Z-amd64.hybrid.iso.sha512"
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaD4uKwAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEQn/AAKCRA85KY4hzOw
-IQ/pAQCVmu7uuOLHWrWM4XSX/t6nD/0WLZk68aR829FhF7hqaAD7Bve8jHudhvlv
+IeMFAP0ZsIuEHFz3EgDpk1rN066VZ2nGrx3NvQenvjg5EQsRNAD+MNlJ4JE9zk17
-ewg9APapMOqKaM2aDowmuR8ONHJktAU=
+pvWF+r0l2K7P6CmxlK7WZFU2Hs6KYwc=
-=meXV
+=6azh
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_FLV_1.private

@@ -2,26 +2,26 @@
 # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-05T19:17:12Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-07T12:39:29Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_05T18_36_07Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_06_07T12_01_03Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_05T18_36_07Z-amd64.hybrid.iso.sha512"
+  "ciss-debian-live-2025_06_07T12_01_03Z-amd64.hybrid.iso.sha512"
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEHtOAAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEQzAQAKCRA85KY4hzOw
-IXO2AQC73XTi/UMGPOMQggNfFdC/D8C16l09hgrdsq+3pWsNKwD+PeJhzSwmlMRB
+IedVAQDj71Q0oAweOhYGabzgECIwgIxHPypvidif0fnjucGuIgD+O5XAvFsPnUzQ
-+3xze9K4Jw+5LOVcdGT8hkA/WmvY1ww=
+7lXvBLPURbSoa5//sgkXL3Pmik2vvwk=
-=eaNF
+=TJPq
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.400.2025.06.05-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.644.2025.06.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.644.2025.06.07<br>
 
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -121,7 +121,7 @@ The following happens in all cases:
 * The installer kernel (/install/vmlinuz) + initrd.gz are started.
 * The existing live system is exited.
 * The memory is overwritten.
-* All running processes – e.g., firewall, hardened SSH access, etc. pp. – cease to exist.
+* All running processes - e.g., firewall, hardened SSH access, etc. pp. - cease to exist.
 
 The Debian Installer loads:
 * its own kernel,

ciss_live_builder.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -40,7 +40,7 @@
 
 declare -g VAR_HANDLER_AUTOBUILD="false"
 declare -gr VAR_CONTACT="security@coresecret.eu"
-declare -gr VAR_VERSION="Master V8.03.400.2025.06.05"
+declare -gr VAR_VERSION="Master V8.03.644.2025.06.07"
 
 ### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
 declare arg

config/bootloaders/grub-efi/grub.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/bootloaders/grub-pc/grub.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0000_generate_backup_dir.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0001_initramfs_modules.chroot

@@ -148,7 +148,7 @@ cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -207,9 +207,9 @@ COMPRESS=zstd
 # Defaults vary by compressor.
 #
 # Valid values are:
-# 1–9 for gzip|bzip2|lzma|lzop
+# 1-9 for gzip|bzip2|lzma|lzop
-# 0–9 for  lz4|xz
+# 0-9 for  lz4|xz
-# 0–19 for zstd
+# 0-19 for zstd
 # COMPRESSLEVEL=3
 
 #
@@ -253,7 +253,7 @@ cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/0002_verify_checksums.chroot

@@ -27,7 +27,7 @@ cat << 'EOF' >| "${src}"
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/0003_install_backports.chroot

@@ -0,0 +1,39 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -C -e -u -o pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+# sleep 1
+
+DEBIAN_FRONTEND=noninteractive \
+  apt-get update && \
+    DEBIAN_FRONTEND=noninteractive \
+      apt-get install -y --no-install-recommends \
+        -o Dpkg::Options::="--force-confdef" \
+        -o Dpkg::Options::="--force-confold" \
+        -t bookworm-backports \
+        btrfs-progs \
+        curl \
+        debootstrap \
+        iproute2 \
+        ncat \
+        nmap \
+        ssh \
+        systemd \
+        systemd-sysv \
+        whois
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0820_kernel_hardening_checker.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9920_deleting_invalid_x509.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9940_hardening_memory.dump.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9950_fail2ban_hardening.chroot

@@ -30,7 +30,7 @@ cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
@@ -46,7 +46,7 @@ findtime  = 24h
 bantime   = 24h
 
 ### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
-###               Jump host mistyped 1–3 times: no ban, only after four attempts          [sshd]
+###               Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
 
