V9.14.004.2026.05.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
V9.14.002.2026.05.13
2026-05-17 14:28:12 +01:00 · 2026-05-17 13:34:00 +01:00
69 changed files with 560 additions and 239 deletions
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.004.2026.05.17

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.004.2026.05.17

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.004.2026.05.17

 name: 💙 Generating a PUBLIC Live ISO.

@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.768.2025.12.06"
+      placeholder: "e.g., Master V9.14.004.2026.05.17"
    validations:
      required: true

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.004.2026.05.17

 FROM debian:bookworm

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.004.2026.05.17

 name: 🔁 Render README.md to README.html.

@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.768.2025.12.06
+  version: V9.14.004.2026.05.17
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.768.2025.12.06
+  version: V9.14.004.2026.05.17
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.768.2025.12.06
+  version: V9.14.004.2026.05.17
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.004.2026.05.17

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.004.2026.05.17

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.004.2026.05.17

 name: 💙 Generating a PUBLIC Live ISO.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.004.2026.05.17

 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.004.2026.05.17

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.004.2026.05.17

 name: 🔁 Render Graphviz Diagrams.

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.768.2025.12.06"
+properties_version="V9.14.004.2026.05.17"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -0,0 +1,86 @@
+# AGENTS.md
+
+## Repository purpose
+
+This repository builds and maintains Debian-based live/installer infrastructure.
+Treat changes as security-sensitive and boot-chain-sensitive.
+Follow `docs/CODING_CONVENTION.md` for coding style and `code_review.md` for reviews.
+
+## Non-negotiable constraints
+
+- Target distribution: Debian 13 Trixie unless explicitly stated otherwise.
+- Do not introduce Ubuntu-specific assumptions.
+- Do not invent live-build, initramfs, cryptsetup, systemd, GRUB, or Debian package behavior. Verify against existing files or
+  official documentation.
+- Do not add phase-argument gates to live-boot/initramfs scripts. Script execution is controlled by Debian hook placement.
+- Preserve encrypted-root / encrypted-SquashFS architecture unless the task explicitly changes it.
+- Prefer simple, inspectable Bash over clever abstractions.
+
+## Repository workflow
+
+Before editing:
+- Inspect the relevant scripts, hooks, config files, README files, and existing naming conventions.
+- Identify the exact boot/build phase affected by the change.
+- Explain the minimal intended change.
+
+Boot/build phases:
+- host-side orchestration: `ciss_live_builder.sh`, `lib/*.sh`, `makefile`
+- live-build hooks: `config/hooks/live/*.chroot` and `config/hooks/live/*.binary`
+- initramfs hooks/scripts: `config/includes.chroot/etc/initramfs-tools/*`
+- live-boot runtime scripts: `config/includes.chroot/usr/lib/live/boot/*`
+
+After editing:
+- Run the most relevant available checks.
+- At minimum, run syntax checks for changed shell scripts:
+  - `bash -n <file>`
+  - `shellcheck <file>` if available
+- If POSIX shell scripts are changed, run `sh -n <file>` where Bash syntax is not expected.
+- If the make wrapper or builder argument composition changes, run `make dry-run`.
+- If Python files are introduced or changed:
+  - `ruff check`
+  - `mypy`
+  - `pytest` if tests exist
+- If CLI options or user-facing behavior change, update `usage()` and the relevant README/docs.
+- If live-build, initramfs, or ISO behavior changes, describe the required Debian Trixie live-build or ISO validation command.
+
+## Bash conventions
+
+- Use explicit error handling.
+- Quote expansions.
+- Prefer arrays where word splitting matters.
+- Avoid `eval`.
+- Avoid parsing `ls`.
+- Keep functions small and readable.
+- Use English comments.
+- Explain security-sensitive fallbacks.
+- Fail closed where possible.
+
+## Python conventions
+
+- Use Python 3.14-compatible code unless the project states otherwise.
+- Use pathlib.
+- Add type hints.
+- Keep ruff and mypy compatibility.
+- Avoid broad `except Exception` unless justified and logged.
+- Prefer explicit models/config objects over unstructured dictionaries for durable interfaces.
+
+## Security review checklist
+
+Before finalizing a change, check whether it affects:
+- boot trust
+- initramfs behavior
+- cryptsetup/LUKS handling
+- key material
+- remote unlock
+- TLS/mTLS verification
+- signature/hash verification
+- network exposure
+- file permissions
+- persistence
+- logging of sensitive values
+
+If affected, document the risk and mitigation in the final response.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.768.2025.12.06
+PackageVersion: Master V9.14.004.2026.05.17
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.768.2025.12.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.004.2026.05.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -11,10 +11,10 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.25.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Runner-0.2.13-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.26.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Runner-1.0.3-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2026.1.1-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.11-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu) &nbsp;
@@ -26,11 +26,11 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 **CISS.debian.live.builder — First of its own.**<br>
-**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
+**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**

 Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed 
 to serve as a reference implementation for hardened, image-based Debian deployments.
@@ -175,7 +175,7 @@ installer toolchain.

 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.

-Example: `V8.13.768.2025.12.06`
+Example: `V9.14.004.2026.05.17`

 `x.y.z` represents major (x), minor (y), and patch (z) version increments.

@@ -221,7 +221,7 @@ The parameters fall into several categories.
 * The audit subsystem is configured to be always on ``audit=1`` and to tolerate heavy bursts without dropping events ``audit_backlog_limit=262144``. I treat the audit trail as an evidentiary artifact; truncation because of backlog limits is not acceptable in that model.
 * The debug surface of the kernel is reduced aggressively. ``debugfs=off`` avoids a traditional footgun that exposes kernel internals in a way that is friendly to attackers and rarely necessary in production.
 * Memory is hardened on several levels at allocation time and at free time. ``init_on_alloc=1`` and ``init_on_free=1`` provide deterministic zeroing, ``page_poison=1`` fills freed pages with a poison pattern, and ``page_alloc.shuffle=1`` shuffles the allocator so that a process can no longer rely on stable physical patterns. Together these measures raise the cost of use-after-free exploitation and other memory corruption attacks.
-* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough ``iommu.passthrough=0`` and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
+* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough, and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
 * ``kfence.sample_interval=100`` activates KFENCE with a sampling interval that is still usable in production but sensitive enough to catch a meaningful subset of memory safety bugs under real workloads.
 * Virtualization-specific knobs include ``kvm.nx_huge_pages=force``, to keep huge pages non-executable, and ``l1d_flush=on`` so that context switches flush the L1 data cache where needed.
 * ``lockdown=integrity`` places the kernel into lockdown mode with an emphasis on integrity. In this project I consider the integrity of the system more critical than the ability to introspect a running kernel from userspace.
@@ -7,14 +7,14 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Repository Structure