 [sshd]
 enabled   = true

config/hooks/live/9991_file_permissions.chroot

@@ -39,6 +39,7 @@ EOF
 
 cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
 
+sed -i 's/LOGIN_TIMEOUT       60/LOGIN_TIMEOUT       180/' /etc/login.defs
 sed -i 's/UMASK		022/UMASK		077/' /etc/login.defs
 sed -i 's/PASS_MAX_DAYS	99999/PASS_MAX_DAYS	16384/' /etc/login.defs
 sed -i 's/PASS_MIN_DAYS	0/PASS_MIN_DAYS	1/' /etc/login.defs

config/hooks/live/9992_password_expiration.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/9993_aide.chroot

@@ -14,7 +14,7 @@ set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 
-apt-get install -y aide
+apt-get install -y aide > /dev/null 2>&1
 
 cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
 sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf

config/hooks/live/9994_password_policy.chroot

@@ -26,7 +26,7 @@ cat << 'EOF' >| /etc/security/pwquality.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -34,7 +34,7 @@ cat << 'EOF' >| /etc/security/pwquality.conf
 # SPDX-Security-Contact: security@coresecret.eu
 
 ### Current recommendations for '/etc/security/pwquality.conf' based on common best practices,
-### including NIST SP 800–63B, https://pages.nist.gov/800-63-3/sp800-63b.html
+### including NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
 ### and weighing usability against security.
 
 ### Configuration for systemwide password quality limits
@@ -46,7 +46,7 @@ difok = 4
 
 ### Length over complexity: Studies show that longer passphrases are significantly more
 ### resistant to brute-force and dictionary attacks. NIST recommends at least eight characters
-### but advises longer passphrases (e.g., 12–64) for increased security. Twenty characters strike a
+### but advises longer passphrases (e.g., 12-64) for increased security. Twenty characters strike a
 ### good balance between security and user convenience.
 ### Minimum acceptable size for the new password (plus one if
 ### credits are not disabled, which is the default). (See pam_cracklib manual.)
@@ -54,7 +54,7 @@ difok = 4
 minlen = 20
 
 ### dcredit = 0, ucredit = 0, lcredit = 0, ocredit = 0, minclass = 0
-### NIST SP 800–63B advises against rigid complexity rules (numbers, symbols, uppercase)
+### NIST SP 800-63B advises against rigid complexity rules (numbers, symbols, uppercase)
 ### because they can lead users to adopt predictable patterns (e.g., "Pa$$word!").
 ### Length and dictionary checks are more effective.
 

config/includes.binary/boot/grub/config.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/includes.chroot/etc/live/config.conf

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/etc/network/interfaces

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/etc/ssh/sshd_config

@@ -2,14 +2,14 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.644.2025.06.07
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -2,14 +2,14 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.644.2025.06.07
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/0_di_preseed_include_command.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/1_di_preseed_early_command.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/2_di_partman_early_command.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/3_di_preseed_late_command.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/di_scripting_flexibility.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/di_scripting_password.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -26,13 +26,13 @@ grep -o '[!-~]' /dev/urandom | tr -d '\n' | head -c64 >> "${TMP_PASSPHRASE_FILE}
 DEB_INSTALLER_CRYPT_INC_FILE=$(mktemp)
 readonly DEB_INSTALLER_CRYPT_INC_FILE
 
-# Read the first line (the passphrase) – POSIX-compliant
+# Read the first line (the passphrase) - POSIX-compliant
 # IFS= prevents leading/trailing spaces from being truncated,
 # -r ensures that backslashes are not interpreted.
 IFS= read -r passphrase < "${TMP_PASSPHRASE_FILE}"
 
 # A single printf call with exactly one redirect
-# – ShellCheck-compliant and valid in POSIX-sh
+# - ShellCheck-compliant and valid in POSIX-sh
 printf 'd-i partman-crypto/passphrase string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
 
 printf 'd-i partman-crypto/passphrase-again string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"

config/includes.chroot/preseed/.ash/di_scripting_ssh.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/.directories.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/apt.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/base.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/finished.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/firmware.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/grub.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/locale.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/modules.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/network.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/packages.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/partitioning.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/security.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/software.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/ssh.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/time.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/user.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.iso/iso.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -3,14 +3,14 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.03.400.2025.06.05"
+declare -gr VERSION="Master V8.03.644.2025.06.07"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/.lib/sshd_config.lib

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.