 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.768.2025.12.06** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.004.2026.05.17** (as of 2025-10-11)

 ## 3.1. Top-Level Layout

@@ -15,7 +15,7 @@
 ### WHY BASH?
 # Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
 # and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
-# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
+# are available natively; no external binaries are required. Cross-platform consistency. '/bin/bash' is the default shell on most
 # Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
 # default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
 # or Cygwin on Windows systems.
@@ -0,0 +1,49 @@
+# code_review.md
+
+Review priorities, in order:
+
+1. Correctness
+2. Security regressions
+3. Boot/build reproducibility
+4. Data loss risk
+5. Error handling
+6. Test coverage
+7. Maintainability
+8. Minimality of diff
+9. Style consistency
+
+Finding classes:
+- BLOCKER: proven correctness bug, security regression, build break, boot break, or data loss risk that must be fixed before
+  merge
+- RISK: plausible issue or security concern that is not fully proven from the available context
+- CLEANUP: maintainability, readability, or consistency improvement that is not required for correctness
+- NOTE: observation only; no change requested
+
+Review output format:
+- List findings first, ordered by severity.
+- Cite file paths and line numbers where possible.
+- For each finding, explain the concrete impact, and the smallest reasonable fix.
+- Separate observations, inferences, and recommendations.
+- After findings, list missing checks or residual risks.
+- If there are no findings, say so explicitly and still mention relevant test gaps.
+
+Do not nitpick formatting if automated tooling exists.
+Do not invent requirements not present in the task, repository, or documentation.
+
+Security-sensitive review checklist:
+- boot trust
+- initramfs behavior
+- cryptsetup/LUKS handling
+- encrypted SquashFS handling
+- key material
+- remotely unlock
+- TLS/mTLS verification
+- signature/hash verification
+- network exposure
+- file permissions
+- persistence
+- logging of sensitive values
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -10,6 +10,9 @@
 # SPDX-Security-Contact: security@coresecret.eu

 BUILD_DIR            ?=
+
+### Optional Dropbear source override; empty uses VAR_DROPBEAR_VERSION from var/global.var.sh:
+DROPBEAR_VERSION     ?=
 PROVIDER_NETCUP_IPV6 ?=
 ROOT_PASSWORD_FILE   ?=
 SSH_PORT             ?=
@@ -18,14 +18,33 @@ export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"

 ### Declare Arrays, HashMaps, and Variables.
-declare var_dropbear_version="2025.88"
+declare var_dropbear_env="/root/dropbear.env"
+[[ -r "${var_dropbear_env}" ]] || {
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
+  exit 43
+}
+
+# shellcheck disable=SC1090
+. "${var_dropbear_env}"
+declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
+[[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+  exit 43
+}
+
 declare var_tar="/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
 declare var_build_dir="/root/build/dropbear-${var_dropbear_version}"
 declare var_logfile="/root/.ciss/cdlb/log/0020_dropbear_build.log"

 mkdir -p "/root/build"
+
+[[ -r "${var_tar}" ]] || {
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear tarball: [%s] \e[0m\n" "${var_tar}" >&2
+  exit 43
+}
+
 cp "${var_tar}" "/root/build"
-tar xjf "/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" -C "/root/build"
+tar xjf "${var_tar}" -C "/root/build"
 cp "/root/dropbear/localoptions.h" "${var_build_dir}"
 cd "${var_build_dir}"

@@ -13,13 +13,28 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

-### Declare Arrays, HashMaps, and Variables.
-declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
-
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"

+### Declare Arrays, HashMaps, and Variables.
+declare var_dropbear_env="/root/dropbear.env"
+[[ -r "${var_dropbear_env}" ]] || {
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
+  exit 43
+}
+
+# shellcheck disable=SC1090
+. "${var_dropbear_env}"
+declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
+[[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+  exit 43
+}
+
+declare var_dropbear_build_dir="/root/build/dropbear-${var_dropbear_version}"
+declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
+
 apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
 apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
 apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
@@ -32,16 +47,18 @@ rm -f /root/dropbear.file

 mkdir -p /root/.ciss/cdlb/backup/usr/sbin
 mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie
-install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
+install -m 0755 -o root -g root "${var_dropbear_build_dir}/dropbear" /usr/sbin/

 mkdir -p /root/.ciss/cdlb/backup/usr/bin
 for var_file in dbclient dropbearconvert dropbearkey; do

  mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie"
-  install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/
+  install -m 0755 -o root -g root "${var_dropbear_build_dir}/${var_file}" /usr/bin/

 done

+rm -f "${var_dropbear_env}"
+
 mkdir -p /etc/initramfs-tools/scripts/init-bottom

 cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
@@ -17,7 +17,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"

-SOPS_VER="v3.11.0"
+SOPS_VER="v3.13.0"
 ARCH="$(dpkg --print-architecture)"
 case "${ARCH}" in
  amd64)  SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
@@ -122,7 +122,7 @@ x509_extensions	= usr_cert		# The extensions to add to the cert
 name_opt 	= ca_default		# Subject Name options
 cert_opt 	= ca_default		# Certificate field options

-# Extension copying option: use with caution.
+# Extension copying option: use it with caution.
 # copy_extensions = copy

 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
@@ -232,7 +232,7 @@ basicConstraints=CA:FALSE
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

-# PKIX recommendations harmless if included in all certificates.
+# PKIX recommendations are harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer

@@ -282,7 +282,7 @@ basicConstraints = critical,CA:true

 # DER hex encoding of an extension: beware experts only!
 # obj=DER:02:03
-# Where 'obj' is a standard or added object
+# Where 'obj' is a standard or added object.
 # You can even override a supported extension:
 # basicConstraints= critical, DER:30:03:01:01:FF

@@ -305,7 +305,7 @@ basicConstraints=CA:FALSE
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

-# PKIX recommendations harmless if included in all certificates.
+# PKIX recommendations are harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer

@@ -418,33 +418,24 @@ ssl_conf = ssl_sect
 system_default = system_default_sect

 [system_default_sect]
-# Protocol floor / ceiling:
-# - only TLS 1.2 and 1.3.
-# - TLS 1.3 is FS by design;
-# - TLS 1.2 FS enforced via the cipher list.
 MinProtocol = TLSv1.2
 MaxProtocol = TLSv1.3

-# TLS 1.2 cipher policy:
-# - Forward secrecy only: ECDHE or DHE (no static RSA kx);
-# - AES-256 *GCM* only (no DHE (dheatattack), no AES-128, no CBC);
-# - Keep distro default SECLEVEL=2 explicitly.
-CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA256-GCM:!kRSA:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
+# TLS 1.2: FS only, AEAD only, no AES128, no static RSA negotiation, no DHE negotiation.
+CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:!AES128:!kRSA:!DHE:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2

-# TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only:
+# TLS 1.3: only AES-256-GCM and ChaCha20-Poly1305.
 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

-# Prefer strong, widely supported ECDHE groups (first = most preferred):
+# Preferred ECDHE groups.
 Groups = X448:P-521:P-384

-SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
-
-# Operational flags:
-# -SessionTicket  : disable TLS session tickets (TLS 1.2 + 1.3)
-# ServerPreference: honor server cipher order (TLS 1.2)
-# NoRenegotiation : disallow TLS 1.2 renegotiation
+# Flags: Tickets off, servers order, renegotiation off.
 Options = -SessionTicket,ServerPreference,NoRenegotiation

+# Permitted signature algorithms.
+SignatureAlgorithms = ecdsa_secp521r1_sha512:ecdsa_secp384r1_sha384:ed448:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

@@ -0,0 +1,19 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2026-05-16; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,6 +11,8 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

+# ToDo: Unify --integrity hmac-sha512 mode for standalone and runner mode.
+
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 __umask=$(umask)
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.004.2026.05.17

 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.004.2026.05.17

 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.004.2026.05.17

 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -gr VERSION="Master V8.13.768.2025.12.06"
+declare -gr VERSION="Master V9.14.004.2026.05.17"

 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh

 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.768.2025.12.06 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.004.2026.05.17 at: 10:18:37.9542
@@ -22,7 +22,7 @@ esac

 run_dropbear() {
    ### CISS.debian.live.builder
-    ### Remove old flags for dropbear version 2025.88-2.
+    ### Remove old flags from the Debian dropbear-initramfs wrapper.
    ### Only accepts flags from '/etc/dropbear/dropbear.conf'.

    #local flags="Fs"
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. DNSSEC Status

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Haveged Audit on Netcup RS 2000 G11

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Lynis Audit:

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. SSH Audit by ssh-audit.com