config/includes.chroot/preseed/preseed.cfg

@@ -4,7 +4,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024â€"2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.400.2025.06.05 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.03.644.2025.06.07 at: 10:18:37.9542

config/includes.chroot/root/.bashrc

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/root/.ciss/alias

@@ -3,14 +3,14 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-########################################################################################### ℵ
+########################################################################################### Alpha
 #######################################
 # Outputs a 16-character random printable string
 # Arguments:

config/includes.chroot/root/.ciss/clean_logout.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/root/.ciss/scan_libwrap

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/includes.chroot/root/.ciss/shortcuts

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/package-lists/live.list.amd64.chroot

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/package-lists/live.list.arm64.chroot

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/package-lists/live.list.common.chroot

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.644.2025.06.07<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.644.2025.06.07<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.644.2025.06.07<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.644.2025.06.07<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/AUDIT_TLS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.644.2025.06.07<br>
 
 # 2. TLS Audit:
 

docs/CHANGELOG.md

@@ -8,26 +8,59 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.644.2025.06.07<br>
 
 # 2. Changelog
 
+## V8.03.644.2025.06.07
+
+* Updated workflows ISO Generators Runners. 
+* Installing ``bookworm-backports`` Versions of:
+  * ``btrfs-progs``
+  * ``curl``
+  * ``debootstrap``
+  * ``iproute2``
+  * ``ncat``
+  * ``nmap``
+  * ``ssh``
+  * ``systemd``
+  * ``systemd-sysv``
+  * ``whois``
+* Changed default: ``/etc/login.defs`` ``LOGIN_TIMEOUT 60`` to: ``LOGIN_TIMEOUT 180``
+* LIVE ISO generated by workflow tested against:
+  * Netcup Root Server
+  * Proxmox 
+* LIVE ISO generated by script tested against:
+  * Netcup Root Server
+
+## V8.03.512.2025.06.06
+
+* Updated workflows: 
+  1. ``git stash push``
+  2. ``git fetch origin master``
+  3. ``git merge --no-edit origin/master``
+  4. ``git stash pop``
+
+* Changed workflows ISO Generators routines ``🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.``
+  * added ``wget --https-only`` flag
+  * added verification step
+
 ## V8.03.400.2025.06.05
 
-* The workflow image was changed to ``debian:bookworm``.
+* The workflow ISO Generators image was changed to ``debian:bookworm``.
 * Added a LIVE ISO workflow routine to build GnuPG from sources, since Bookworm GPG does not recognize key format 5.
 * Changed verbosity of:
   * [9993_aide.chroot](../config/hooks/live/9993_aide.chroot)
   * [9997_debsums.chroot](../config/hooks/live/9997_debsums.chroot)
 * Added basic linter checks for:
-  * '*.sh',
+  * **``*.sh``**,
-  * '*.zsh',
+  * **``*.zsh``**,
-  * '*.chroot',
+  * **``*.chroot``**,
-  * all files with Shebang (#!) for:
+  * all files with Shebang **``#``**! for:
     * Windows CRLF line endings
     * unauthorized control characters (C0 control characters except \t, \n)
     * non-ASCII (ambiguous UTF) characters
-  [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml)
+  * [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml)
 
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**

docs/CNET.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.644.2025.06.07<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CODING_CONVENTION.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.644.2025.06.07<br>
 
 # 2. Coding Style
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.644.2025.06.07<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.644.2025.06.07<br>
 
 # 2. Credits
 

docs/DL_PUB_ISO.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.644.2025.06.07<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 