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. TLS Audit:
 ````text
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Hardened Kernel Boot Parameters

@@ -7,11 +7,25 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Changelog

+## V9.14.004.2026.05.17
+* **Added**: [AGENTS.md](../AGENTS.md)
+* **Added**: [code_review.md](../code_review.md)
+* **Changed**: [CODING_CONVENTION.md](CODING_CONVENTION.md)
+
+## V9.14.002.2026.05.13
+* **Added**: [9935_hardening_ssl.chroot](../config/hooks/live/9935_hardening_ssl.chroot)
+* **Added**: [dropbear-2026.91.tar.bz2](../upgrades/dropbear/dropbear-2026.91.tar.bz2)
+* **Added**: [dropbear-2026.91.tar.bz2.asc](../upgrades/dropbear/dropbear-2026.91.tar.bz2.asc)
+* **Added**: Dropbear Version Argument ``--dropbear-version=*`` and ``--dropbear-version <STRING>``
+* **Changed**: [SHA512SUM.asc](../upgrades/dropbear/SHA512SUM.asc)
+* **Changed**: ``dropbear 2025.88`` to ``dropbear 2026.91``
+* **Changed**: ``sops 3.11.0`` to ``sops 3.13.0``
+
 ## V8.13.768.2025.12.06
 * **Global**: Stable Release

@@ -119,13 +133,13 @@ include_toc: true
 * **Updated**: [AUDIT_LYNIS.md](AUDIT_LYNIS.md) + updated: Lynis Version 3.1.6

 ## V8.13.400.2025.11.08
-* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) - GPG key handling
-* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) - Unified naming scheme
-* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) - Unified naming scheme
-* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) - Unified naming scheme, added verbosity output
-* **Changed**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) - added verbosity output
-* **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) - bugfixes
-* **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) - moved ``update-initramfs`` to:
+* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) : GPG key handling
+* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) : Unified naming scheme
+* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) : Unified naming scheme
+* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) : Unified naming scheme, added verbosity output
+* **Changed**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) : added verbosity output
+* **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) : bugfixes
+* **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) : moved ``update-initramfs`` to:
 * **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot)

 ## V8.13.392.2025.11.07
@@ -221,7 +235,7 @@ include_toc: true
 * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) changed var injection
 * **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) changed var injection
 * **Updated**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) changed var injection
-* **Removed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - yq
+* **Removed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) : yq

 ## V8.13.280.2025.10.23
 * **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) + 10-ciss-noise-floor.rules
@@ -244,8 +258,8 @@ include_toc: true
 * **Added**: [.zshenv](../config/includes.chroot/root/.zshenv)
 * **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
 * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) updated ignoreip
-* **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) + rsyslog
-* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - haveged, + jitterentropy-rngd
+* **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) added: rsyslog
+* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) removed: haveged, added: jitterentropy-rngd

 ## V8.13.192.2025.10.18
 * **Added**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Centurion Net - Developer Branch Overview

@@ -6,86 +6,128 @@ include_toc: true
 # 1. CISS.debian.live.builder

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
-*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*

-# 2. Coding Style
+# 2. Purpose

-## 2.1. PR
+This document defines the coding and review conventions for this repository.

-You'd make the life of the maintainers easier if you submit only _one_ patch with _one_ functional change per PR.
+The project builds Debian-based live and installer infrastructure. Treat every change as security-sensitive and
+boot-chain-sensitive, especially changes that affect initramfs behavior, encrypted SquashFS handling, LUKS, Dropbear, GRUB,
+checksums, signatures, package sources, hardening settings, or network exposure.

-## 2.2 Documentation
+# 3. Change discipline

-Some people really read that ! New features would need to be documented in the appropriate section in `usage()` and in
-`~/docs/DOCUMENTATION.md`.
+* Keep changes small, local, and reviewable.
+* Make one functional change per pull request or patch set.
+* Preserve existing architecture, naming style, error handling, formatting, and security posture.
+* Do not introduce Ubuntu-specific assumptions. The default target distribution is Debian 13 Trixie.
+* Do not invent live-build, live-boot, initramfs, cryptsetup, GRUB, systemd, or Debian package behavior. Verify against existing
+  code or authoritative Debian/upstream documentation.
+* Do not weaken cryptography, authentication, sandboxing, permission checks, TLS verification, signature verification, checksum
+  verification, or input validation unless the task explicitly requires it and the risk is documented.
+* Prefer simple, inspectable Bash over clever abstractions.

-## 2.3. Coding
+# 4. Boot and build phases

-### 2.3.1. Shell / bash
+Identify the affected phase before changing behavior:

-Bash is actually quite powerful—not only with respect to sockets. It's not as mighty as perl or python, but there are a lot of
-neat features. Here's how you make use of them. Besides those short hints here, there's a wealth of information there.
+* `ciss_live_builder.sh` and `lib/*.sh`: host-side orchestration and argument handling.
+* `makefile`: local wrapper for composing and executing builder invocations.
+* `config/hooks/live/*.chroot`: live-build chroot hooks.
+* `config/hooks/live/*.binary`: live-build binary-image hooks.
+* `config/includes.chroot/etc/initramfs-tools/hooks/*`: initramfs build hooks.
+* `config/includes.chroot/etc/initramfs-tools/scripts/*`: initramfs boot scripts.
+* `config/includes.chroot/usr/lib/live/boot/*`: live-boot runtime scripts.
+* `scripts/*`: source files copied into the generated image or used by build helpers.

-* Don't use backticks anymore, use `$(..)` instead
-* Use double square `[[]]` brackets (_conditional expressions)_ instead of single square `[]` brackets
-* In double square brackets, avoid quoting at the right-hand side if not necessary. For regex matching (`=~`) you shouldn't
-  quote at all.
-* The [BashPitfalls](http://mywiki.wooledge.org/BashPitfalls) is a good read!
-* Whenever possible try to avoid `tr` `sed` `awk` and use bash internal functions instead, see
-  e.g., [bash shell parameter substitution](http://www.cyberciti.biz/tips/bash-shell-parameter-substitution-2.html). It is
-  slower as it forks, fopens and pipes back the result.
-* `read` often can replace `awk`: `IFS=, read -ra a b c <<< "$line_with_comma"`
-* Bash can also deal perfectly with regular expressions, see
-  e.g., [here](https://www.networkworld.com/article/2693361/unix-tip-using-bash-s-regular-expressions.html)
-  and [here](https://unix.stackexchange.com/questions/421460/bash-regex-and-https-regex101-com).
-* If you still need to use any of `tr`, `sed` and `awk`: try to avoid a mix of several external binaries e.g., if you can
-  achieve the same with e.g. `awk`.
-* Be careful with very advanced bash features. Mac OS X is still using bash version
-  3 ([differences](http://tldp.org/LDP/abs/html/bashver4.html)).
-* Always use a return value for a function/method. 0 means all is fine.
-* Make use of [shellcheck](https://github.com/koalaman/shellcheck) if possible.
-* Follow the [shellformat](https://google.github.io/styleguide/shellguide.html) Shell-Style Guide.
+Do not add ad-hoc phase arguments to live-boot or initramfs scripts. Execution phase must be controlled by the directory and
+hook placement expected by Debian tooling.

-### 2.3.2. Shell specific
+# 5. Bash style

-* Security:
-  * Watch out for any input especially (but not only) supplied from the server. Input should never be trusted.
-  * Unless you're really sure where the values come from, variables need to be put in quotes.
+* Use Bash for builder scripts and live-build hooks when the existing file uses Bash.
+* Use POSIX `sh` only where Debian hook interfaces or neighboring files require it. Keep such files POSIX-compatible.
+* Prefer `set -Ceuo pipefail` for Bash scripts where feasible. If a script cannot use strict mode safely, keep the exception
+  local and make the reason clear.
+* Quote expansions unless word splitting or globbing is explicitly required.
+* Prefer arrays where arguments or file names may contain whitespace.
+* Use `[[ ... ]]` for Bash conditionals. For regular-expression matches with `=~`, do not quote the right-hand regex.
+* Use `$(...)` command substitution, not backticks.
+* Avoid `eval`.
+* Avoid parsing `ls`.
+* Prefer `command -v` over `which`.
+* Check command results explicitly when failure needs custom handling.
+* Use `case` for option dispatch and multi-branch string handling.
+* Keep functions small and readable.
+* Use English comments. Add comments for non-obvious security or boot-chain decisions, not for obvious assignments.

-### 2.3.3. Variables
+# 6. Variables and functions

-* Use **"speaking variables"** but don't overdo it with the length.
-* No _camelCase_, please. We distinguish between lowercase and uppercase only.
-  * Global variables:
-    * use them only when really necessary,
-    * in CAPS,
-    * initialize them (`declare -g VAR_EXAMPLE=""`),
-    * SHOULD start with:
-      * `ARY_`  for Arrays,
-      * `C_`    for Variables defining colored outputs,
-      * `ERR_`  for Error Codes Variables,
-      * `HMP_`  for HashMap Arrays,
-      * `LOG_`  for Logfile Variables,
-      * `PID_`  for PID Variables,
-      * `PIPE_` for PIPE Variables,
-      * `VAR_`  for Variables
-  * Local variables:
-    * are lower case,
-    * declare them before usage (`declare` eq `local`),
-    * initialize them (`declare var_example=""`),
-    * SHOULD start with:
-      * `ary_` for Arrays,
-      * `c_` for Variables defining colored outputs,
-      * `err_` for Error Codes Variables,
-      * `hmp_` for HashMap Arrays,
-      * `log_` for Logfile Variables,
-      * `var_` for Variables.
+Follow the existing repository naming style:

-# 3. Misc
+* Global variables are uppercase and initialized before use.
+* Global arrays use the `ARY_` prefix where this convention already applies.
+* Other established global prefixes include `C_`, `ERR_`, `HMP_`, `LOG_`, `PID_`, `PIPE_`, and `VAR_`.
+* Local variables are lowercase and initialized before use.
+* Local array and helper prefixes include `ary_`, `c_`, `err_`, `hmp_`, `log_`, and `var_`.
+* Function names use lowercase words separated by underscores.
+* Prefer `declare` or `local` consistently with the surrounding file.

-* Test before doing a PR! Best if you check with two bad and two good examples, which should then work as expected.
+# 7. Input, secrets, and files
+
+* Treat CLI arguments, environment variables, generated file paths, network data, package metadata, and user-provided files as
+  untrusted until validated.
+* Validate ports, IP addresses, kernel version strings, paths, package names, and feature flags before use.
+* Fail closed when validation cannot prove that continuing is safe.
+* Do not print secrets, private keys, passphrases, tokens, or sensitive environment values.
+* Use restrictive permissions for generated secret material.
+* Prefer `mktemp` for temporary files and clean them up with traps when appropriate.
+* Do not create persistent state unless the behavior is intentional and documented.
+
+# 8. Dependencies and downloads
+
+* Do not add new runtime dependencies unless the task requires them. Prefer standard Debian tooling or existing project helpers.
+* When a dependency is needed, document why an existing or standard-library alternative is insufficient.
+* Do not add remote downloads, auto-update behavior, telemetry, or network callbacks without explicit justification.
+* For required downloads, use HTTPS where applicable and preserve or add signature/checksum verification.
+* Do not use `curl | sh`, `wget | sh`, or equivalent execution of unaudited remote content.
+
+# 9. Documentation
+
+Update documentation together with behavior:
+
+* New or changed CLI options must update `usage()` and relevant README or documentation sections.
+* Boot parameter changes must update `docs/BOOTPARAMS.md` where applicable.
+* Security-sensitive behavior changes must update the relevant audit, manual, or security documentation.
+* Generated examples must stay valid for Debian 13 Trixie unless the task explicitly targets another release.
+* Code comments, embedded prompts, commit messages, and repository documentation should normally be written in English.
+
+# 10. Formatting
+
+* Preserve SPDX headers and existing file headers where present.
+* New source or configuration files should include the project SPDX header when comparable files already use one.
+* Follow `.editorconfig`: LF line endings, UTF-8 where configured, two-space Markdown indentation, and tabs for `makefile`
+  recipes.
+* Keep line lengths readable and consistent with neighboring files.
+* Do not churn formatting unrelated to the task.
+
+# 11. Checks
+
+Run the narrowest checks that prove the change:
+
+* Shell files: `bash -n <file>` for Bash scripts, and `shellcheck <file>` when ShellCheck is available.
+* POSIX shell files: `sh -n <file>` where Bash syntax is not expected.
+* Make wrapper or argument-composition changes: `make dry-run`.
+* Python files, if introduced or changed: `ruff check`, `mypy`, and `pytest` when tests exist.
+* Live-build, initramfs, or ISO behavior changes: document the required Debian Trixie build validation command, normally
+  `make live` or the equivalent `./ciss_live_builder.sh ...` invocation.
+
+If a relevant check cannot be run in the current environment, state the exact reason and the command that should be run locally.
+
+# 12. Code review
+
+Reviews follow `code_review.md`.

 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Contributing / participating

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Credits

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

@@ -7,15 +7,15 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)

 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V8.13.768.2025.12.06
+Master V9.14.004.2026.05.17
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2025
@@ -65,6 +65,12 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
      - https://dns02.eddns.de/
      - https://dns03.eddns.eu/
      
+  --dropbear-version <STRING>
+    Selects the bundled Dropbear source tarball version used for the hardened initramfs build.
+    The matching file MUST exist as:
+    <./upgrades/dropbear/dropbear-<STRING>.tar.bz2>
+    If omitted defaults to VAR_DROPBEAR_VERSION from <./var/global.var.sh>.
+
  --jump-host <IP | IP | ... >
    Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6
    addresses and / or CCDIR notation. If provided, than it MUST be a <SPACE> separated list.
@@ -146,7 +152,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/

-                        V8.13.768.2025.12.06                        2025-11-06                         CDLB(1)
+                        V9.14.004.2026.05.17                        2025-11-06                         CDLB(1)
 ````