docs/DOCUMENTATION.md

@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.644.2025.06.07<br>
 
 # 2. Usage
 ````text
 CISS.debian.live.builder
-Master V8.03.400.2025.06.05
+Master V8.03.644.2025.06.07
 
 (c) Marc S. Weidner, 2018 - 2025
 (p) Centurion Press, 2024 - 2025

docs/LICENSES/CC-BY-NC-ND-4.0.txt

@@ -1,6 +1,6 @@
 Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International
 
-  Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.
+  Creative Commons Corporation ("Creative Commons") is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an "as-is" basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.
 
 Using Creative Commons Public Licenses
 
@@ -150,6 +150,6 @@ Section 8 - Interpretation.
 
      d.	Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
 
-Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent, including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
+Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the "Licensor." Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark "Creative Commons" or any other trademark or logo of Creative Commons without its prior written consent, including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
 
 Creative Commons may be contacted at creativecommons.org.

docs/REFERENCES.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.644.2025.06.07<br>
 
 # 2. Resources
 

docs/graphviz/ciss.debian.live.builder.dot

@@ -138,15 +138,15 @@ digraph CISS_debian_live_builder {
     // Jump Host → Hidden-Master
     Jump_Host -> Hidden_Master [color=green];
 
-    // Hidden-Master → Name servers (each green with the label “HMAC SHA512”)
+    // Hidden-Master → Name servers (each green with the label "HMAC SHA512")
     Hidden_Master -> ns00 [color=green, label="HMAC SHA512"];
     Hidden_Master -> ns01 [color=green, label="HMAC SHA512"];
     Hidden_Master -> ns02 [color=green, label="HMAC SHA512"];
     Hidden_Master -> ns03 [color=green, label="HMAC SHA512"];
 
-    // Red arrows “DNSSEC” from name server cluster (ns_anchor) → B cluster (b_big_anchor)
+    // Red arrows "DNSSEC" from name server cluster (ns_anchor) → B cluster (b_big_anchor)
     ns_anchor -> b_big_anchor [color=red, label="DNSSEC"];
-    // Red arrow “DNSSEC” from nameserver cluster (ns_anchor) → cloud cluster (cloud_anchor)
+    // Red arrow "DNSSEC" from nameserver cluster (ns_anchor) → cloud cluster (cloud_anchor)
     ns_anchor -> cloud_anchor [color=red, label="DNSSEC"];
 
     // Red arrows from TLS Internet → B-Cluster and cloud

lib/lib_check_provider.sh

@@ -18,37 +18,37 @@
 check_provider() {
   clear
   cat << 'EOF' >| "${VAR_NOTES}"
-Build: Master V8.03.400.2025.06.05
+Build: Master V8.03.644.2025.06.07
 
 Press 'EXIT' to continue with CISS.debian.live.builder.
 
 When you provision ISO images using the Netcup provider, you MUST always supply a globally unique identifier
 for each image via the --control argument. If you omit this flag or reuse an existing identifier, Netcup's
 backend will automatically locate and mount the oldest ISO carrying that same name. In practice, this means
-you might believe you're booting a freshly uploaded image, but in fact the system silently reattaches an
+you might believe you're booting a freshly uploaded image, but in fact, the system silently reattaches an
-earlier one—leading to confusing failures and wasted troubleshooting time.
+earlier one-leading to confusing failures and wasted troubleshooting time.
 
-A separate but related issue emerges when booting certain Debian "cloud" kernel images—specifically those
+A separate but related issue emerges when booting certain Debian "cloud" kernel images-specifically those
-matching the patterns *.+bpo-cloud-amd64 or *.+bpo-cloud-arm64—on a Netcup G11 instance or on a Hetzner VM.
+matching the patterns *.+bpo-cloud-amd64 or *.+bpo-cloud-arm64-on a Netcup G11 instance or on a Hetzner VM.
 After the initramfs is loaded, the console output often becomes garbled or completely unreadable. This is not
 due to a kernel panic, but rather to a mismatch between the framebuffer mode expected by the initramfs and the
 one actually provided by the virtual hardware. Common workarounds, like editing the boot entry (e) and appending
 
-— 'nomodeset', or
+- 'nomodeset', or
-— 'vga=0x318',
+- 'vga=0x318',
 
 do not resolve the issue because they address legacy VGA modes rather than the EFI framebuffer parameters used
 in modern cloud images.
 
 To mitigate this, you can:
 
-— Use a plain Debian kernel (e.g., linux-image-amd64) instead of the bpo-cloud variants, which are optimized
+- Use a plain Debian kernel (e.g., linux-image-amd64) instead of the bpo-cloud variants, which are optimized
   for cloud-init but presume a different console setup.
 
-— Explicitly set an EFI-compatible framebuffer by adding something like 'video=efifb:mode=auto' to the kernel
+- Explicitly set an EFI-compatible framebuffer by adding something like 'video=efifb:mode=auto' to the kernel
   command line. This aligns the initramfs console driver with the actual firmware framebuffer.
 
-— Build a custom initramfs that includes the correct video modules or switches back to a serial console. For
+- Build a custom initramfs that includes the correct video modules or switches back to a serial console. For
   example, adding 'console=ttyS0,115200' can force all early messages to the serial port bypassing the
   graphical framebuffer entirely.
 EOF