 # 3. Booting
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)

@@ -220,7 +220,7 @@ cryptsetup luksFormat \
  * Root FS (for 0042): `/etc/ciss/keys/<FPR>.gpg`
 * **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`

-# 13. Diagram: CISS Live ISO Build, Boot and Run Time Trust Chain & Verification Paths
+# 13. Diagram: CISS Live ISO Build, Boot, and Run Time Trust Chain & Verification Paths
 ```mermaid
 flowchart TD

@@ -261,7 +261,7 @@ I -- FAIL --> X;

 # 14. Closing Remarks

-This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases make the state transparent and deterministic.
+This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot, and active attacks **both before and after decryption**. The dual-verification phases make the state transparent and deterministic.

 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. Resources

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. ``30-ciss-hardening.conf``

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. ``90-ciss-local.hardened``

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.004.2026.05.17<br>

 # 2. ``ciss_live_builder.sh``

@@ -21,7 +21,9 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   VAR_AGE_KEY
 #   VAR_ARCHITECTURE
 #   VAR_BUILD_LOG
+#   VAR_DROPBEAR_VERSION
 #   VAR_EARLY_DEBUG
+#   VAR_GITEA_RUNNER
 #   VAR_HANDLER_AUTOBUILD
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_HANDLER_CDI
@@ -38,6 +40,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   VAR_REIONICE_CLASS
 #   VAR_REIONICE_PRIORITY
 #   VAR_SIGNER
+#   VAR_SIGNING_CA
 #   VAR_SIGNING_KEY
 #   VAR_SIGNING_KEY_FPR
 #   VAR_SIGNING_KEY_PASS
@@ -51,6 +54,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   0: on success
 #   ERR_ARG_MSMTCH: on failure
 #   ERR_CONTROL_CT: on failure
+#   ERR_DROPBEAR_V: on failure
 #   ERR_MISS_PWD_F: on failure
 #   ERR_MISS_PWD_P: on failure
 #   ERR_NOTABSPATH: on failure
@@ -205,6 +209,32 @@ arg_parser() {
          shift 1
          ;;

+        --dropbear-version)
+          if [[ -n "${2-}" && "${2}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
+            # shellcheck disable=SC2034
+            declare -gx VAR_DROPBEAR_VERSION="${2}"
+            shift 2
+          else
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ ERROR: --dropbear-version MUST match '<YYYY>.<NUMBER>'.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_DROPBEAR_V}"
+          fi
+          ;;
+
+        --dropbear-version=*)
+          if [[ "${1#*=}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
+            # shellcheck disable=SC2034
+            declare -gx VAR_DROPBEAR_VERSION="${1#*=}"
+            shift 1
+          else
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ ERROR: --dropbear-version MUST match '<YYYY>.<NUMBER>'.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_DROPBEAR_V}"
+          fi
+          ;;
+
        --jump-host)
          if [[ -n "${2-}" && "${2}" != -* ]]; then
            declare -i count=0
@@ -72,8 +72,8 @@ lb_config_write_trixie() {
    --initramfs-compression gzip \
    --initsystem systemd \
    --iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20250505 - Debian-Installer: trixie" \
-    --iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
-    --iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
+    --iso-preparer '(C) 2018-2026, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
+    --iso-publisher '(P) 2018-2026, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
    --iso-volume 'CISS.debian.live' \
    --linux-flavours "${VAR_KERNEL}" \
    --linux-packages linux-image \
@@ -108,11 +108,9 @@ lb_config_write_trixie() {

  sleep 1

-
  sed -i 's/^LB_CHECKSUMS=.*/LB_CHECKSUMS="sha512 sha384 sha256"/' ./config/binary
  sed -i 's/^LB_DM_VERITY=.*/LB_DM_VERITY="false"/'                ./config/binary

-
  ### https://wiki.debian.org/ReproducibleInstalls/LiveImages
  ### https://reproducible-builds.org/docs/system-images/
  ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes
@@ -18,6 +18,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   BASH_SOURCE
 #   VAR_AGE
 #   VAR_AGE_KEY
+#   VAR_DROPBEAR_VERSION
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_SSHFP
 #   VAR_TMP_SECRET
@@ -31,13 +32,32 @@ init_primordial() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  ### Prepare CISS dropbear integration ----------------------------------------------------------------------------------------
-  declare var_dropbear_version="2025.88"
+  declare var_dropbear_version="${VAR_DROPBEAR_VERSION}"
+  declare var_dropbear_tar="${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
+
+  if [[ ! "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
+
+    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+    return "${ERR_DROPBEAR_V}"
+
+  fi
+
+  if [[ ! -r "${var_dropbear_tar}" ]]; then
+
+    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Dropbear tarball not found: [%s] \e[0m\n" "${var_dropbear_tar}" >&2
+    return "${ERR_DROPBEAR_V}"
+
+  fi

  install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/files"
  install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/build"
  install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear"

-  install    -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2" \
+  printf 'DROPBEAR_VERSION="%s"\n' "${var_dropbear_version}" \
+    >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.env"
+  chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.env"
+
+  install    -m 0444 "${var_dropbear_tar}" \
    "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
  install    -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/localoptions.h" \
    "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/localoptions.h"
@@ -39,17 +39,17 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.768.2025.12.06                        2025-12-05                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V9.14.004.2026.05.17                        2026-05-13                         CDLB(1)" "${var_cols}")

  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.768.2025.12.06\e[0m"
+    echo -e "\e[92mMaster V9.14.004.2026.05.17\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
-    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
-    echo -e "\e[97m(p) Centurion Press, 2024 - 2025 \e[0m"
+    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
+    echo -e "\e[97m(p) Centurion Press, 2024 - 2026 \e[0m"
    echo
    echo -e "\e[97m${0} <option>, where <option> is one or more of: \e[0m"
    echo
@@ -95,6 +95,12 @@ usage() {
    echo "      - https://dns02.eddns.de/"
    echo "      - https://dns03.eddns.eu/"
    echo
+    echo -e "\e[97m  --dropbear-version <STRING> \e[0m"
+    echo "    Selects the bundled Dropbear source tarball version used for the hardened initramfs build."
+    echo "    The matching file MUST exist as:"
+    echo "    <./upgrades/dropbear/dropbear-<STRING>.tar.bz2>"
+    echo "    If omitted defaults to VAR_DROPBEAR_VERSION from <./var/global.var.sh>."
+    echo
    echo -e "\e[97m  --jump-host <IP | IP | ... > \e[0m"
    echo "    Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6 "
    echo "    addresses and / or CCDIR notation. If provided, than it MUST be a <SPACE> separated list."
@@ -27,6 +27,7 @@ TIMESTAMP            ?= $(shell date -u +%Y-%m-%dT%H-%M-%S)
 ARCH                 ?= amd64
 AUTOBUILD            ?= 6.16.3+deb13-amd64
 CONTROL              ?= $(TIMESTAMP)
+DROPBEAR_VERSION     ?= 2026.91

 ### Nice/ionice settings:
 RENICE               ?= -19
@@ -53,6 +54,7 @@ define COMPOSE_AND
 	cmd+=( --ssh-pubkey '$(SSH_PUBKEY)' )
 	### Optional flags:
 	[[ -n '$(AUTOBUILD)'            ]] && cmd+=( --autobuild=$(AUTOBUILD) )
+	[[ -n '$(DROPBEAR_VERSION)'     ]] && cmd+=( --dropbear-version '$(DROPBEAR_VERSION)' )
 	[[ -n '$(FLAG_CDI)'             ]] && cmd+=( --cdi )
 	[[ -n '$(FLAG_DEBUG)'           ]] && cmd+=( --debug )
 	[[ -n '$(FLAG_DHCP_CENTURION)'  ]] && cmd+=( --dhcp-centurion )
@@ -130,7 +130,7 @@ main() {
  touch "${var_log}"


-  printf "CISS.debian.installer Master V8.13.768.2025.12.06 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V9.14.004.2026.05.17 is up! \n" >> "${var_log}"

  ### Sleep a moment to settle boot artifacts.
  sleep 8
@@ -209,7 +209,7 @@ main() {

  ### Timeout reached without acceptable semaphore.
  logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V8.13.768.2025.12.06: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V9.14.004.2026.05.17: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"

  exit 0
 }
@@ -1,24 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512

-eb16a13aa44732cab4db009bd55903e45f8756598683377bfe55185fbf0e3265  CHANGES
-738b7f358547f0c64c3e1a56bbc5ef98d34d9ec6adf9ccdf01dc0bf2caa2bc8d  dropbear-2025.87.tar.bz2
-af24198895f604c2e114abe29a2f0c3fe30831e6db26e0f93fd5f78e734b61be  dropbear-2025.87.tar.bz2.asc
-783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4  dropbear-2025.88.tar.bz2
-fe40fd8f40a7c5498025cc2058eaecbcd9e649a833d6cdecdab35f1156f4d411  dropbear-2025.88.tar.bz2.asc
+16be820347723271b0fea6049ffeed6d6680d7429c65406d8af37776393a0250  dropbear-2026.90.tar.bz2
+594ac6bd51f361890f6bd829bfe1ce92d241e5f8662d595c13a789e31563f5f7  dropbear-2026.90.tar.bz2.asc
+defa924475abf6bc1e74abc00173e46bfdc804bd47caafa14f5a4ef0cc76da34  dropbear-2026.91.tar.bz2
+26888fbc9cca8ae8026ea754d711edeb5fdbde0a31f897164695bf59035693fb  dropbear-2026.91.tar.bz2.asc
 -----BEGIN PGP SIGNATURE-----

-iQIzBAEBCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbUOIACgkQRJMUlPKc
-Z3OS6w//bPQkIfs5ErkEBNRJDkYCDGekydYur0e2KtA2FX+vgPYI289FM4tXaD5f
-hlBBT5oBQ740ekTLWMMnKcJV3Ut0QYnaXwiH2dHKtT4OEgRQIYqFlbAimpNPMZOL
-IiBv+v9g71XJ3MrFyJSUo00mryIIIeuVQEWl8zxzsG8sf5usOUDwiJNWPul3fOJL
-Ur+vTmCr7XYuq9kFG4YdJNLPLwDZ68e2u1fEpxpsnBmYFx5VS/WvD+qyuUfkR81h
-HmcDgQJUJgx6Taq0OQJa4KnE4+HWjMd6V6JsDTsfYp4CjASO6HP2bON4zJWyphqL
-cyrHAxiADtfU3RO59+XQ6AhTzhtGpZRgHLqetv40DjGN2lOGOdRk3TbE3/dbDl4W
-f9zaPFGXyTA49iiVMMz2GVWlydpjs9HKsIKwwO7vU/EIi4S/USNJRI9wKUji3qKH
-HO09YNoO0XuWzIpeGwfqbeaQ+SCPRPAMQMM0a2Mt10VzympY6w2kHAVbMV48kJ2i
-AMtkgsxLUFdptDSdGKc/KHkbWRR22YCSSUXr1lxCA3fuCUWkS/2pAGzfbd+sd9BS
-QkAiGVCWeFQML61aaoNxMT2+MbS80zrOWm8fjXblg3wCU6F3+TTmmDUNKI3NFi8z
-4TVeAM0oGqeI+PX4hP7pyBy06dGiWiYEAGMiyno6vRXWJrwTVzI=
-=/DnI
+iQIzBAEBCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmoAZXsACgkQRJMUlPKc
+Z3NxYA//TmgdzpN6Jh8zNCL3cjK9J3IgJWIxgtPnoPDb0GxMt5rSME9uAQLggVut
+310OAJ9CCfVYyCECm9ZpgbaeXPHP02Xx6sccpU7bU3nMa1W+Pu0dea3ToFWGFv5i
+52INS0UGP+R58JJzGlxlwm1oRNXoG3tfJHR7FHof5G0a60jdcxqjW2JfkN4x28kR
+RLXCqCWfJOjVMIVVQLsVmjZQlBkXLuykg2rbocqBu2dNH4nOuekDWFUpLXoGm2Zd
+OhdFmWGIJfLFybPersLBGSO6LJFhzi5KoloeesaCQ26X2ld8R+cu6rKae2f0zDQi
+O63yQIg7Oxr4XUnthziZdYA4karVrUdx97I39xTP9ioYxnEWHSdWk2iwKWsLhrPd
+X9TEcsmTMia0RSNqarNlsnXiloWFIRKuxlEBO1SMHG45Fr5mXsPxFLc81acQlGtl
+Kvwl3O5vxaa8Qd46EtLJXsNQW09tW0j1yM3JyAoLZs69/N8iB5lk74nYT+jZhI0b
+9/+tfHLRoa+ccJdNfCdfWzCTZpFxG0D6ah6SJY8CgMMvITBT5OfYTR4tvSbt1Sa4
+y65YOPB4QabxuaUC6p0JQ57STUX6D8NtvJwpoZUDb6XDovpXsVb3T0di9eKKYQSv
+/TsSRvf57OiCL9u/C5bIV2g0N5pkN9Bsddye0wUqfEdYH/NwXBs=
+=OTzQ
 -----END PGP SIGNATURE-----
@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbTlUACgkQRJMUlPKc
-Z3PY2xAAkSmMipofQkVDE8owIY1VrXGICpFFby7oIzog1oiWrTWlqjGPBwxrLEAa
-W5qXPez0mu9CMs0eGgqHnpUCOR2OJKXzlllSwWcO2Q9Ioi+fSYB//A/+FRK5Jyvf
-P3H6Iq4N4vCbOGS0zHwmlAhTMh1ezKuqnjCrP9z6gvOj6hiiI0DtX2YtYfXml4o8
-Xgvv+w3uReC/Pf7Z7Zia18tWlLIC1DoVC18CmLmnnyqE032Cn8HsE/scboTehgJd
-SKfpztf8/9IjAJpkoeuh3VEXeq5gUjdaW13cBvaPBg798+GsnY7ot7g2PLgnpc7w
-Y1Npg2QZebKE2KHSEGhvIfHeGC6uSEekQnNbck6/ge8ytRzvfzxtTFCMWlGVdgd4
-dFLNajFRt1VOYXMgm7w725cndXYjpvi7zNgGI/kuOQG92hGR8ZaQYYHUTI+B9sr1
-Fit8VmaOsLN7ES8UcNlWeRPHAlvkhdfjltcCSVBziJWGW5rYsuT03X/gbjSiflA5
-kwB/5A2Bf5DHtORbdtx9kfd5yqsnWaLczEKRjyikJqDUXW6CcclbEiucWIgR75cS
-Ee9cf8ILKn/Dr6z+h60y0VQ+1gUcVDnK9yxoqywS5/QoUFXltzu032ZmhyDdgfex
-93NbacgaVtges8t0S0s7PgfzpUSLgNte6aHOYwl5mDAh0zLGpoo=
-=uS3y
-----END PGP SIGNATURE-----
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmn22d8ACgkQRJMUlPKc
+Z3Ndlg//Vj21j/hlAIPD0AOAgYYLvudvR2bA1gJBHrlAQB4FQSWWgW+C0xdHks7X
+YUkKFhLMMP8twemA2EApfMtEp+YayfN/djiwCTfhrCI2ObTZJZU6FwyKiENviKGo
+hH7rFeh1HdSJuU+HExF9bCq+1oGFjhpOKh982R0hasLzKgN2PmF1v/jEqNpibyIc
+o7/7xXFGne39xTrwIuvhjl44iCrIKrcqpObt2cHKRx3D5E1b5nz1JriceCQr4zPa
+tRBXyvl7Ub/N0xZ0K81LA5cDuP2h5H1W1X0BEVTMi+4vIJhaFfOCZhFp9vjlKuuW
+vLhPJWakaLOM2o0PawHW3pVQfq9vOPOGUYcQoSCjgplEsvySbIHS33/nHrPq9ncb
+S6kYQnXtNmWOuWoZfUmGNSBItzd9aOWJ/CukhtovJHRCvM9W68GhR4kqNhZpfvhY
+NL35NC3IydxvzZUZzW6OvaBzGnAVshILyVnlrGkI9ikc8BJUY6GllcMopD5+vCbt
+YYKZhThckaHmtZL4bkyA1v8KN7uVprCKQSgC56lbXD+fr7qM/sjNLmp+UVCnjTuU
+XDFnS7dELDZCXweTmxIowwPetaDtnfBPuYWmGtSezG63Zbsv32/UMAy3YCT7vg/V
+9dzK0h2/EG6GCZ9UfYj/uYCuvb8HhbVji0fMYbzo1eT4NAJwPpY=
+=/+S8
+-----END PGP SIGNATURE-----
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmoAZREACgkQRJMUlPKc
+Z3P87g//ZamgpADh+1CziP9UJ8iiQSi+6lGDcNmkLwNfw1dXA7zAJ2L10uz1We5V
+ercshPNSurf/rYCQJIvav1JE2x4oHXAgnzO1pnrIDriBmCa17EJD2udDHImE1A4K
+KP6JxeaaZTkPYCQftIh3bj7kyJnjpRIptN41GHLeyfQ9bD/ikpGm7uVVqOv1y08O
+Z1pBlZ4IeKrdN7ghHclTTS7+w9nDcYuP62B+KOg7U2oE6+hTfO6PZnHxumUqFlck
+iDEOpdjWixp62ju5ad2o+qWsV4QDg5y/smb51ZDIiFkQh3BJKs6qS83ZNBseGdCX
+vtfKLBSpH/k28WlIwzNq3xiwD7xLR1niX4IrNFUF71eFZhFt6FAMk7oBhSse86qs
+TUUDsssQBAGgNbyRAGSkjBKQ9hdrGXuqV7r8PnDGo+n+EF7pRBJTObM29jshgnjm
+CZ8zMu8LB5cCzWJCXUhNX9HqcW4LIDPGI6v24ychxGqLS5ekKHbv7Pr/xguHyVJq
+U7HXsUtA43HAXnk1RaVYV3I9CzLinJ9Cs3sNBRpcIEKQfpYXTDL58lEg/mJRloqC
+EIBgb9pB8EvFbIz3mbOayvrLnMzmyL1ujsc1CYUcEti1MV6IrgOjGxi/kUrcrZaQ
+1kPA/eRcG1iRpyYk19/cD1JyI477HRnRQDeqMPRO9VTeCMOXO2s=
+=PPW+
+-----END PGP SIGNATURE-----
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V8.13.768.2025.12.06"
+declare -grx VAR_VERSION="Master V9.14.004.2026.05.17"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4
@@ -28,6 +28,7 @@ touch "${LOG_ERROR}" && chmod 0600 "${LOG_ERROR}"

 declare -g  __umask=""
 declare -g  VAR_ARCHITECTURE=""
+declare -g  VAR_DROPBEAR_VERSION="2026.91"
 declare -g  VAR_HANDLER_BUILD_DIR=""
 declare -g  VAR_HANDLER_CDI="false"
 declare -g  VAR_HANDLER_NETCUP_IPV6="false"
@@ -48,14 +49,14 @@ declare -gi VAR_REIONICE_CLASS=2
 declare -gi VAR_REIONICE_PRIORITY=4
 declare -gr VAR_CHROOT_DIR="chroot"
 declare -gr VAR_PACKAGES_FILE="chroot.packages.live"
-declare -gx VAR_AGE="false"
 declare -gx VAR_AGE_KEY=""
+declare -gx VAR_AGE="false"
 declare -gx VAR_CDLB_INSIDE_RUNNER="${VAR_CDLB_INSIDE_RUNNER:-false}"
-declare -gx VAR_LUKS="false"
 declare -gx VAR_LUKS_KEY=""
+declare -gx VAR_LUKS="false"
 declare -gx VAR_SIGNER="false"
-declare -gx VAR_SIGNING_CA=""
 declare -gx VAR_SIGNING_CA_FPR=""
+declare -gx VAR_SIGNING_CA=""
 declare -gx VAR_SIGNING_KEY_FPR=""
 declare -gx VAR_SIGNING_KEY_PASS=""
 declare -gx VAR_SIGNING_KEY_PASSFILE=""
@@ -83,6 +84,7 @@ declare -gir ERR_PASS_LENGH=210 # --root-password-file password MUST be between
 declare -gir ERR_PASS_PLICY=211 # --root-password-file password MUST NOT contain double quotes
 declare -gir ERR__SSH__PORT=212 # --ssh-port MUST be an integer between '1' and '65535'
 declare -gir ERR_ARG_MSMTCH=213 # Wrong Number of optional Arguments provided
+declare -gir ERR_DROPBEAR_V=214 # --dropbear-version MUST match the bundled Dropbear tarball version format
 declare -gir ERR_SECRETSSYM=251 # VAR_TMP_SECRET is a symlink.
 declare -gir ERR_NOTABSPATH=252 # Not an absolute path
 declare -gir ERR_INVLD_CHAR=253 # Invalid Character
Author	SHA256	Message	Date
msw	c80b45417f	V9.14.004.2026.05.17 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-05-17 14:28:12 +01:00
msw	6307bc2b7c	V9.14.002.2026.05.13 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-05-17 13:34:00 +01:00