41 Commits

Author SHA256 Message Date
msw a8454eeadf V9.14.028.2026.06.18
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-18 10:49:41 +01:00
msw f31ac3503f V9.14.026.2026.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-18 06:46:41 +01:00
msw 0f28dad6c2 V9.14.026.2026.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-17 21:55:52 +01:00
msw 784c088c0e V9.14.026.2026.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-17 18:44:12 +01:00
msw 1d130a7027 V9.14.026.2026.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-17 17:14:45 +01:00
msw 7fb6ca2cd2 V9.14.026.2026.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-17 16:31:47 +01:00
msw 009f92aea1 V9.14.026.2026.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-17 15:49:17 +01:00
msw e11b6285ca V9.14.026.2026.06.12
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-12 06:26:46 +01:00
msw b59bca727e V9.14.026.2026.06.12
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-12 05:30:51 +01:00
msw 7bb871e3f7 V9.14.026.2026.06.12
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-12 05:24:03 +01:00
msw 4633ff5ea7 V9.14.026.2026.06.12
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-12 04:52:18 +01:00
msw bd5c7729a2 V9.14.024.2026.06.11
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-11 21:15:37 +01:00
msw 666111df0e V9.14.024.2026.06.11
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-11 20:39:50 +01:00
msw 5cc2110ecb V9.14.024.2026.06.11
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-11 20:14:31 +01:00
msw f6ca83fb26 V9.14.024.2026.06.11
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-11 18:54:19 +01:00
msw ab827e9c05 V9.14.024.2026.06.11
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-11 18:13:13 +01:00
msw b81b9bf836 V9.14.024.2026.06.11
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-11 17:29:59 +01:00
msw 487d2b3ba8 V9.14.024.2026.06.11
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-11 17:12:23 +01:00
msw 97596fbcba V9.14.024.2026.06.11
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-11 17:11:22 +01:00
msw 9ef535554a V9.14.022.2026.06.10
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-10 18:57:46 +01:00
msw 800cd175fc V9.14.022.2026.06.10
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-10 17:57:31 +01:00
msw ae87d7ac54 V9.14.020.2026.06.08
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-09 18:11:15 +01:00
msw 0b1bfe2978 V9.14.020.2026.06.08
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-09 18:07:45 +01:00
msw 314c1178c3 V9.14.020.2026.06.08
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-09 18:04:02 +01:00
msw 9179031a80 V9.14.020.2026.06.08
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-09 16:41:50 +01:00
msw 7956e5861d V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 20:02:23 +01:00
msw 8c37efcff6 V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 19:58:06 +01:00
msw a53d52bf38 V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 17:06:05 +01:00
msw 250f1700cf V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 15:43:24 +01:00
msw 574411d9b0 V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 15:23:19 +01:00
msw a469dbf595 V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 11:44:48 +01:00
msw a37a16d86e V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 11:42:19 +01:00
msw 421589285f V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 10:59:37 +01:00
msw 0a091fb9a6 V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 10:54:44 +01:00
msw 3fc5003676 V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 09:11:26 +01:00
msw 9cdcc0a9ec V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 07:24:22 +01:00
msw 8b6731f1be V9.14.016.2026.06.06
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-06 18:37:43 +01:00
msw fa1a31ef64 V9.14.016.2026.06.06
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-06 15:40:02 +01:00
msw e42fdff89b V9.14.016.2026.06.06
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-06 14:39:12 +01:00
msw 83f6f8488c V9.14.008.2026.06.04
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-04 20:14:02 +01:00
msw ec3aca7fc8 V9.14.008.2026.06.04
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-04 18:19:09 +01:00
166 changed files with 5367 additions and 825 deletions
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then
@@ -107,7 +107,7 @@ options edns0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}" printf "\e[92m✅ '%s' successfully applied. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -46,11 +46,26 @@ Verify_checksums() {
LIVE_VERIFY_CHECKSUMS_SIGNATURES="false" LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
_CHECKSUM_LOG_DIR="${LIVE_VERIFY_CHECKSUMS_LOG_DIR:-/run}"
_KEYFILE="" _KEYFILE=""
_MP="" _MP=""
_MANIFEST_FOUND="false"
_TOOL_FOUND="false"
_VERIFICATION_EXECUTED="false"
_VERIFICATION_SUCCEEDED="false"
_RETURN_PGP=""
_RETURN_SHA=""
### Parse commandline arguments ---------------------------------------------------------------------------------------------- ### Parse commandline arguments ----------------------------------------------------------------------------------------------
# shellcheck disable=SC2154
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in case "${_PARAMETER}" in
@@ -107,6 +122,14 @@ Verify_checksums() {
done done
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ] && [ -z "${_KEYFILE}" ]; then
printf "\e[91m[FATAL] No pinned GPG key file found while checksum signature verification is enabled. \n\e[0m"
sleep 8
panic "No pinned GPG key file found while checksum signature verification is enabled."
fi
# shellcheck disable=SC2164 # shellcheck disable=SC2164
cd "${_MOUNTPOINT}" cd "${_MOUNTPOINT}"
@@ -203,10 +226,14 @@ Verify_checksums() {
if [ -e "${_CHECKSUM}" ]; then if [ -e "${_CHECKSUM}" ]; then
_MANIFEST_FOUND="true"
printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "${_CHECKSUM}" printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "${_CHECKSUM}"
if [ -e "/usr/bin/${_DIGEST}sum" ]; then if [ -e "/usr/bin/${_DIGEST}sum" ]; then
_TOOL_FOUND="true"
printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum" printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum"
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
@@ -234,18 +261,34 @@ Verify_checksums() {
fi fi
# shellcheck disable=SC2312 # shellcheck disable=SC2312
if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then _VERIFICATION_EXECUTED="true"
_CHECKSUM_LOG="${_CHECKSUM_LOG_DIR}/ciss-${_DIGEST}sum-check.log"
if ! grep -v '^#' "${_CHECKSUM}" | grep -q '[^[:space:]]'; then
_RETURN_SHA="254"
: > "${_CHECKSUM_LOG}"
printf "\e[91m[FATAL] Checksum manifest has no checksum entries: [%s] \n\e[0m" "${_CHECKSUM}"
elif grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_CHECKSUM_LOG}" 2>&1; then
_RETURN_SHA="${?}" _RETURN_SHA="${?}"
cat "${_CHECKSUM_LOG}" > "${_TTY}"
printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}" printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
else else
_RETURN_SHA="${?}" _RETURN_SHA="${?}"
cat "${_CHECKSUM_LOG}" > "${_TTY}"
printf "\e[91m[FATAL] Found: [%s] unsuccessful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}" printf "\e[91m[FATAL] Found: [%s] unsuccessful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
fi fi
if { [ "${_RETURN_PGP}" = "0" ] || [ "${_RETURN_PGP}" = "na" ]; } && [ "${_RETURN_SHA}" = "0" ]; then
_VERIFICATION_SUCCEEDED="true"
fi
# Stop after the first verification. # Stop after the first verification.
break 2 break 2
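Review bot: `/usr/bin/"${_DIGEST}"sum -c` is still run without `--strict`, so a manifest holding one well-formed line plus malformed ones exits 0 (GNU coreutils only warns about improperly formatted lines unless `--strict` is given); the new empty-manifest guard catches an all-comment or blank file but not that case. Since the tool is resolved at `/usr/bin/${_DIGEST}sum` rather than a busybox applet, `-c --strict` is available and would close this gap. Minor: `_RETURN_SHA="${?}"` inside the `elif` branch is always `0` and could be written literally, matching the `"254"` sentinel style used just above.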
@@ -265,6 +308,36 @@ Verify_checksums() {
log_end_msg log_end_msg
printf "\n" printf "\n"
if [ "${_MANIFEST_FOUND}" != "true" ]; then
printf "\e[91m[FATAL] No supported checksum manifest found. Checksum verification is fail-closed. \n\e[0m"
sleep 8
panic "No supported checksum manifest found. Checksum verification is fail-closed."
fi
if [ "${_TOOL_FOUND}" != "true" ]; then
printf "\e[91m[FATAL] Checksum manifest found, but no supported checksum tool is available. Checksum verification is fail-closed. \n\e[0m"
sleep 8
panic "Checksum manifest found, but no supported checksum tool is available. Checksum verification is fail-closed."
fi
if [ "${_VERIFICATION_EXECUTED}" != "true" ]; then
printf "\e[91m[FATAL] Checksum verification was not executed. Checksum verification is fail-closed. \n\e[0m"
sleep 8
panic "Checksum verification was not executed. Checksum verification is fail-closed."
fi
if [ "${_VERIFICATION_SUCCEEDED}" != "true" ]; then
printf "\e[91m[FATAL] Checksum verification did not complete successfully. Evaluating fail-closed failure state. \n\e[0m"
fi
case "${_RETURN_PGP},${_RETURN_SHA}" in case "${_RETURN_PGP},${_RETURN_SHA}" in
"0,0") "0,0")
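Review bot: the `_VERIFICATION_SUCCEEDED != true` branch prints a `[FATAL]` line but, unlike the three checks above it, does not `panic`; the actual fail-closed decision is deferred to the `case "${_RETURN_PGP},${_RETURN_SHA}"` that follows. Either make the flag authoritative (`sleep 8` and `panic` here, as in the other branches) or reword the message, so that a `[FATAL]` line on the console always corresponds to a halted boot and the success condition lives in exactly one place.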
@@ -304,6 +377,12 @@ Verify_checksums() {
panic "Verification of checksum file failed." panic "Verification of checksum file failed."
;; ;;
*)
printf "\e[91m[FATAL] Unknown checksum verification state: [%s,%s]. \n\e[0m" "${_RETURN_PGP:-unset}" "${_RETURN_SHA:-unset}"
sleep 8
panic "Unknown checksum verification state. Checksum verification is fail-closed."
;;
esac esac
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
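Review bot: with the `*)` catch-all in place, the `"254"` sentinel introduced by the empty-manifest guard has no arm of its own and ends in "Unknown checksum verification state", after the more specific "Checksum manifest has no checksum entries" line has already scrolled past. Consider an explicit `*,254)` arm that repeats the empty-manifest reason in the `panic` message, keeping `*)` as the last arm for states that are genuinely unknown.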
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -296,7 +296,7 @@ ln -sf /etc/systemd/system/ciss-memwipe.service /etc/systemd/system/multi-user.t
systemctl enable ciss-memwipe.service systemctl enable ciss-memwipe.service
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
mkdir -p /etc/systemd/system/clamav-daemon.service.d mkdir -p /etc/systemd/system/clamav-daemon.service.d
cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf
@@ -69,7 +69,7 @@ CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_NICE
EOF EOF
chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)" declare -r VAR_DATE="$(date +%F)"
@@ -63,7 +63,7 @@ EOF
chmod 0644 /etc/network/interfaces chmod 0644 /etc/network/interfaces
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.004.2026.05.17 # Version Master V9.14.028.2026.06.18
name: 🔐 Generating a Private Live ISO TRIXIE. name: 🔐 Generating a Private Live ISO TRIXIE.
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.004.2026.05.17 # Version Master V9.14.028.2026.06.18
name: 🔐 Generating a Private Live ISO TRIXIE. name: 🔐 Generating a Private Live ISO TRIXIE.
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.004.2026.05.17 # Version Master V9.14.028.2026.06.18
name: 💙 Generating a PUBLIC Live ISO. name: 💙 Generating a PUBLIC Live ISO.
+1 -1
@@ -25,7 +25,7 @@ body:
attributes: attributes:
label: "Version" label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`." description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
placeholder: "e.g., Master V9.14.004.2026.05.17" placeholder: "e.g., Master V9.14.028.2026.06.18"
validations: validations:
required: true required: true
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.004.2026.05.17 # Version Master V9.14.028.2026.06.18
FROM debian:bookworm FROM debian:bookworm
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.004.2026.05.17 # Version Master V9.14.028.2026.06.18
name: 🔁 Render README.md to README.html. name: 🔁 Render README.md to README.html.
@@ -11,5 +11,5 @@
build: build:
counter: 1023 counter: 1023
version: V9.14.004.2026.05.17 version: V9.14.028.2026.06.18
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
+1 -1
@@ -11,5 +11,5 @@
build: build:
counter: 1023 counter: 1023
version: V9.14.004.2026.05.17 version: V9.14.028.2026.06.18
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
+1 -1
@@ -11,5 +11,5 @@
build: build:
counter: 1023 counter: 1023
version: V9.14.004.2026.05.17 version: V9.14.028.2026.06.18
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.004.2026.05.17 # Version Master V9.14.028.2026.06.18
name: 🔐 Generating a Private Live ISO TRIXIE. name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.004.2026.05.17 # Version Master V9.14.028.2026.06.18
name: 🔐 Generating a Private Live ISO TRIXIE. name: 🔐 Generating a Private Live ISO TRIXIE.
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.004.2026.05.17 # Version Master V9.14.028.2026.06.18
name: 💙 Generating a PUBLIC Live ISO. name: 💙 Generating a PUBLIC Live ISO.
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.004.2026.05.17 # Version Master V9.14.028.2026.06.18
# Gitea Workflow: Shell-Script Linting # Gitea Workflow: Shell-Script Linting
# #
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.004.2026.05.17 # Version Master V9.14.028.2026.06.18
name: 🛡️ Retrieve DNSSEC status of coresecret.dev. name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.004.2026.05.17 # Version Master V9.14.028.2026.06.18
name: 🔁 Render Graphviz Diagrams. name: 🔁 Render Graphviz Diagrams.
+6
@@ -16,5 +16,11 @@ target/
*.log *.log
*.ps1 *.ps1
config.mk config.mk
ciss.secureboot/private/*
!ciss.secureboot/private/README.md
ciss.secureboot/manifests/*
!ciss.secureboot/manifests/.gitkeep
ciss.secureboot/uki/*
!ciss.secureboot/uki/.gitkeep
Thumbs.db Thumbs.db
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
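Review bot: the `!ciss.secureboot/private/README.md` re-include only works because the ignore rule is `ciss.secureboot/private/*` rather than `ciss.secureboot/private/` (Git cannot re-include a file whose parent directory is itself excluded), so keep that form if the rule is ever tightened. Given the directory name, this is where signing material will live, and `.gitignore` is a convenience rather than a control: `git add -f` or a file placed one level up still lands in history. Pair it with a repository check, for instance a step in the existing Shell Script Linting workflow, that fails when any tracked path under `ciss.secureboot/private/` other than `README.md` exists.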
+1 -1
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu" properties_SPDX-Security-Contact="security@coresecret.eu"
properties_version="V9.14.004.2026.05.17" properties_version="V9.14.028.2026.06.18"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+91 -52
@@ -1,85 +1,124 @@
# AGENTS.md # AGENTS.md
## Repository purpose ## Purpose
This repository builds and maintains Debian-based live/installer infrastructure. This repository builds and maintains the CISS Debian Live Builder for Debian 13 Trixie.
Treat changes as security-sensitive and boot-chain-sensitive. Treat every change as security-sensitive and boot-chain-sensitive.
Follow `docs/CODING_CONVENTION.md` for coding style and `code_review.md` for reviews.
Persistent coding details live in `docs/CODING_CONVENTION.md`.
Review-only instructions live in `code_review.md`.
## Instruction precedence for this repository
Use this order when instructions differ:
1. The current user task prompt defines the immediate objective and task-specific acceptance criteria.
2. This `AGENTS.md` defines repository-wide constraints and routing guidance.
3. `docs/CODING_CONVENTION.md` defines detailed coding conventions.
4. `code_review.md` applies when performing a review or final self-review.
5. Personal/global Codex instructions apply only where they do not conflict with repository rules.
When in doubt, choose the safer, smaller, more easily reviewable change and explain the uncertainty.
## Non-negotiable constraints ## Non-negotiable constraints
- Target distribution: Debian 13 Trixie unless explicitly stated otherwise. - Target Debian 13 Trixie unless the task explicitly states otherwise.
- Do not introduce Ubuntu-specific assumptions. - Do not introduce Ubuntu-specific assumptions.
- Do not invent live-build, initramfs, cryptsetup, systemd, GRUB, or Debian package behavior. Verify against existing files or - Do not invent live-build, live-boot, initramfs, cryptsetup, systemd, GRUB, Debian package, or upstream tool behavior.
official documentation. - Verify uncertain behavior against existing repository code or authoritative upstream documentation.
- Do not add phase-argument gates to live-boot/initramfs scripts. Script execution is controlled by Debian hook placement. - Do not add phase-argument gates to live-boot or initramfs scripts. Execution phase is controlled by Debian hook placement.
- Preserve encrypted-root / encrypted-SquashFS architecture unless the task explicitly changes it. - Preserve encrypted-root and encrypted-SquashFS architecture unless the task explicitly changes it.
- Prefer simple, inspectable Bash over clever abstractions. - Prefer simple, explicit, inspectable Bash over clever abstraction.
- Do not use `eval`.
- Do not print secrets, private keys, passphrases, tokens, or sensitive environment values.
## Repository workflow ## Repository map
Common areas:
- `ciss_live_builder.sh`, `lib/*.sh`: host-side orchestration and argument handling.
- `makefile`: local wrapper for composing and executing builder invocations.
- `config/hooks/live/*.chroot`: live-build chroot hooks.
- `config/hooks/live/*.binary`: live-build binary-image hooks.
- `config/includes.chroot/etc/initramfs-tools/hooks/*`: initramfs build hooks.
- `config/includes.chroot/etc/initramfs-tools/scripts/*`: initramfs boot scripts.
- `config/includes.chroot/usr/lib/live/boot/*`: live-boot runtime scripts.
- `scripts/*`: helper scripts or files copied into the generated image.
- `docs/*`: project documentation and conventions.
## Working method
Before editing: Before editing:
- Inspect the relevant scripts, hooks, config files, README files, and existing naming conventions.
- Identify the exact boot/build phase affected by the change.
- Explain the minimal intended change.
Boot/build phases: 1. Inspect the relevant scripts, hooks, configuration files, documentation, tests, and naming conventions.
- host-side orchestration: `ciss_live_builder.sh`, `lib/*.sh`, `makefile` 2. Identify the affected build or boot phase.
- live-build hooks: `config/hooks/live/*.chroot` and `config/hooks/live/*.binary` 3. Give a concise implementation plan and list the likely files to touch, unless the change is trivial.
- initramfs hooks/scripts: `config/includes.chroot/etc/initramfs-tools/*`
- live-boot runtime scripts: `config/includes.chroot/usr/lib/live/boot/*` While editing:
- Keep changes minimal and local to the task.
- Preserve existing architecture, naming style, error handling, formatting, and security posture.
- Do not perform unrelated cleanup or formatting churn.
- Reuse existing helper functions for logging, fatal errors, validation, downloads, temporary files, and tool checks where available.
- Do not introduce new runtime dependencies unless technically necessary and justified.
After editing: After editing:
- Run the most relevant available checks.
- At minimum, run syntax checks for changed shell scripts:
- `bash -n <file>`
- `shellcheck <file>` if available
- If POSIX shell scripts are changed, run `sh -n <file>` where Bash syntax is not expected.
- If the make wrapper or builder argument composition changes, run `make dry-run`.
- If Python files are introduced or changed:
- `ruff check`
- `mypy`
- `pytest` if tests exist
- If CLI options or user-facing behavior change, update `usage()` and the relevant README/docs.
- If live-build, initramfs, or ISO behavior changes, describe the required Debian Trixie live-build or ISO validation command.
## Bash conventions - Run only the narrowest checks that prove the change.
- Changed Bash files: run `bash -n <file>` and `shellcheck <file>` if ShellCheck is available.
- Changed POSIX shell files, if any exist and must remain POSIX: run `sh -n <file>`.
- Make wrapper or builder argument-composition changes: run the relevant dry-run or help/parser check, usually `make dry-run` if available.
- Changed Python files: run the repository's relevant Python checks if present.
- CLI or user-facing behavior changes: update `usage()` and relevant documentation.
- Live-build, initramfs, or ISO behavior changes: state the required Debian Trixie validation command. Do not run a full live build unless requested or necessary.
- Use explicit error handling. ## Bash conventions summary
- Quote expansions.
- Prefer arrays where word splitting matters. See `docs/CODING_CONVENTION.md` for detail.
- Avoid `eval`.
- Use Bash for new and modified project scripts unless an existing Debian interface file explicitly requires POSIX shell.
- Prefer `set -Ceuo pipefail` where feasible.
- Use `declare` for variables inside functions.
- Quote expansions unless word splitting or globbing is explicitly required.
- Prefer arrays where argument boundaries matter.
- Use `[[ ... ]]` for Bash conditionals.
- Use `case` for option dispatch and multi-branch string handling.
- Avoid parsing `ls`. - Avoid parsing `ls`.
- Prefer `command -v` over `which`.
- Keep functions small and readable. - Keep functions small and readable.
- Use English comments. - End functions explicitly with `return 0` where consistent with surrounding code.
- Explain security-sensitive fallbacks. - Code comments must be in English.
- Fail closed where possible.
## Python conventions ## Security-sensitive areas
- Use Python 3.14-compatible code unless the project states otherwise.
- Use pathlib.
- Add type hints.
- Keep ruff and mypy compatibility.
- Avoid broad `except Exception` unless justified and logged.
- Prefer explicit models/config objects over unstructured dictionaries for durable interfaces.
## Security review checklist
Before finalizing a change, check whether it affects: Before finalizing a change, check whether it affects:
- boot trust - boot trust
- initramfs behavior - initramfs behavior
- live-boot runtime behavior
- cryptsetup/LUKS handling - cryptsetup/LUKS handling
- encrypted SquashFS handling
- key material - key material
- remote unlock - remote unlock
- TLS/mTLS verification - TLS, mTLS, signature, checksum, or provenance verification
- signature/hash verification - package sources or remote downloads
- network exposure - network exposure
- file permissions - file permissions
- persistence - persistence
- logging of sensitive values - logging of sensitive values
If affected, document the risk and mitigation in the final response. If affected, document the concrete risk and mitigation in the final response.
## Final response
Return a concise implementation report:
- changed files
- what changed
- checks run and result
- real remaining risks or follow-up steps
Do not claim success for checks that were not run.
--- ---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)** **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
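Review bot: the verification checklist runs `shellcheck <file>` only for Bash files and just `sh -n <file>` for scripts that must stay POSIX; `sh -n` only reports syntax errors for whatever `/bin/sh` is on the host and happily parses bashisms such as `[[ ... ]]` as ordinary commands. Add `shellcheck -s sh <file>` to the POSIX branch of the checklist so those files get the same bashism and quoting checks the Bash files get.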
+1 -1
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder PackageName: CISS.debian.live.builder
PackageVersion: Master V9.14.004.2026.05.17 PackageVersion: Master V9.14.028.2026.06.18
PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
+80 -24
@@ -2,7 +2,7 @@
gitea: none gitea: none
include_toc: true include_toc: true
--- ---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.004.2026.05.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) [![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.028.2026.06.18-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
&nbsp; &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -12,9 +12,9 @@ include_toc: true
[![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html) [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
&nbsp; &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.26.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.26.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Runner-1.0.3-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Runner-1.0.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2026.1.1-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2026.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.11-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.12-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br> **Master Version**: 9.14<br>
**Build**: V9.14.004.2026.05.17<br> **Build**: V9.14.028.2026.06.18<br>
**CISS.debian.live.builder — First of its own.**<br> **CISS.debian.live.builder — First of its own.**<br>
**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.** **World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -46,9 +46,10 @@ Beyond a conventional live system, **CISS.debian.live.builder** assembles a **fu
in a single, deterministic build step: a LUKS2 container backed by `dm-integrity` hosting the SquashFS root filesystem, combined in a single, deterministic build step: a LUKS2 container backed by `dm-integrity` hosting the SquashFS root filesystem, combined
with a hardened initramfs chain including a dedicated Dropbear build pipeline for remote LUKS unlock. The resulting ISO ships with a hardened initramfs chain including a dedicated Dropbear build pipeline for remote LUKS unlock. The resulting ISO ships
with a hardened kernel configuration, strict sysctl and network tuning, pre-configured SSH hardening and fail2ban, and a with a hardened kernel configuration, strict sysctl and network tuning, pre-configured SSH hardening and fail2ban, and a
customised `verify-checksums` path providing both ISO-edge verification and runtime attestation of the live root. All components customised `verify-checksums` path providing fail-closed mounted-medium verification plus runtime attestation of the exact
are aligned with the `CISS.debian.installer` baseline, ensuring a unified cryptographic and security posture from first boot to final SquashFS payload bytes selected for the encrypted live root. All components are aligned with the `CISS.debian.installer`
an installed system. For an overview of the entire build process, see: baseline, ensuring a unified cryptographic and security posture from first boot to an installed system. For an overview of the
entire build process, see:
**[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)** **[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**
When built with the ``--dhcp-centurion`` profile, the live system ships with a strict network and resolver policy: When built with the ``--dhcp-centurion`` profile, the live system ships with a strict network and resolver policy:
@@ -60,12 +61,17 @@ and spoofing surfaces.
Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
(`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command (`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure line. The secret root must be an existing `root:root` tmpfs or ramfs directory with `0700` permissions and no symlinks or
that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and special files below it. Filename-only secret arguments are rejected when they contain path separators, traversal names, shell
transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are metacharacters, or unsafe leading dashes. Critical code paths temporarily disable Bash xtrace so that credentials never leak
wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the into debug logs; the final exact-value sanitization pass runs only after xtrace has been stopped and its debug file descriptor
encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via has been closed, then redacts still-known secret values from debug, variable, and error logs as defense in depth. Transient
named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings. secret files are shredded (`shred -fzu`) as soon as they are no longer needed; this is best-effort on SSD/NVMe media, so the
architecture relies primarily on tmpfs for secret staging. GNUPG homes used for signing are wiped,
unencrypted chroot artifacts and includes are removed after `lb build`, and cleanup is intentionally destructive only inside
the exact build directory carrying the `.ciss-live-builder-owned` marker. At runtime, LUKS passphrases in the live ISO and
installer are transported via named pipes inside the initramfs instead of process arguments, further minimizing exposure in
process listings.
Check out more leading world-class services powered by Centurion Intelligence Consulting Agency: Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
* [CenturionDNS Resolver](https://eddns.eu/) * [CenturionDNS Resolver](https://eddns.eu/)
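Review bot: the new paragraph says secret staging relies primarily on tmpfs because `shred -fzu` is best-effort on SSD/NVMe, but tmpfs pages, `/dev/shm/cdlb_secrets` included, are swappable, so the same plaintext can still reach persistent media through swap. State the host requirement this assumes (no swap, or encrypted swap only), and say whether the builder checks `/proc/swaps` and fails closed when an unencrypted swap device is active, since the paragraph presents tmpfs as the primary protection.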
@@ -123,7 +129,7 @@ lockstep avoids those mismatches and gives me predictable artifacts across build
The live ISO acts as a sealed, immutable execution environment. All relevant configuration, all installation logic, and all The live ISO acts as a sealed, immutable execution environment. All relevant configuration, all installation logic, and all
security decisions are rendered into the image at build time and treated as read-only at runtime. On top of that logical security decisions are rendered into the image at build time and treated as read-only at runtime. On top of that logical
immutability, I now layer cryptographic protection of the live root file system itself. The live image contains a LUKS2 container immutability, I now layer cryptographic protection of the live root file system itself. The live image contains a LUKS2 container
file with dm-integrity that wraps the SquashFS payload. The initramfs knows how to locate this container, unlock it, verify its file with dm-integrity that wraps the SquashFS payload. The initramfs knows how to locate this container, unlock it, verify its
integrity, and then present the decrypted SquashFS as the root component of an OverlayFS stack. The detailed boot and integrity, and then present the decrypted SquashFS as the root component of an OverlayFS stack. The detailed boot and
verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**<br> verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**<br>
@@ -131,7 +137,7 @@ verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_
In compact form, my expectations for the system are:<br> In compact form, my expectations for the system are:<br>
* Every bit that matters for boot and provisioning is covered by checksums that I control and that are signed with keys under my solely authoritative HSM. * Every bit that matters for boot and provisioning is covered by checksums that I control and that are signed with keys under my solely authoritative HSM.
* The live root runs out of a LUKS2 dm-integrity container so that a tampered or bit-rotted SquashFS never becomes a trusted root. * The live root runs out of a LUKS2 dm-integrity container, and the final SquashFS byte stream copied into the decrypted mapper is verified against a signed rootfs attestation manifest, so a tampered or bit-rotted SquashFS never becomes a trusted root. During boot, `0024-ciss-crypt-squash` copies `/live/filesystem.squashfs.sha512sum.txt[.sig]` from the real ISO medium to `/run/ciss-rootfs-attestation/`; `0042_ciss_post_decrypt_attest` then verifies that cached manifest/signature pair against `/etc/ciss/keys/<FPR>.gpg` and the exact bytes read from `/dev/mapper/crypt_liveiso`.
* Verification steps are not advisory. Any anomaly causes a hard abort during boot. * Verification steps are not advisory. Any anomaly causes a hard abort during boot.
* After the live environment has reached a stable, verified state, it can hand off to ``CISS.debian.installer``. The installer operates from the same image, does not pull random payloads from the internet, and keeps the target system behind a hardened firewall until the entire provisioning process has completed. * After the live environment has reached a stable, verified state, it can hand off to ``CISS.debian.installer``. The installer operates from the same image, does not pull random payloads from the internet, and keeps the target system behind a hardened firewall until the entire provisioning process has completed.
* For unattended, headless scenarios I also support builds where the target system is installed without ever exposing a shell over the console. After installation and reboot, the machine waits for a decryption passphrase via an embedded Dropbear SSH instance in the initramfs, limited to public key authentication and guarded by strict cryptographic policies. In such variants even ``/boot`` can be encrypted, with GRUB taking care of unlocking the boot partition. * For unattended, headless scenarios I also support builds where the target system is installed without ever exposing a shell over the console. After installation and reboot, the machine waits for a decryption passphrase via an embedded Dropbear SSH instance in the initramfs, limited to public key authentication and guarded by strict cryptographic policies. In such variants even ``/boot`` can be encrypted, with GRUB taking care of unlocking the boot partition.
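Review bot: the expanded attestation bullet leaves open where `/etc/ciss/keys/<FPR>.gpg` is read from. If `0042_ciss_post_decrypt_attest` took the key from the decrypted SquashFS it is about to attest, the check would be circular, so state explicitly that the key is carried in the initramfs (or another component verified earlier in the chain) and never read from `/dev/mapper/crypt_liveiso`; one clause, e.g. "verifies ... against the key embedded in the initramfs at `/etc/ciss/keys/<FPR>.gpg`", would settle it.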
@@ -175,7 +181,7 @@ installer toolchain.
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
Example: `V9.14.004.2026.05.17` Example: `V9.14.028.2026.06.18`
`x.y.z` represents major (x), minor (y), and patch (z) version increments. `x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -237,7 +243,7 @@ deliberate design decision.
### 2.1.2. CPU Vulnerability Mitigations ### 2.1.2. CPU Vulnerability Mitigations
I build the kernels with the relevant mitigations for Spectre, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. I build the kernels with the relevant mitigations for Specter, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated.
The ``mitigations=auto,nosmt`` flag ensures that new mitigations integrated into the mainline kernel become effective as they The ``mitigations=auto,nosmt`` flag ensures that new mitigations integrated into the mainline kernel become effective as they
are added, instead of requiring that I micromanage every single toggle. The residual performance cost is acceptable in the are added, instead of requiring that I micromanage every single toggle. The residual performance cost is acceptable in the
context I am targeting; stale mitigations can be revisited, but missing mitigations will not be. context I am targeting; stale mitigations can be revisited, but missing mitigations will not be.
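Review bot: the new column changes "Spectre" to "Specter" in the CPU mitigation list; the vulnerability family is spelled "Spectre", matching the kernel's `spectre_v2=` parameter and the `/sys/devices/system/cpu/vulnerabilities/spectre_v1` entries, so restore the original spelling.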
@@ -365,6 +371,11 @@ For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-cis
## 2.9. UFW Hardening ## 2.9. UFW Hardening
* **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports. * **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports.
* **Primordial SSH exception**: `--primordial-url <https-git-url>`, `--primordial-key <ssh-identity-filename>` and
`--primordial-ssh <port>` configure the CDI Primordial overlay clone. `--primordial-ssh` also adds an outgoing-only UFW TCP
exception for a bootstrap/recovery SSH port when the live system's UFW outgoing policy is `deny`. It adds no incoming firewall
rule and does not replace `--ssh-port`. If the requested port already matches an existing outgoing SSH exception, the current
hook still emits the requested labeled rule because this repository has no separate UFW rule deduplication layer.
* **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after * **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after
deployment. deployment.
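Review bot: the `--primordial-ssh` bullet describes the outgoing-only UFW TCP exception by port alone, which as written allows egress on that port to any destination rather than only to the Primordial overlay host. Document whether the hook scopes the rule to the host taken from `--primordial-url` (`ufw allow out to <host> port <port> proto tcp`) and, if it does not, say so plainly, because a port-only egress exception widens the default-deny outgoing policy this section relies on; the note about duplicate labeled rules should also say that the duplicates are harmless rather than leaving the reader to guess.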
@@ -488,10 +499,13 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
2. Preparation: 2. Preparation:
1. Ensure you are root. 1. Ensure you are root.
2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`. 2. Create the build directory `install -d -m 0755 -o root -g root /opt/cdlb` and the tmpfs secrets directory
`install -d -m 0700 -o root -g root /dev/shm/cdlb_secrets`.
3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory. 3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory. 4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
5. Make any other changes you need to. 5. Keep files below `/dev/shm/cdlb_secrets` as regular, non-symlink files owned by `root:root`; the builder normalizes them
to `0400` before use.
6. Make any other changes you need to.
3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example): 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
@@ -500,7 +514,7 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
timestamp=$(date -u +%Y-%m-%dT%H:%M:%S%z) timestamp=$(date -u +%Y-%m-%dT%H:%M:%S%z)
./ciss_live_builder.sh \ ./ciss_live_builder.sh \
--architecture amd64 \ --architecture amd64 \
--autobuild=6.16.3+deb13-amd64 \ --autobuild=7.0.10+deb13-amd64 \
--build-directory /opt/cdlb \ --build-directory /opt/cdlb \
--cdi \ --cdi \
--change-splash hexagon \ --change-splash hexagon \
@@ -514,15 +528,25 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
--reionice-priority 1 2 \ --reionice-priority 1 2 \
--renice-priority "-19" \ --renice-priority "-19" \
--root-password-file /dev/shm/cdlb_secrets/password.txt \ --root-password-file /dev/shm/cdlb_secrets/password.txt \
--secure-boot-profile debian-shim \
--sops-version 3.13.1 \
--signing_key_fpr=98089A472CCF4601CD51D7C7095D36535296EA14B8DE92198723C4DC606E8F76 \ --signing_key_fpr=98089A472CCF4601CD51D7C7095D36535296EA14B8DE92198723C4DC606E8F76 \
--signing_key_pass=signing_key_pass.txt \ --signing_key_pass=signing_key_pass.txt \
--signing_key=signing_key.asc \ --signing_key=signing_key.asc \
--ssh-port 4242 \ --ssh-port 4242 \
--primordial-key SSH-key-filename-for-Primordial-overlay-clone \
--primordial-ssh SSH-port-for-Primordial-overlay-clone \
--primordial-url URL-to-Primordial-overlay-clone \
--ssh-pubkey /dev/shm/cdlb_secrets \ --ssh-pubkey /dev/shm/cdlb_secrets \
--sshfp \ --sshfp \
--trixie --trixie
```` ````
`--sops-version` selects the upstream SOPS release installed into the live system. If omitted, the builder uses
`VAR_SOPS_VERSION` from `var/global.var.sh`. The SOPS hook verifies the upstream checksums file with Cosign and supports
both the newer Sigstore bundle asset, and the legacy-split certificate/signature assets before checking the downloaded
SOPS binary with `sha256sum -c --ignore-missing`.
4. Locate your ISO in the `--build-directory`. 4. Locate your ISO in the `--build-directory`.
5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel. 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
6. Type `sysp` for the final kernel hardening features. 6. Type `sysp` for the final kernel hardening features.
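Review bot: the SOPS paragraph says the hook verifies the upstream checksums file with Cosign but not against which identity. For keyless Sigstore verification `cosign verify-blob` (2.x) requires `--certificate-identity` or `--certificate-identity-regexp` together with `--certificate-oidc-issuer`, and what the check proves depends entirely on those values, so name the pinned identity and issuer here and state that the bundle path and the legacy-split certificate/signature path pin the same values before `sha256sum -c --ignore-missing` is run.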
@@ -544,10 +568,13 @@ preview it or run it.
2. Preparation: 2. Preparation:
1. Ensure you are root. 1. Ensure you are root.
2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`. 2. Create the build directory `install -d -m 0755 -o root -g root /opt/cdlb` and the tmpfs secrets directory
`install -d -m 0700 -o root -g root /dev/shm/cdlb_secrets`.
3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory. 3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory. 4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
5. Copy and edit the sample and set your options (no spaces around commas in lists): 5. Keep files below `/dev/shm/cdlb_secrets` as regular, non-symlink files owned by `root:root`; the builder normalizes them
to `0400` before use.
6. Copy and edit the sample and set your options (no spaces around commas in lists):
````bash ````bash
cp config.mk.sample config.mk cp config.mk.sample config.mk
@@ -556,10 +583,15 @@ preview it or run it.
````bash ````bash
BUILD_DIR=/opt/cdlb BUILD_DIR=/opt/cdlb
ROOT_PASSWORD_FILE=/dev/shm/cdlb_secrets/password.txt ROOT_PASSWORD_FILE=/dev/shm/cdlb_secrets/password.txt
SECURE_BOOT_PROFILE=debian-shim
SOPS_VERSION=3.13.1
SSH_PORT=4242 SSH_PORT=4242
SSH_PUBKEY=/dev/shm/cdlb_secrets SSH_PUBKEY=/dev/shm/cdlb_secrets
# Optional # Optional
PRIMORDIAL_KEY=SSH-key-filename-for-Primordial-overlay-clone
PRIMORDIAL_SSH_PORT=SSH-port-for-Primordial-overlay-clone
PRIMORDIAL_URL=URL-to-Primordial-overlay-clone
PROVIDER_NETCUP_IPV6=2001:cdb::1 PROVIDER_NETCUP_IPV6=2001:cdb::1
# comma-separated; IPv6 in [] is fine # comma-separated; IPv6 in [] is fine
JUMP_HOSTS=[2001:db8::1],[2001:db8::2] JUMP_HOSTS=[2001:db8::1],[2001:db8::2]
@@ -569,7 +601,31 @@ preview it or run it.
4. Execute the build: ````make live```` 4. Execute the build: ````make live````
## 5.3. CI/CD Gitea Runner Workflow Example ## 5.3. Secure Boot Profiles
The default build profile is ``--secure-boot-profile debian-shim``. It keeps the ISO broadly portable: ``lb config`` uses an
``iso-hybrid`` image with both ``grub-pc`` and ``grub-efi`` bootloaders, and UEFI Secure Boot remains delegated to live-build's
standard Microsoft-signed Debian shim plus Debian-signed GRUB path.
The custom profile is ``--secure-boot-profile ciss-uki``. It is intended for amd64 systems whose firmware trusts the CISS Secure
Boot key material through the platform Secure Boot database, or a custom PK/KEK/db model. In this profile a late binary hook
builds a Unified Kernel Image from the final ``binary/live/vmlinuz-*`` and ``binary/live/initrd.img-*`` artifacts, signs it with
``ciss.secureboot/private/ciss-efi-image.key`` and ``ciss.secureboot/public/ciss-efi-image.crt``, rebuilds
``binary/boot/grub/efi.img``, installs the signed UKI as ``EFI/BOOT/BOOTX64.EFI``, and mirrors it into the ISO EFI tree when
live-build created one.
Required files for ``ciss-uki``:
````text
ciss.secureboot/private/ciss-efi-image.key
ciss.secureboot/public/ciss-efi-image.crt
````
The private directory is ignored by Git. The hooks fail if the CISS EFI image signing key or module signing key appears below
``binary/``, ``chroot/`` or ``config/includes.*``. Build-time UKI manifests are written below the build directory in
``ciss.secureboot/manifests`` and can be checked with ``ukify inspect`` and ``sbverify``.
## 5.4. CI/CD Gitea Runner Workflow Example
1. Clone the repository: 1. Clone the repository:
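Review bot: the Secure Boot Profiles section does not say what `ciss-uki` does with the kernel command line or with the GRUB fallback. A UKI carries its command line in its `.cmdline` section, so hardened parameters this README relies on, such as `mitigations=auto,nosmt`, become fixed at build time and cannot be edited at a boot prompt; say whether that is intended. Also state whether the rebuilt `binary/boot/grub/efi.img` still carries the signed-GRUB path as a fallback after the UKI is installed as `EFI/BOOT/BOOTX64.EFI`, since dropping it changes recovery options on firmware that does not trust the CISS certificate.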
+2 -2
@@ -8,13 +8,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br> **Master Version**: 9.14<br>
**Build**: V9.14.004.2026.05.17<br> **Build**: V9.14.028.2026.06.18<br>
# 2. Repository Structure # 2. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder
**Branch:** `master` **Branch:** `master`
**Repository State:** Master Version **9.14**, Build **V9.14.004.2026.05.17** (as of 2025-10-11) **Repository State:** Master Version **9.14**, Build **V9.14.028.2026.06.18** (as of 2025-10-11)
## 3.1. Top-Level Layout ## 3.1. Top-Level Layout
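Review bot: the "Repository State" line updates the build string to `V9.14.028.2026.06.18` but keeps "(as of 2025-10-11)", a date that now predates the build date encoded in the string by eight months; update the stamp together with the build string, or derive both from one source so they cannot drift apart again.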
+33
@@ -0,0 +1,33 @@
.-=+*###%%###*+=-:.
:=*%%@@@@@@@@@@@@@@@@@%#*-.
:+%@@@@%%%%@@@@@@@@%%%%%%@@@@@%*:
-#@@@%%%%@@@@%#****#%%@@@%%@@%#+=-:.
.#@@%%%%%@@#+:..:::-::::-=#@@%=.
-%@%%%%%%@#: .=*%@@@@@@%#+-.:=
=@%%%%%%%@= .*@@@@%%%%%%%@@@%=
:@%%%%%%%@+ :%@%%%%%%%%%%%%%%@@#%+
#%%%%%%%%% #@%%%%%%%%%%%%%%%%%@@%.
-@%%%%%%%@# %%%%%%%%%%%%%%%%%@@@%@*
*%%%%%%%%@% *@%%%%%%%%%%%%%%%#*#%%@:
*@%%%%%%%%@- :@%%%%%%%%%%%%%%%%- ..
*%%%%%%%%%%#. +@%%%%%%%%%%%%%%@@*.
-@%%%%%%%%%@- #%%%%%%%%@@@@@%%%@@%%%+
%%%%%%%%%%: -@%%%%%@@%**#%@%%%%@%@%
-@%%%%%%@+ :@%%%@@*: =@%%%%%%:
+@%%%%%@. +@%%@#: #@%%%@-
*@%%@@= :%%@@+ *%%%@#
=@%#- :%@@#- :@@%%%-
.. =@%*- .+#%@%.
:+-. .=*
____ ___ ____ ____ _ _ _ _ _ _ _ _ _
/ ___|_ _/ ___/ ___| __| | ___| |__ (_) __ _ _ __ | (_)_ _____ | |__ _ _(_) | __| | ___ _ __
| | | |\___ \___ \ / _` |/ _ \ '_ \| |/ _` | '_ \ | | \ \ / / _ \ | '_ \| | | | | |/ _` |/ _ \ '__|
| |___ | | ___) |__) | (_| | __/ |_) | | (_| | | | |_| | |\ V / __/_| |_) | |_| | | | (_| | __/ |
\____|___|____/____(_)__,_|\___|_.__/|_|\__,_|_| |_(_)_|_| \_/ \___(_)_.__/ \__,_|_|_|\__,_|\___|_|
Debian Trixie | Hardened Live ISO Builder | Encrypted Root Path | Verified Boot Chain | LUKS Integrity
Preparing Builder...
Please wait...
+37
@@ -0,0 +1,37 @@
.:-=++***#####***+==-:.
.-=*#%%@@@@@@@@@@@@@@@@@@@@@%%#*=-.
.=*#@@@@@@@%%%%%%%%%%%%%%%%%%%%%@@@@@@@%*=:
:+#@@@@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@%*=.
.+#@@@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@#=:
:*%@@%%%%%%%%%%%%%%%%@@@@@@@@@@@@@%%%%%%%%%%%%%%%%@@@@%%%*=
:*@@%%%%%%%%%%%%%%@@@@@%%#*******#%%@@@@%%%%%%%%%@@%#+-:.
.+@@%%%%%%%%%%%%%%@@%#+-. .-+#%@@%%%%@@#=.
-%@%%%%%%%%%%%%%@@%*-. :-+**####**+-: .-*%@@@*:
+@@%%%%%%%%%%%%%@%+. :+#%@@@@@@@@@@@@@@%#+: .+#:
*@%%%%%%%%%%%%%%@*. =#@@@@%%%%%%%%%%%%%%@@@@#-
*@%%%%%%%%%%%%%%@- -%@@%%%%%%%%%%%%%%%%%%%%%%@@#-
+@%%%%%%%%%%%%%%@- +@@%%%%%%%%%%%%%%%%%%%%%%%%%%@@+-*#
-@%%%%%%%%%%%%%%@+ +@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@-
%%%%%%%%%%%%%%%%% :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-@%%%%%%%%%%%%%%@* +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@=
#%%%%%%%%%%%%%%%@= *@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
.%%%%%%%%%%%%%%%%@+ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@%%%%%%%=
-@%%%%%%%%%%%%%%%@* :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@@@@@.
=@%%%%%%%%%%%%%%%%%. #@%%%%%%%%%%%%%%%%%%%%%%%%%%%*..:--==+*-
=@%%%%%%%%%%%%%%%%@= :@%%%%%%%%%%%%%%%%%%%%%%%%%%%@#:
=@%%%%%%%%%%%%%%%%%%. +@%%%%%%%%%%%%%%%%%%%%%%%%%%%@@+
:@%%%%%%%%%%%%%%%%%@# #%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@#::::.
%@%%%%%%%%%%%%%%%%%@= :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@@@%#:
*%%%%%%%%%%%%%%%%%%- *@%%%%%%%%%%%%%%%@@@@%%%%%%%%%%%%%%%@@@.
:@%%%%%%%%%%%%%%%@- -@%%%%%%%%%%%%@@@%%%%%@@%%%%%%%%%%%%%%%.
*@%%%%%%%%%%%%%@+ .%%%%%%%%%%%@@*=:. .-*@%%%%%%%%%%%%@=
.%%%%%%%%%%%%%%%. .%%%%%%%%%@@*: :%%%%%%%%%%%@+
=@%%%%%%%%%%%@* -@%%%%%%%@#: =@%%%%%%%%@*
+@%%%%%%%%%%@. *@%%%%%@@+ .@%%%%%%%%%.
*@%%%%%%%%@+ -@%%%%%@%- .@%%%%%%%@=
+@%%%%%@@* :%%%%%@@*. -@%%%%%%%%
=@@@@@#- :%%%%@@%- #%%%%%%%@+
:#*+: :%%%@@%+ -@@@%%%%%@:
=@@@@#=. :+#@@@@%%.
.*%#*=. .=*%@%
::. .-+
+1
@@ -0,0 +1 @@
+26
View File
@@ -0,0 +1,26 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. CISS Secure Boot Private Material
This directory is intentionally ignored except for this README.
On the air-gapped build host, place the private EFI image signing key here:
* `ciss-efi-image.key`
Do not commit private keys. The custom UKI hooks fail if this key is copied into `binary/`, `chroot/`, or
`config/includes.*`.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
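Review bot: the README says where `ciss-efi-image.key` must be placed but not the ownership and mode the build expects, nor what the `ciss-uki` profile does when the key is absent. Since the main script hardens `${VAR_TMP_SECRET}` with `chown root:root`, state the expected owner and a restrictive mode (e.g. `root:root`, `0600`) so an operator can verify the key file before a build, and say explicitly whether a missing key fails the build closed or falls back to the `debian-shim` profile.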
+26
View File
@@ -0,0 +1,26 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. CISS Secure Boot Public Material
Place public CISS Secure Boot certificates here on the air-gapped build host.
Expected file for the `ciss-uki` build profile:
* `ciss-efi-image.crt`
Public CA and module-signing certificates may also live here, for example `ciss-secureboot-ca.crt` and
`ciss-module-signing.crt`, but they are not copied into the ISO by the current UKI hooks.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
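Review bot: the last paragraph documents `ciss-secureboot-ca.crt` and `ciss-module-signing.crt` as files that "may also live here" while in the same sentence saying no current UKI hook consumes them. A documented input that nothing reads invites the assumption that CA enrolment or module signing is happening; either name the step that consumes these certificates or drop the mention until a hook actually uses them.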
+1
View File
@@ -0,0 +1 @@
+42 -4
View File
@@ -41,6 +41,8 @@ declare -grx VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)" # '/roo
declare -grx VAR_TMP_SECRET="/dev/shm/cdlb_secrets" # Fixed tmpfs path to store securely build artifacts. declare -grx VAR_TMP_SECRET="/dev/shm/cdlb_secrets" # Fixed tmpfs path to store securely build artifacts.
declare -grx VAR_WORKDIR="$(dirname "${VAR_SETUP_FULL}")" # '/root/git/CISS.debian.live.builder' declare -grx VAR_WORKDIR="$(dirname "${VAR_SETUP_FULL}")" # '/root/git/CISS.debian.live.builder'
clear
### PRELIMINARY CHECKS. ### PRELIMINARY CHECKS.
### No ash, dash, ksh, sh. ### No ash, dash, ksh, sh.
# shellcheck disable=SC2292 # shellcheck disable=SC2292
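Review bot: the new unconditional `clear` runs before the shell checks and before the `--contact`/`--help`/`--version` handlers, so every invocation, including `--help` and unattended runs whose output is captured to a log, first emits a terminal-clear sequence into that output. Guard it with a tty test and move it below the option handlers, e.g. `[[ -t 1 ]] && clear`.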
@@ -111,11 +113,16 @@ source_guard "./var/bash.var.sh"
### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG. ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG.
for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh ; contact; exit 0;; esac; done for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh ; contact; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh ; usage ; exit 0;; esac; done for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh ; usage ; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -l|--logo) . ./lib/lib_logo.sh ; logo ; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh ; version; exit 0;; esac; done for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh ; version; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
### ALL CHECKS DONE. READY TO START THE SCRIPT. ### ALL CHECKS DONE. READY TO START THE SCRIPT.
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" printf '\033[95m'
cat bootscreen.txt
printf '\033[0m\n'
sleep 4
printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare -grx VAR_SETUP="true" declare -grx VAR_SETUP="true"
### SECURING SECRETS ARTIFACTS. ### SECURING SECRETS ARTIFACTS.
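Review bot: `cat bootscreen.txt` and `sleep 4` run unconditionally at every start. The relative path depends on the current working directory, and a missing or relocated `bootscreen.txt` turns a cosmetic banner into a startup failure; the four-second pause also lands in unattended runs, since arguments (and therefore the autobuild mode) are not parsed yet at this point. Resolve the file against `${VAR_SETUP_PATH}`, tolerate its absence (`[[ -r "${VAR_SETUP_PATH}/bootscreen.txt" ]] && cat ...`), and skip both the banner and the sleep when stdout is not a terminal.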
@@ -137,6 +144,7 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
[[ "${VAR_SETUP}" == true ]] && { [[ "${VAR_SETUP}" == true ]] && {
source_guard "./lib/lib_arg_parser.sh" source_guard "./lib/lib_arg_parser.sh"
source_guard "./lib/lib_arg_priority_check.sh" source_guard "./lib/lib_arg_priority_check.sh"
source_guard "./lib/lib_build_dir_safety.sh"
source_guard "./lib/lib_boot_screen.sh" source_guard "./lib/lib_boot_screen.sh"
source_guard "./lib/lib_cdi.sh" source_guard "./lib/lib_cdi.sh"
source_guard "./lib/lib_change_splash.sh" source_guard "./lib/lib_change_splash.sh"
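Review bot: `lib_build_dir_safety.sh` is inserted before `lib_boot_screen.sh`, which breaks the alphabetical order the `source_guard` list otherwise keeps (`boot` sorts before `build`). Move it one line down unless `lib_boot_screen.sh` depends on it, in which case say so in a comment next to the line.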
@@ -154,6 +162,7 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
source_guard "./lib/lib_clean_screen.sh" source_guard "./lib/lib_clean_screen.sh"
source_guard "./lib/lib_clean_up.sh" source_guard "./lib/lib_clean_up.sh"
source_guard "./lib/lib_copy_integrity.sh" source_guard "./lib/lib_copy_integrity.sh"
source_guard "./lib/lib_debug_sanitize.sh"
source_guard "./lib/lib_gnupg.sh" source_guard "./lib/lib_gnupg.sh"
source_guard "./lib/lib_hardening_root_pw.sh" source_guard "./lib/lib_hardening_root_pw.sh"
source_guard "./lib/lib_hardening_ssh_tcp.sh" source_guard "./lib/lib_hardening_ssh_tcp.sh"
@@ -167,6 +176,8 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
source_guard "./lib/lib_provider_netcup.sh" source_guard "./lib/lib_provider_netcup.sh"
source_guard "./lib/lib_run_analysis.sh" source_guard "./lib/lib_run_analysis.sh"
source_guard "./lib/lib_sanitizer.sh" source_guard "./lib/lib_sanitizer.sh"
source_guard "./lib/lib_secret_validation.sh"
source_guard "./lib/lib_secureboot_profile.sh"
source_guard "./lib/lib_trap_on_err.sh" source_guard "./lib/lib_trap_on_err.sh"
source_guard "./lib/lib_trap_on_exit.sh" source_guard "./lib/lib_trap_on_exit.sh"
source_guard "./lib/lib_update_microcode.sh" source_guard "./lib/lib_update_microcode.sh"
@@ -198,8 +209,30 @@ if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
### Updating Status of Dialog Gauge Bar. ### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nValidating secrets artifacts ... \nXXX\n20\n" >&3; fi
### Following the CISS Bash naming and ordering scheme: validate_secret_root "${VAR_TMP_SECRET}"
harden_secret_root_files "${VAR_TMP_SECRET}"
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nPre-Scan Secure-Boot ... \nXXX\n30\n" >&3; fi
### PRE-SCAN SECURE BOOT PROFILE FOR BUILD-HOST PACKAGE CHECKS.
### Formal validation still happens in arg_parser().
for ((idx=0; idx<${#ARY_PARAM_ARRAY[@]}; idx++)); do
case "${ARY_PARAM_ARRAY[idx],,}" in
--secure-boot-profile=*)
declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx]#*=}"
;;
--secure-boot-profile)
if [[ -n "${ARY_PARAM_ARRAY[idx + 1]:-}" ]]; then
declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx + 1]}"
fi
;;
esac
done
unset idx
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nTraps active ... \nXXX\n50\n" >&3; fi
trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
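Review bot: `validate_secret_root "${VAR_TMP_SECRET}"` and `harden_secret_root_files "${VAR_TMP_SECRET}"` now run before the `EXIT` and `ERR` traps at the end of this hunk are installed, so a validation failure exits without `trap_on_exit` cleanup and can leave `${VAR_TMP_SECRET}` populated on the tmpfs. Install the traps first, or have both functions remove the secret root themselves on failure. Separately, the `--secure-boot-profile` pre-scan assigns whatever token follows the flag, so `--secure-boot-profile --debug` exports `VAR_CISS_SECUREBOOT_PROFILE=--debug` until `arg_parser` rejects it; a `[[ "${ARY_PARAM_ARRAY[idx + 1]}" != -* ]]` guard keeps the exported value sane for anything that reads the environment in between.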
@@ -210,9 +243,13 @@ declare -ar ARY_ARG_SANITIZED=("$@")
declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}" declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
### Updating Status of Dialog Gauge Bar. ### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n80\n" >&3; fi
arg_parser "$@" arg_parser "$@"
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nValidate secret Arguments ... \nXXX\n95\n" >&3; fi
validate_selected_secret_inputs
### Updating Status of Dialog Gauge Bar. ### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
clean_ip clean_ip
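Review bot: the new "Validate secret Arguments" gauge step reports 95 and the following "Final checks" step still reports 95, so the dialog gauge does not move between the two; with parsing lowered to 80, a value such as 88 for the validation step keeps the bar monotonic. Also confirm that running `validate_selected_secret_inputs` after `arg_parser` is intended: anything `arg_parser` already copied or exported from a secret path has been acted on before this validation rejects it.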
@@ -248,6 +285,7 @@ init_primordial
### Integrate the CISS.debian.live.builder repository into the build directory. ### Integrate the CISS.debian.live.builder repository into the build directory.
### Modifications from this point onwards must be placed under 'VAR_HANDLER_BUILD_DIR'. ### Modifications from this point onwards must be placed under 'VAR_HANDLER_BUILD_DIR'.
hardening_ultra hardening_ultra
secureboot_profile_apply
### CISS.debian.installer 'GRUB' and 'autostart' generator. ### CISS.debian.installer 'GRUB' and 'autostart' generator.
cdi cdi
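Review bot: `secureboot_profile_apply` is placed after the comment that requires every modification from this point on to land under `VAR_HANDLER_BUILD_DIR`; confirm it writes only there. For the `ciss-uki` profile it should also fail closed when `ciss-efi-image.key` or `ciss-efi-image.crt` is missing rather than silently producing an image with an unsigned UKI; the two README files added in this commit do not say which behaviour applies.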
+50 -21
View File
@@ -1,49 +1,78 @@
# code_review.md # code_review.md
Review priorities, in order: Use this file for explicit review tasks and final self-review after implementation.
Do not treat it as a mandate for an unlimited audit unless the user asks for one.
## Review priorities
Review findings in this order:
1. Correctness 1. Correctness
2. Security regressions 2. Security regressions
3. Boot/build reproducibility 3. Boot/build reproducibility
4. Data loss risk 4. Data loss risk
5. Error handling 5. Error handling
6. Test coverage 6. Test or validation coverage
7. Maintainability 7. Maintainability
8. Minimality of diff 8. Minimality of diff
9. Style consistency 9. Style consistency
Finding classes: ## Finding classes
- BLOCKER: proven correctness bug, security regression, build break, boot break, or data loss risk that must be fixed before
merge
- RISK: plausible issue or security concern that is not fully proven from the available context
- CLEANUP: maintainability, readability, or consistency improvement that is not required for correctness
- NOTE: observation only; no change requested
Review output format: - `BLOCKER`: proven correctness bug, security regression, build break, boot break, or data loss risk that must be fixed before merge.
- List findings first, ordered by severity. - `RISK`: plausible issue or security concern that is not fully proven from the available context.
- Cite file paths and line numbers where possible. - `CLEANUP`: maintainability, readability, or consistency improvement that is not required for correctness.
- For each finding, explain the concrete impact, and the smallest reasonable fix. - `NOTE`: observation only; no change requested.
- Separate observations, inferences, and recommendations.
- After findings, list missing checks or residual risks.
- If there are no findings, say so explicitly and still mention relevant test gaps.
Do not nitpick formatting if automated tooling exists. ## Review output format
Do not invent requirements not present in the task, repository, or documentation.
List findings first, ordered by severity.
For each finding include:
- class
- file path and line number where possible
- observation
- concrete impact
- smallest reasonable fix
Then include:
- missing checks or validation gaps
- residual risks
- concise final recommendation
If there are no findings, say so explicitly and still mention relevant validation gaps.
## Scope control
- Do not nitpick formatting when automated tooling exists.
- Do not invent requirements not present in the task, repository, or documentation.
- Do not expand a small implementation task into a broad quality-management audit.
- Do not request a full live build unless the changed code path affects image generation in a way that cannot be checked narrowly.
- Prefer a small actionable finding over a broad speculative warning.
## Security-sensitive checklist
Check whether the change affects:
Security-sensitive review checklist:
- boot trust - boot trust
- initramfs behavior - initramfs behavior
- live-boot runtime behavior
- cryptsetup/LUKS handling - cryptsetup/LUKS handling
- encrypted SquashFS handling - encrypted SquashFS handling
- key material - key material
- remotely unlock - remote unlock
- TLS/mTLS verification - TLS or mTLS verification
- signature/hash verification - signature, checksum, or provenance verification
- package sources or remote downloads
- network exposure - network exposure
- file permissions - file permissions
- persistence - persistence
- logging of sensitive values - logging of sensitive values
For affected areas, separate observation, inference, and recommendation.
--- ---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)** **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown --> <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
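Review bot: the per-finding field list under "Review output format" has `observation`, `concrete impact` and `smallest reasonable fix`, but the closing line of the security checklist asks reviewers to "separate observation, inference, and recommendation"; `inference` has no slot in the per-finding format, so the two sections disagree. Add `inference` between `observation` and `concrete impact` (or drop it from the checklist sentence) so the format and the checklist match.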
+8
View File
@@ -13,8 +13,16 @@ BUILD_DIR ?=
### Optional Dropbear source override; empty uses VAR_DROPBEAR_VERSION from var/global.var.sh: ### Optional Dropbear source override; empty uses VAR_DROPBEAR_VERSION from var/global.var.sh:
DROPBEAR_VERSION ?= DROPBEAR_VERSION ?=
### Optional SOPS release override; empty uses VAR_SOPS_VERSION from var/global.var.sh:
SOPS_VERSION ?=
### Optional Primordial CDI overlay settings; all three values are required for automatic overlay bootstrap:
PRIMORDIAL_URL ?=
PRIMORDIAL_KEY ?=
PRIMORDIAL_SSH_PORT ?=
PROVIDER_NETCUP_IPV6 ?= PROVIDER_NETCUP_IPV6 ?=
ROOT_PASSWORD_FILE ?= ROOT_PASSWORD_FILE ?=
### Secure Boot profile; debian-shim or ciss-uki:
SECURE_BOOT_PROFILE ?= debian-shim
SSH_PORT ?= SSH_PORT ?=
SSH_PUBKEY ?= SSH_PUBKEY ?=
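Review bot: `PRIMORDIAL_KEY ?=` does not say whether it carries a path to a key file or the key material itself; make variables end up on recipe command lines and in the environment of every recipe, so a literal key would be visible in `ps`, in `make -n` output and in CI logs. Document it as a file path (as `ROOT_PASSWORD_FILE` and `SSH_PUBKEY` are) and have the consumer refuse a value that is not an existing file. The comment says all three `PRIMORDIAL_*` values are required for automatic overlay bootstrap; state what happens when only some are set (error or skip).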
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -gx VAR_DATE="$(date +%F)" declare -gx VAR_DATE="$(date +%F)"
@@ -284,7 +284,7 @@ LLMNR=no
MulticastDNS=no MulticastDNS=no
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
####################################### #######################################
# Get all NIC drivers of the current Host machine. # Get all NIC drivers of the current Host machine.
@@ -345,7 +345,7 @@ chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
VAR_DATE="$(date +%F)" VAR_DATE="$(date +%F)"
@@ -45,8 +45,10 @@ EOF
mkdir -p /etc/systemd/system/tmp.mount.d mkdir -p /etc/systemd/system/tmp.mount.d
cat << EOF >| /etc/systemd/system/tmp.mount.d/override.conf cat << EOF >| /etc/systemd/system/tmp.mount.d/override.conf
# The live ISO runs CISS.debian.installer and must support at least 12 raw plus encrypted LUKS header backups in the installer
# scratch path.
[Mount] [Mount]
Options=mode=1777,strictatime,nosuid,nodev,noexec,size=1% Options=mode=1777,strictatime,nosuid,nodev,noexec,size=2G
EOF EOF
mkdir -p /etc/systemd/system/dev-shm.mount.d mkdir -p /etc/systemd/system/dev-shm.mount.d
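Review bot: changing `size=1%` to `size=2G` replaces a RAM-relative cap with a fixed one; on a live host with 4 GiB and, as is typical for a live system, no swap, `/tmp` may now consume half of memory, while the stated need (12 raw plus encrypted LUKS header backups, at the 16 MiB LUKS2 default header size) amounts to a few hundred MiB. Either document where 2G comes from or derive the bound from the header count, e.g. `size=1G`, and add the minimum RAM assumption to the comment.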
@@ -57,7 +59,7 @@ EOF
systemctl enable ciss-remount-root.service systemctl enable ciss-remount-root.service
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
View File
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
if [[ -f /root/.cdi ]]; then if [[ -f /root/.cdi ]]; then
@@ -48,7 +48,7 @@ EOF
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -72,7 +72,7 @@ include /etc/logrotate.d
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -30,7 +30,7 @@ EOF
install -d -m 0755 /var/cache/apparmor install -d -m 0755 /var/cache/apparmor
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+6 -6
View File
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -20,7 +20,7 @@ export INITRD="No"
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare var_dropbear_env="/root/dropbear.env" declare var_dropbear_env="/root/dropbear.env"
[[ -r "${var_dropbear_env}" ]] || { [[ -r "${var_dropbear_env}" ]] || {
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2 printf "\e[91m❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
exit 43 exit 43
} }
@@ -28,7 +28,7 @@ declare var_dropbear_env="/root/dropbear.env"
. "${var_dropbear_env}" . "${var_dropbear_env}"
declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}" declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
[[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || { [[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2 printf "\e[91m❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
exit 43 exit 43
} }
@@ -39,7 +39,7 @@ declare var_logfile="/root/.ciss/cdlb/log/0020_dropbear_build.log"
mkdir -p "/root/build" mkdir -p "/root/build"
[[ -r "${var_tar}" ]] || { [[ -r "${var_tar}" ]] || {
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear tarball: [%s] \e[0m\n" "${var_tar}" >&2 printf "\e[91m❌ ERROR: Missing Dropbear tarball: [%s] \e[0m\n" "${var_tar}" >&2
exit 43 exit 43
} }
@@ -86,7 +86,7 @@ if ! setsid bash -c '
' >| "${var_logfile}" 2>&1 ' >| "${var_logfile}" 2>&1
then then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2 printf "\e[91m❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2
tail -n 42 "${var_logfile}" >&2 || true tail -n 42 "${var_logfile}" >&2 || true
exit 42 exit 42
@@ -94,7 +94,7 @@ fi
rm -rf /root/dropbear rm -rf /root/dropbear
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -20,7 +20,7 @@ export INITRD="No"
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare var_dropbear_env="/root/dropbear.env" declare var_dropbear_env="/root/dropbear.env"
[[ -r "${var_dropbear_env}" ]] || { [[ -r "${var_dropbear_env}" ]] || {
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2 printf "\e[91m❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
exit 43 exit 43
} }
@@ -28,7 +28,7 @@ declare var_dropbear_env="/root/dropbear.env"
. "${var_dropbear_env}" . "${var_dropbear_env}"
declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}" declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
[[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || { [[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2 printf "\e[91m❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
exit 43 exit 43
} }
@@ -143,7 +143,7 @@ EOF
systemctl mask dropbear.service dropbear.socket systemctl mask dropbear.service dropbear.socket
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
View File
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -154,7 +154,7 @@ readonly -f write_dropbear_conf
dropbear_setup dropbear_setup
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cat << EOF >> /etc/ssh/ssh_config.d/10-sshfp.conf cat << EOF >> /etc/ssh/ssh_config.d/10-sshfp.conf
# SPDX-Version: 3.0 # SPDX-Version: 3.0
@@ -38,7 +38,7 @@ Host git.coresecret.dev
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+7 -7
View File
@@ -11,13 +11,13 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
if [[ ! -f /root/.pwd ]]; then if [[ ! -f /root/.pwd ]]; then
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n" printf "\e[92m❌ /root/.pwd NOT found. \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n" printf "\e[92m❌ Exiting Hook ... \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}" printf "\e[92m✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
exit 0 exit 0
fi fi
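Review bot: the `/root/.pwd NOT found.` line switches from `\e[93m` (yellow) to `\e[92m` (green) while keeping the ❌ marker, so the skipped root-password step is now printed in the same colour as success and no longer stands out in a build log. Keep `\e[93m` for that line (and preferably for `Exiting Hook ...` as well), and consider sending both to `>&2` as the other ❌ message in this file is.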
@@ -39,15 +39,15 @@ unset hashed_pwd safe_hashed_pwd
if shred -fzu -n 5 /root/.pwd; then if shred -fzu -n 5 /root/.pwd; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n" printf "\e[92m✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"
else else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2 printf "\e[91m❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cat << 'EOF' >| /etc/default/keyboard cat << 'EOF' >| /etc/default/keyboard
XKBMODEL="pc105" XKBMODEL="pc105"
@@ -26,7 +26,7 @@ export DEBIAN_FRONTEND="noninteractive"
export INITRD="No" export INITRD="No"
dpkg-reconfigure -f noninteractive keyboard-configuration dpkg-reconfigure -f noninteractive keyboard-configuration
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
View File
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -28,7 +28,7 @@ ExecStart=
ExecStart=/usr/sbin/jitterentropy-rngd --osr=2 ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
View File
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak
mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak
@@ -26,7 +26,7 @@ localhost.local
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
View File
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root cd /root
if [[ -f /var/lib/dbus/machine-id ]]; then if [[ -f /var/lib/dbus/machine-id ]]; then
@@ -32,7 +32,7 @@ b08dfa6083e7567a1921a715000001fb
EOF EOF
chmod 644 /etc/machine-id chmod 644 /etc/machine-id
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
View File
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root cd /root
@@ -147,7 +147,7 @@ unzip /tmp/nerd/Hack.zip -d /root/.local/share/fonts
fc-cache -fv fc-cache -fv
rm -rf /tmp/nerd rm -rf /tmp/nerd
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
View File
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
@@ -463,7 +463,7 @@ upload-options=
#EOF #EOF
EOF_LYNIS EOF_LYNIS
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
mkdir -p /var/log/chrony mkdir -p /var/log/chrony
@@ -114,7 +114,7 @@ fi
chronyd -Q -f /etc/chrony/chrony.conf 2>&1 chronyd -Q -f /etc/chrony/chrony.conf 2>&1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
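Review bot: `chronyd -Q -f /etc/chrony/chrony.conf 2>&1` does a one-shot time query at hook time, and under `set -e` the whole hook aborts whenever none of the configured servers is reachable, which is the normal state inside an offline image-build chroot. If the purpose is to validate the configuration, `chronyd -p -f /etc/chrony/chrony.conf` prints the parsed config without touching the network and is the safer check; if a live sync at build time really is intended, make the failure explicit with a message rather than relying on `set -e`, so the build log says why it stopped. The `2>&1` here redirects stderr into stdout but nothing captures either, so it has no effect and can go.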
@@ -11,12 +11,12 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root/git cd /root/git
git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
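Review bot: `git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git` checks out whatever the default branch holds at build time, so the tool shipped in the image is unversioned and cannot be audited after the fact; the same applies to the other clone hooks in this commit (MySQLTuner-perl with `--depth 1 -b master`, testssl.sh, UFW-AbuseIPDB-Reporter, harbian-audit, ssh-audit, dnsviz). Pin a tag or commit (`git clone --branch <tag> --depth 1 ...`, or `git -C /root/git/kernel-hardening-checker checkout <commit>` after the clone), write the resulting `git rev-parse HEAD` into the build log next to `sops.log` and `age.log`, and where a project signs its tags verify them with `git verify-tag`. Note also that `git clone` refuses a pre-existing non-empty target, so a re-run of this hook on a previously built tree fails under `set -e`; remove the directory first or make the step idempotent.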
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
mkdir -p /etc/systemd/system/ssh.service.d mkdir -p /etc/systemd/system/ssh.service.d
@@ -24,7 +24,7 @@ Wants=network-online.target
ExecStartPre=/bin/sleep 5 ExecStartPre=/bin/sleep 5
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
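Review bot: `ExecStartPre=/bin/sleep 5` beneath `Wants=network-online.target` is a timing workaround, not an ordering guarantee: `Wants=` only pulls the target in and does not delay sshd until it is reached, so on a slow boot the five seconds can still elapse before the interfaces are up, and on a fast boot they are wasted. If the drop-in does not already carry `After=network-online.target`, add it and drop the sleep. Keep in mind that `ExecStartPre=` in a drop-in appends to the unit's existing list rather than replacing it, so if a delay is retained it should be documented in the file as an intentional addition to the stock `ssh.service` pre-start steps.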
@@ -11,12 +11,12 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root/git cd /root/git
git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,12 +11,12 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
chmod +x /usr/bin/yq chmod +x /usr/bin/yq
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
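Review bot: `wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq` pulls whatever upstream currently tags as latest with no checksum or signature check, so the yq in the image is both unpinned and unverified. The sops hook in this same commit shows the pattern to copy (fixed version in an env file, checksums file, `cosign verify-blob`, `sha256sum -c` with a check that the expected artifact was covered); at minimum pin a release and compare against a checksum recorded in the repo. Two smaller points: the URL hardcodes amd64 while the sops hook branches on `dpkg --print-architecture` (the lynis list on this page even declares `arch=amd64,arm64`), and `-O /usr/bin/yq` writes into the dpkg-managed prefix rather than `/usr/local/bin`, where the sops binary is installed.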
+2 -2
@@ -11,12 +11,12 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root/git cd /root/git
git clone https://github.com/testssl/testssl.sh.git git clone https://github.com/testssl/testssl.sh.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -22,7 +22,7 @@ apt-get install -y nodejs
cd /root/git cd /root/git
git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,12 +11,12 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root/git cd /root/git
git clone https://github.com/hardenedlinux/harbian-audit.git git clone https://github.com/hardenedlinux/harbian-audit.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,12 +11,12 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root/git cd /root/git
git clone https://github.com/jtesta/ssh-audit.git git clone https://github.com/jtesta/ssh-audit.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,12 +11,12 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root/git cd /root/git
git clone https://github.com/dnsviz/dnsviz.git git clone https://github.com/dnsviz/dnsviz.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+289 -29
@@ -11,47 +11,307 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
export INITRD="No" export INITRD="No"
SOPS_VER="v3.13.0" declare SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP="https://github.com/getsops"
ARCH="$(dpkg --print-architecture)" declare SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER="https://token.actions.githubusercontent.com"
case "${ARCH}" in
amd64) SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
arm64) SOPS_FILE="sops-${SOPS_VER}.linux.arm64" ;;
*) echo "Unsupported arch: ${ARCH}" >&2; exit 1 ;;
esac
cd /tmp #######################################
# Print a fatal error and abort the hook.
# Globals:
# None
# Arguments:
# 1: Message string
# Returns:
# None
#######################################
die() {
declare message="$1"
printf "\e[91m❌ ERROR: %s \e[0m\n" "${message}" >&2
exit 43
}
curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/${SOPS_FILE}" #######################################
curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.txt" # Require an executable tool.
curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.pem" # Globals:
curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.sig" # None
# Arguments:
# 1: Tool name
# Returns:
# 0: on success
#######################################
require_tool() {
declare tool_name="$1"
cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \ command -v "${tool_name}" >/dev/null 2>&1 || die "Required tool not found: ${tool_name}"
--certificate "sops-${SOPS_VER}.checksums.pem" \
--signature "sops-${SOPS_VER}.checksums.sig" \
--certificate-identity-regexp="https://github.com/getsops" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com"
sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing return 0
}
install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops #######################################
sops --version --check-for-updates >| /root/.ciss/cdlb/log/sops.log # Validate and normalize a SOPS semantic version.
age --version >| /root/.ciss/cdlb/log/age.log # Globals:
# None
# Arguments:
# 1: SOPS version string
# Outputs:
# Normalized bare semantic version
# Returns:
# 0: on success
#######################################
normalize_sops_version() {
declare sops_version="${1#v}"
rm -f "/tmp/${SOPS_FILE}" [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || \
rm -f "/tmp/sops-${SOPS_VER}.checksums.txt" die "Invalid SOPS version '${1}'. Expected '<MAJOR>.<MINOR>.<PATCH>' without prerelease metadata."
rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
chmod 0400 /root/.config/sops/age/keys.txt printf '%s' "${sops_version}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" return 0
}
#######################################
# Download a mandatory release asset.
# Globals:
# None
# Arguments:
# 1: Asset URL
# 2: Target filename
# Returns:
# 0: on success
#######################################
download_required_asset() {
declare asset_url="$1"
declare target_file="$2"
if ! curl -fsSLo "${target_file}" "${asset_url}"; then
die "Failed to download required SOPS asset '${target_file}' from '${asset_url}'."
fi
[[ -s "${target_file}" ]] || die "Downloaded SOPS asset is empty: ${target_file}"
return 0
}
#######################################
# Download an optional release asset and distinguish absence from download errors.
# Globals:
# None
# Arguments:
# 1: Asset URL
# 2: Target filename
# Returns:
# 0: asset was downloaded
# 1: asset is absent upstream
#######################################
download_optional_asset() {
declare asset_url="$1"
declare target_file="$2"
declare http_code=""
if ! http_code=$(curl -sSLo "${target_file}" -w '%{http_code}' "${asset_url}"); then
rm -f -- "${target_file}"
die "Failed to query optional SOPS asset '${target_file}' from '${asset_url}'."
fi
case "${http_code}" in
200)
[[ -s "${target_file}" ]] || die "Optional SOPS asset is empty after HTTP 200: ${target_file}"
return 0
;;
404)
rm -f -- "${target_file}"
return 1
;;
*)
rm -f -- "${target_file}"
die "Unexpected HTTP status ${http_code} for optional SOPS asset '${target_file}' from '${asset_url}'."
;;
esac
}
#######################################
# Verify the SOPS checksums file with Cosign.
# Globals:
# SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP
# SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER
# Arguments:
# 1: Checksums filename
# 2: Bundle filename
# 3: Certificate filename
# 4: Signature filename
# Returns:
# 0: on success
#######################################
verify_sops_checksums_signature() {
declare checksums_file="$1"
declare bundle_file="$2"
declare certificate_file="$3"
declare signature_file="$4"
if [[ -f "${bundle_file}" ]]; then
printf "\e[95m[INFO] Verifying SOPS checksums with Cosign bundle: %s \e[0m\n" "${bundle_file}"
cosign verify-blob "${checksums_file}" \
--bundle "${bundle_file}" \
--certificate-identity-regexp="${SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
--certificate-oidc-issuer="${SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER}" || \
die "SOPS checksum signature verification failed in bundle mode for '${checksums_file}' using '${bundle_file}'."
return 0
fi
if [[ -f "${certificate_file}" && -f "${signature_file}" ]]; then
printf "\e[95m[INFO] Verifying SOPS checksums with Cosign split certificate/signature: %s %s \e[0m\n" "${certificate_file}" "${signature_file}"
cosign verify-blob "${checksums_file}" \
--certificate "${certificate_file}" \
--signature "${signature_file}" \
--certificate-identity-regexp="${SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
--certificate-oidc-issuer="${SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER}" || \
die "SOPS checksum signature verification failed in legacy split mode for '${checksums_file}' using '${certificate_file}' and '${signature_file}'."
return 0
fi
if [[ -f "${certificate_file}" || -f "${signature_file}" ]]; then
die "Incomplete legacy SOPS signature layout for '${checksums_file}'. Expected both '${certificate_file}' and '${signature_file}'."
fi
die "No supported SOPS checksum signature layout found for '${checksums_file}'. Expected bundle or split certificate/signature assets."
}
#######################################
# Verify the SOPS artifact checksum and ensure the expected artifact was covered.
# Globals:
# None
# Arguments:
# 1: Checksums filename
# 2: Artifact filename
# Returns:
# 0: on success
#######################################
verify_sops_artifact_checksum() {
declare checksums_file="$1"
declare artifact_file="$2"
declare checksum_output=""
if ! checksum_output=$(sha256sum -c "${checksums_file}" --ignore-missing 2>&1); then
printf '%s\n' "${checksum_output}" >&2
die "SOPS artifact checksum verification failed for '${artifact_file}' using '${checksums_file}'."
fi
printf '%s\n' "${checksum_output}"
if ! grep -Fxq "${artifact_file}: OK" <<< "${checksum_output}" && \
! grep -Fxq "./${artifact_file}: OK" <<< "${checksum_output}"; then
die "SOPS checksum verification did not cover expected artifact '${artifact_file}' from '${checksums_file}'."
fi
return 0
}
#######################################
# Install SOPS from an upstream GitHub release after signature and checksum verification.
# Globals:
# CISS_SOPS_VERSION
# Arguments:
# None
# Returns:
# 0: on success
#######################################
main() {
require_tool curl
require_tool cosign
require_tool sha256sum
declare sops_env="/root/sops.env"
[[ -r "${sops_env}" ]] || die "Missing SOPS environment file: ${sops_env}"
# shellcheck disable=SC1090
. "${sops_env}"
declare ciss_sops_version
ciss_sops_version=$(normalize_sops_version "${CISS_SOPS_VERSION:?CISS_SOPS_VERSION is not set}")
declare architecture
architecture="$(dpkg --print-architecture)"
declare sops_tag="v${ciss_sops_version}"
declare sops_file=""
case "${architecture}" in
amd64)
sops_file="sops-${sops_tag}.linux.amd64"
;;
arm64)
sops_file="sops-${sops_tag}.linux.arm64"
;;
*)
die "Unsupported architecture '${architecture}' for SOPS version '${ciss_sops_version}'. Expected amd64 or arm64."
;;
esac
declare release_base_url="https://github.com/getsops/sops/releases/download/${sops_tag}"
declare checksums_file="sops-${sops_tag}.checksums.txt"
declare bundle_file="sops-${sops_tag}.checksums.sigstore.json"
declare certificate_file="sops-${sops_tag}.checksums.pem"
declare signature_file="sops-${sops_tag}.checksums.sig"
declare bundle_available="false"
declare certificate_available="false"
declare signature_available="false"
cd /tmp
printf "\e[95m[INFO] Downloading SOPS %s asset: %s \e[0m\n" "${ciss_sops_version}" "${sops_file}"
download_required_asset "${release_base_url}/${sops_file}" "${sops_file}"
download_required_asset "${release_base_url}/${checksums_file}" "${checksums_file}"
# shellcheck disable=SC2310
if download_optional_asset "${release_base_url}/${bundle_file}" "${bundle_file}"; then
bundle_available="true"
fi
if [[ "${bundle_available}" == "false" ]]; then
# shellcheck disable=SC2310
if download_optional_asset "${release_base_url}/${certificate_file}" "${certificate_file}"; then
certificate_available="true"
fi
# shellcheck disable=SC2310
if download_optional_asset "${release_base_url}/${signature_file}" "${signature_file}"; then
signature_available="true"
fi
if [[ "${certificate_available}" != "${signature_available}" ]]; then
die "Incomplete legacy SOPS signature assets for version '${ciss_sops_version}'. Expected both '${certificate_file}' and '${signature_file}'."
fi
fi
verify_sops_checksums_signature "${checksums_file}" "${bundle_file}" "${certificate_file}" "${signature_file}"
verify_sops_artifact_checksum "${checksums_file}" "${sops_file}"
install -m 0755 "${sops_file}" /usr/local/bin/sops
sops --version >| /root/.ciss/cdlb/log/sops.log
age --version >| /root/.ciss/cdlb/log/age.log
rm -f -- "/tmp/${sops_file}"
rm -f -- "/tmp/${checksums_file}"
rm -f -- "/tmp/${bundle_file}"
rm -f -- "/tmp/${certificate_file}"
rm -f -- "/tmp/${signature_file}"
if [[ -f /root/.config/sops/age/keys.txt ]]; then
chmod 0400 /root/.config/sops/age/keys.txt
fi
printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
return 0
}
if [[ "${CISS_SOPS_TEST_MODE:-false}" != "true" ]]; then
main "$@"
exit 0
fi
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
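Review bot: `SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP="https://github.com/getsops"` is unanchored (and its dots are unescaped), so `cosign verify-blob` accepts any Fulcio certificate whose identity merely contains that substring, including a workflow under a differently named organisation or repository that starts with the same prefix; anchor it to the releasing workflow, at minimum `^https://github\.com/getsops/sops/`, or use the exact `--certificate-identity` of the release workflow instead of a regexp. This was already the case in the old inline invocation, but now that the policy is a named global it is the place to tighten it. Three smaller points in the same hunk: (1) `require_tool` covers curl, cosign and sha256sum, but `age --version` at the end of `main` is unguarded, so a missing age aborts the hook after sops has already been installed and before the cleanup; add `require_tool age` alongside the others. (2) Assets are written to fixed filenames under `/tmp` and the `rm -f` cleanup only runs on the success path, so every `die` leaves the downloads behind; a `mktemp -d` working directory with `trap 'rm -rf -- "${tmpdir}"' EXIT` fixes both and removes the predictable-path concern. (3) When `CISS_SOPS_TEST_MODE=true` the file is presumably sourced to unit-test its functions, but the trailing `exit 0` (and `set -Ceuo pipefail` near the top) still execute in the sourcing shell; end the test branch with `return 0 2>/dev/null || exit 0` or drop the final `exit`. Finally, confirm that the cosign version in the image reads the `.sigstore.json` bundle through `--bundle` without extra flags (cosign 2.4 needed `--new-bundle-format` for that); since a present-but-unreadable bundle goes straight to `die` rather than falling back to the certificate/signature pair, an older cosign would fail every verification.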
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -21,7 +21,7 @@ wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O
yq --version yq --version
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
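Review bot: this is the second hook in this commit that installs yq the same way (`wget .../releases/latest/download/yq_linux_amd64 -O /usr/bin/yq`, visible in the hunk header); the earlier hook downloads and does `chmod +x`, this one downloads again and runs `yq --version`. Two unpinned downloads of the same binary double the exposure and can even produce different versions within one build if upstream publishes a release mid-run. Keep the install in one hook and have this one only check `command -v yq` before logging the version.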
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
umask 0077 umask 0077
@@ -31,7 +31,7 @@ apt-get purge -y texinfo
apt-get autoremove --purge -y apt-get autoremove --purge -y
apt-get autoclean -y apt-get autoclean -y
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+5 -3
@@ -11,10 +11,11 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
declare -r UFW_OUT_POLICY="deny" declare -r UFW_OUT_POLICY="deny"
declare -r SSHPORT="SSHPORT_MUST_BE_SET" declare -r SSHPORT="SSHPORT_MUST_BE_SET"
# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET
ufw --force reset ufw --force reset
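Review bot: `declare -r SSHPORT="SSHPORT_MUST_BE_SET"` and the new `# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET` marker are build-time substitution placeholders, but nothing checks that substitution happened before `ufw --force reset` runs. If the placeholder survives, `ufw allow out "${SSHPORT}"/tcp` further down fails with a bad-port error and `set -e` stops the hook after the reset has already wiped the ruleset and before the `ENABLED=yes` edit, so the image ships with ufw reset and disabled. Add a guard ahead of the reset, e.g. `[[ ${SSHPORT} =~ ^[0-9]+$ ]] || exit 1`, and apply the same check to whatever the PRIMORDIAL placeholder expands to.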
@@ -44,7 +45,8 @@ if [[ ${UFW_OUT_POLICY,,} == "deny" ]]; then
ufw allow out 853/tcp comment 'Outgoing DoT' ufw allow out 853/tcp comment 'Outgoing DoT'
ufw allow out 993/tcp comment 'Outgoing IMAPS' ufw allow out 993/tcp comment 'Outgoing IMAPS'
ufw allow out 4460/tcp comment 'Outgoing NTS' ufw allow out 4460/tcp comment 'Outgoing NTS'
ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)' ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH Custom-Port'
# PRIMORDIAL_SSH_RULE_MUST_BE_SET
ufw allow out 53/udp comment 'Outgoing DNS' ufw allow out 53/udp comment 'Outgoing DNS'
ufw allow out 123/udp comment 'Outgoing NTP' ufw allow out 123/udp comment 'Outgoing NTP'
ufw allow out 443/udp comment 'Outgoing QUIC' ufw allow out 443/udp comment 'Outgoing QUIC'
@@ -61,7 +63,7 @@ sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type
sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -26,15 +26,15 @@ fi
if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'Process Accounting' enabled successful. \e[0m\n" printf "\e[92m✅ 'Process Accounting' enabled successful. \e[0m\n"
else else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2 printf "\e[91m❌ 'Process Accounting' already enabled. \e[0m\n" >&2
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
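Review bot: the `else` branch reports `'Process Accounting' already enabled.` for any `ln -s` failure, but the call also fails when `/etc/systemd/system/multi-user.target.wants` does not exist or the unit file is missing, and the message is printed in red with ❌ to stderr for what it describes as a non-error; because the failure is swallowed by the `if`, the hook then ends with `applied successfully`. Test the condition explicitly (`[[ -e /etc/systemd/system/multi-user.target.wants/acct.service ]]`) or use `ln -sf` and drop the branch, so that a genuine error surfaces and the benign case is not logged as one.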
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
mkdir -p /root/.ciss/cdlb/backup/update-motd.d mkdir -p /root/.ciss/cdlb/backup/update-motd.d
cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d
@@ -23,7 +23,7 @@ EOF
chmod 0755 /etc/update-motd.d/10-uname chmod 0755 /etc/update-motd.d/10-uname
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt") declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
declare backup_dir="/root/.ciss/cdlb/backup/certificates" declare backup_dir="/root/.ciss/cdlb/backup/certificates"
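Review bot: `search_dirs` includes `/etc/letsencrypt`, and later in this file expired matches are deleted with `rm -f "${exp_cert}"`. Certbot keeps every issued certificate under `/etc/letsencrypt/archive` and points `live/` at it via symlinks; removing expired archive members breaks `certbot renew`'s bookkeeping and can leave dangling `live/` links, and these are leaf certificates rather than trust anchors, so deleting them gains nothing for trust-store hygiene. Drop `/etc/letsencrypt` from the list, or make that directory report-only. Separately, `/etc/ssl/certs` is generated by `update-ca-certificates` from `/etc/ca-certificates.conf`, so deletions there are undone by the later `--fresh` run and only the `ca-certificates.conf` deselection the script already performs actually sticks.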
@@ -29,7 +29,7 @@ declare -ax expired_certificates=()
# None # None
####################################### #######################################
create_backup() { create_backup() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}" printf "\e[95m🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"
mkdir -p "${backup_dir}" mkdir -p "${backup_dir}"
declare dir="" declare dir=""
@@ -44,7 +44,7 @@ create_backup() {
done done
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}" printf "\e[92m✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
} }
####################################### #######################################
@@ -104,7 +104,7 @@ delete_expired_from_all_bundles() {
if [[ -f ${bundle} ]]; then if [[ -f ${bundle} ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}" printf "\e[95m🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
declare tmp_bundle="${bundle}.tmp" declare tmp_bundle="${bundle}.tmp"
declare -a block=() declare -a block=()
declare expired=0 declare expired=0
@@ -149,7 +149,7 @@ delete_expired_from_all_bundles() {
else else
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}" printf "\e[92m✅ Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"
fi fi
@@ -161,29 +161,29 @@ delete_expired_from_all_bundles() {
mv -f "${tmp_bundle}" "${bundle}" mv -f "${tmp_bundle}" "${bundle}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}" printf "\e[92m✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"
fi fi
done done
} }
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}" printf "\e[95m🧪 Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}"
create_backup create_backup
delete_expired_from_all_bundles delete_expired_from_all_bundles
check_certificates check_certificates
if [[ ${#expired_certificates[@]} -eq 0 ]]; then if [[ ${#expired_certificates[@]} -eq 0 ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No expired certificates found.\e[0m\n" printf "\e[92m✅ No expired certificates found.\e[0m\n"
else else
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Expired certificates found:\e[0m\n" printf "\e[95m🧪 Expired certificates found:\e[0m\n"
for exp_cert in "${expired_certificates[@]}"; do for exp_cert in "${expired_certificates[@]}"; do
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}" printf "\e[92m'%s'. \e[0m\n" "${exp_cert}"
done done
@@ -191,7 +191,7 @@ else
rm -f "${exp_cert}" rm -f "${exp_cert}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}" printf "\e[92m✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
basename=$(basename "${exp_cert}") basename=$(basename "${exp_cert}")
mozilla_entry="mozilla/${basename%.pem}.crt" mozilla_entry="mozilla/${basename%.pem}.crt"
mozilla_entry="${mozilla_entry%.crt}.crt" mozilla_entry="${mozilla_entry%.crt}.crt"
@@ -200,19 +200,19 @@ else
if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then
sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}" sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}" printf "\e[92m✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"
fi fi
done done
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache ... \e[0m\n" printf "\e[95m✅ Updating the certificate cache ... \e[0m\n"
update-ca-certificates --fresh update-ca-certificates --fresh
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache done.\e[0m\n" printf "\e[92m✅ Updating the certificate cache done.\e[0m\n"
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
declare _key="" declare _key=""
cd /etc/ssh cd /etc/ssh
@@ -115,7 +115,7 @@ fi
/usr/sbin/sshd -t || exit 42 /usr/sbin/sshd -t || exit 42
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
mkdir -p /root/.ciss/cdlb/backup/etc/ssl mkdir -p /root/.ciss/cdlb/backup/etc/ssl
@@ -439,7 +439,7 @@ SignatureAlgorithms = ecdsa_secp521r1_sha512:ecdsa_secp384r1_sha384:ed448:rsa_ps
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak
chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak
@@ -82,7 +82,7 @@ KeepFree=0
EOF EOF
chmod 0644 /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf chmod 0644 /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root cd /root
@@ -235,7 +235,7 @@ EOF
touch /var/log/fail2ban/fail2ban.log touch /var/log/fail2ban/fail2ban.log
chmod 0640 /var/log/fail2ban/fail2ban.log chmod 0640 /var/log/fail2ban/fail2ban.log
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
########################################################################################### ###########################################################################################
# Remarks: Turn off Energy saving mode and ctrl-alt-del # # Remarks: Turn off Energy saving mode and ctrl-alt-del #
@@ -23,7 +23,7 @@ done
unset target unset target
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -33,7 +33,7 @@ if [[ -d /etc/exim4 ]]; then
rm -rf /etc/exim4 rm -rf /etc/exim4
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -41,7 +41,7 @@ cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdlb/backup/usbguard-daemon
rm -f /tmp/rules.conf rm -f /tmp/rules.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+6 -6
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
@@ -29,7 +29,7 @@ dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
if [[ -s /tmp/deinstall.log ]]; then if [[ -s /tmp/deinstall.log ]]; then
printf "\n" printf "\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Packages to purge ... \e[0m\n" printf "\e[95m🧪 Packages to purge ... \e[0m\n"
sed -i 's!deinstall!!' /tmp/deinstall.log sed -i 's!deinstall!!' /tmp/deinstall.log
while IFS= read -r line; do while IFS= read -r line; do
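Review bot: the hunk header shows the deinstall list being written to the fixed path `/tmp/deinstall.log` with `>|`, which deliberately bypasses the `set -C` noclobber protection this script enables; a predictable file name in a shared temporary directory invites symlink and stale-content problems, so create it with `mktemp` (or under the private directory that `ciss_xdg_tmp.sh` sets up, if it provides one) and remove it once the `while` loop below has consumed it.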
@@ -37,16 +37,16 @@ if [[ -s /tmp/deinstall.log ]]; then
declare trimmed_string declare trimmed_string
trimmed_string=$(echo "${line}" | awk '{$1=$1};1') trimmed_string=$(echo "${line}" | awk '{$1=$1};1')
echo "y" | apt-get purge "${trimmed_string}" echo "y" | apt-get purge "${trimmed_string}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Package '%s' purged. \e[0m\n" "${trimmed_string}" printf "\e[92m✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"
done < /tmp/deinstall.log done < /tmp/deinstall.log
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Packages to purge done. \e[0m\n" printf "\e[92m✅ Packages to purge done. \e[0m\n"
else else
printf "\n" printf "\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Packages to purge, proceeding with clean up. \e[0m\n" printf "\e[92m✅ No Packages to purge, proceeding with clean up. \e[0m\n"
fi fi
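Review bot: `echo "y" | apt-get purge "${trimmed_string}"` drives apt-get through a pipe instead of the supported non-interactive switch; `apt-get purge -y "${trimmed_string}"` together with the `DEBIAN_FRONTEND=noninteractive` export that other hooks in this commit use is the documented form and removes the pipe from the `pipefail` path. The `declare trimmed_string` inside the loop also re-declares the variable on every iteration and can move above the `while`. The message rewording itself is fine.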
@@ -60,7 +60,7 @@ apt-get autopurge -y
updatedb updatedb
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
chmod 0644 /etc/banner chmod 0644 /etc/banner
chmod 0644 /etc/issue chmod 0644 /etc/issue
@@ -26,8 +26,8 @@ fi
touch /etc/motd touch /etc/motd
cat << EOF >| /etc/motd cat << EOF >| /etc/motd
(c) Marc S. Weidner, 2018 - 2025 (c) Marc S. Weidner, 2018 - 2026
(p) Centurion Press, 2018 - 2025 (p) Centurion Press, 2018 - 2026
Centurion Intelligence Consulting Agency (tm) Centurion Intelligence Consulting Agency (tm)
https://coresecret.eu/ https://coresecret.eu/
Please consider making a donation: Please consider making a donation:
@@ -109,7 +109,7 @@ find /root -xdev -exec chown -h root:root {} +
rm -f /etc/tmpfiles.d/legacy.conf rm -f /etc/tmpfiles.d/legacy.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -10,6 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
####################################### #######################################
# Iterates all '/etc/shadow' entries and sets: # Iterates all '/etc/shadow' entries and sets:
# 4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102 # 4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102
@@ -92,12 +93,12 @@ update_shadow() {
# shellcheck disable=SC2034 # shellcheck disable=SC2034
readonly -f update_shadow readonly -f update_shadow
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
if ! command -v chage &>/dev/null; then if ! command -v chage &>/dev/null; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n" printf "\e[92m✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
@@ -111,8 +112,8 @@ mapfile -t users_to_update < <(
if [[ ${#users_to_update[@]} -eq 0 ]]; then if [[ ${#users_to_update[@]} -eq 0 ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n" printf "\e[92m✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
@@ -120,7 +121,7 @@ fi
declare user declare user
for user in "${users_to_update[@]}"; do for user in "${users_to_update[@]}"; do
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}" printf "\e[92m✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
chage --maxdays "${max_days}" "${user}" chage --maxdays "${max_days}" "${user}"
done done
@@ -128,11 +129,11 @@ unset max_days user users_to_update
awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n" printf "\e[92m✅ All applicable accounts have been updated. \e[0m\n"
update_shadow update_shadow
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
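Review bot: the context line `awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow` prints the second field of /etc/shadow, that is the legacy 13-character crypt hash itself, to the hook's stdout and therefore into the build log; print only `$1` (and perhaps a count) so password hashes never leave /etc/shadow. The following `✅ All applicable accounts have been updated.` is also printed whether or not that awk found legacy entries, so a non-empty result should be reported as a warning or fail the hook rather than pass silently.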
+4 -4
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -23,15 +23,15 @@ sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
if aideinit > /dev/null 2>&1; then if aideinit > /dev/null 2>&1; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n" printf "\e[92m✅ 'aideinit' successful. \e[0m\n"
else else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2 printf "\e[91m❌ 'aideinit' NOT successful. \e[0m\n" >&2
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
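Review bot: a failed `aideinit` is only reported (`❌ 'aideinit' NOT successful.` to stderr) and the hook then prints `✅ '%s' applied successfully.` and exits 0, so a build without an AIDE baseline looks identical to a good one in the log; either `exit 42` in the else branch, as the sshd hook does with `/usr/sbin/sshd -t || exit 42`, or document in the script why the failure is tolerated. Because `aideinit > /dev/null 2>&1` also discards the tool's output, the reason for a failure is lost; redirect it to a log file under the backup directory instead.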
@@ -15,7 +15,7 @@
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)" declare -r VAR_DATE="$(date +%F)"
@@ -130,7 +130,7 @@ local_users_only
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,11 +11,11 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+4 -4
@@ -21,7 +21,7 @@ set -Ceuo pipefail
####################################### #######################################
log() { printf '[auditd-build] %s\n' "${*}" >&2; } log() { printf '[auditd-build] %s\n' "${*}" >&2; }
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root cd /root
@@ -42,13 +42,13 @@ cat << EOF >| /etc/audit/rules.d/00-base-config.rules
## Increase the buffers to survive stress events. ## Increase the buffers to survive stress events.
## Make this bigger for busy systems. ## Make this bigger for busy systems.
-b 16384 -b 262144
## Rate Limit. Cap kernel->userspace message rate (0 = unlimited). ## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
-r 200 -r 200
## This determine how long to wait in burst of events. How long to wait in bursts (us). ## This determine how long to wait in burst of events. How long to wait in bursts (us).
--backlog_wait_time 1024 --backlog_wait_time 16384
## Set failure mode to syslog. ## Set failure mode to syslog.
-f 1 -f 1
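Review bot: `-b` goes from 16384 to 262144 and `--backlog_wait_time` from 1024 to 16384 without the comments changing, so the rationale for a sixteen-fold larger kernel backlog (every queued record stays in kernel memory until auditd drains it) should be stated where the comment still says only `Make this bigger for busy systems.`. The unchanged comment `How long to wait in bursts (us)` also disagrees with auditctl(8), which specifies `--backlog_wait_time` in jiffies rather than microseconds, and `This determine` is missing an `s`; both deserve a fix in the same change.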
@@ -374,7 +374,7 @@ ExecStart=/usr/sbin/augenrules --load
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+4 -4
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root cd /root
@@ -26,16 +26,16 @@ sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
if debsums -g > /dev/null 2>&1; then if debsums -g > /dev/null 2>&1; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n" printf "\e[92m✅ 'debsums -g' successful. \e[0m\n"
else else
# Omit false negative error output to stdout and stderr, as no problematic errors occur on startup. # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n" > /dev/null 2>&1 printf "\e[91m❌ 'debsums -g' NOT successful. \e[0m\n" > /dev/null 2>&1
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
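Review bot: the else branch `printf "\e[91m❌ 'debsums -g' NOT successful. \e[0m\n" > /dev/null 2>&1` discards its own output, so the branch is a no-op and a real `debsums -g` failure leaves no trace at all; if the failures really are benign at this stage, as the comment claims, simplify the whole block to `debsums -g > /dev/null 2>&1 || true`, and otherwise write the message and the captured debsums output to a log file so a genuine package-integrity problem is visible after the build.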
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -130,7 +130,7 @@ apt-get dist-upgrade -y # (= apt full-upgrade) allow installs/replacement
apt-get autoremove --purge -y # 'autopurge' == 'autoremove --purge'. apt-get autoremove --purge -y # 'autopurge' == 'autoremove --purge'.
apt-get clean -y # Stronger than autoclean: removes the entire '.deb'-cache. apt-get clean -y # Stronger than autoclean: removes the entire '.deb'-cache.
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+4 -4
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare -ar ary_logrotate=( declare -ar ary_logrotate=(
@@ -53,15 +53,15 @@ done
if ! logrotate -d /etc/logrotate.conf; then if ! logrotate -d /etc/logrotate.conf; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n" printf "\e[91m✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"
else else
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n" printf "\e[92m✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
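Review bot: the failure branch prints `\e[91m✅ 'logrotate -d /etc/logrotate.conf' failed.` with the success glyph, to stdout, and the hook still reports `✅ '%s' applied successfully.` afterwards; match the convention used elsewhere in this commit (`❌ ... >&2`) and consider `exit 42`, since a logrotate configuration that fails its dry run will also fail when cron runs it on the live system.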
+6 -2
@@ -11,7 +11,11 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # Final live-build chroot cleanup hook. Removes transient build artifacts, tightens permissions on CISS root/key material,
# regenerates initramfs images, prepares systemd-resolved DNS configuration, and forces the live system to boot into
# multi-user.target by masking common display managers.
printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target" declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
@@ -92,7 +96,7 @@ for var_dm in "${ary_dm_units[@]}"; do
done done
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -1,4 +1,5 @@
#!/bin/bash #!/bin/bash
# shellcheck disable=SC2154
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
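Review bot: the new file-wide `# shellcheck disable=SC2154` silences the unassigned-variable warning for every variable in this hook, not only the build-environment ones it inherits (`VAR_HANDLER_BUILD_DIR`, `VAR_SIGNING_KEY_FPR`, `VAR_SIGNING_KEY_PASSFILE`, `VAR_VERIFY_KEYRING`, `VAR_TMP_SECRET`, `VAR_CDLB_INSIDE_RUNNER`); guarding those with lines of the form `: "${VAR_HANDLER_BUILD_DIR:?}"` near the top documents the contract, fails early with a clear message when the environment is incomplete, and lets the disable be dropped or narrowed to those lines.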
@@ -11,9 +12,12 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
# ToDo: Unify --integrity hmac-sha512 mode for standalone and runner mode. # Final live-build binary hook for encrypted root filesystem packaging. It creates and signs a deterministic attestation
# manifest for the final filesystem.squashfs byte stream, preallocates a LUKS2 container, formats it with the generated build
# secret, copies the generated filesystem.squashfs into the opened encrypted mapping, then closes the container, shreds the
# temporary LUKS secret, and removes the plaintext SquashFS from the ISO payload.
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
__umask=$(umask) __umask=$(umask)
umask 0077 umask 0077
@@ -36,23 +40,23 @@ preallocate() {
if fallocate -l "${size}" -- "${file}" 2>/dev/null; then if fallocate -l "${size}" -- "${file}" 2>/dev/null; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [fallocate -l %s -- %s] successful. \e[0m\n" "${size}" "${file}" printf "\e[92m✅ [fallocate -l %s -- %s] successful. \e[0m\n" "${size}" "${file}"
return 0 return 0
else else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [fallocate -l %s -- %s] NOT successful. \e[0m\n" "${size}" "${file}" printf "\e[91m❌ [fallocate -l %s -- %s] NOT successful. \e[0m\n" "${size}" "${file}"
fi fi
if dd if=/dev/zero of="${file}" bs="${blocksize}" count="${blockcounter}" status=progress conv=fsync; then if dd if=/dev/zero of="${file}" bs="${blocksize}" count="${blockcounter}" status=progress conv=fsync; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}" printf "\e[92m✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
return 0 return 0
else else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}" printf "\e[91m❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
return 42 return 42
fi fi
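Review bot: when `fallocate` fails, `preallocate` prints a red `❌ [fallocate -l %s -- %s] NOT successful.` and then silently falls back to `dd`, so the log shows a failure for a handled condition; reword that message as a fallback notice (or drop it) and keep ❌ for the final `dd` failure that actually returns 42. `dd ... status=progress` also streams progress output into a non-interactive build log; `status=none` is quieter there.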
@@ -61,12 +65,163 @@ preallocate() {
# shellcheck disable=SC2034 # shellcheck disable=SC2034
readonly -f preallocate readonly -f preallocate
declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs" #######################################
declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt" # Validate that the rootfs attestation artifacts exist in the final ISO payload tree.
declare KEYFD="" # Globals:
# None
# Arguments:
# 1: Rootfs attestation manifest path
# Returns:
# 0: on success
# 42: on failure
#######################################
require_rootfs_attestation_artifacts() {
declare manifest="${1}"
declare signature="${manifest}.sig"
declare artifact=""
for artifact in "${manifest}" "${signature}"; do
if [[ ! -e "${artifact}" ]]; then
printf "\e[91m❌ Required rootfs attestation artifact missing: [%s]. \e[0m\n" "${artifact}" >&2
return 42
fi
if [[ -L "${artifact}" || ! -f "${artifact}" ]]; then
printf "\e[91m❌ Required rootfs attestation artifact is not a regular file: [%s]. \e[0m\n" "${artifact}" >&2
return 42
fi
if [[ ! -s "${artifact}" ]]; then
printf "\e[91m❌ Required rootfs attestation artifact is empty: [%s]. \e[0m\n" "${artifact}" >&2
return 42
fi
if [[ ! -r "${artifact}" ]]; then
printf "\e[91m❌ Required rootfs attestation artifact is not readable: [%s]. \e[0m\n" "${artifact}" >&2
return 42
fi
done
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f require_rootfs_attestation_artifacts
#######################################
# Create and sign the rootfs attestation manifest for the exact SquashFS payload copied into the LUKS mapper.
# Globals:
# VAR_SIGNING_KEY_FPR
# VAR_SIGNING_KEY_PASSFILE
# VAR_VERIFY_KEYRING
# Arguments:
# 1: Final SquashFS payload file
# 2: Manifest path below binary/live
# Returns:
# 0: on success
# 42: on failure
#######################################
create_attestation() {
declare rootfs_file="${1}"
declare rootfs_attestation="${2}"
declare rootfs_hash=""
declare rootfs_size=""
rootfs_size="$(stat -c%s -- "${rootfs_file}")"
rootfs_hash="$(LC_ALL=C sha512sum "${rootfs_file}")"
rootfs_hash="${rootfs_hash%% *}"
if printf '%s %s\n' "${rootfs_hash}" "${rootfs_file}" | LC_ALL=C sha512sum -c --strict --quiet; then
printf "\e[92m✅ [LC_ALL=C sha512sum -c --strict --quiet of %s] successful. \e[0m\n" "${rootfs_file}"
else
printf "\e[91m❌ [LC_ALL=C sha512sum -c --strict --quiet of %s] NOT successful. \e[0m\n" "${rootfs_file}"
return 42
fi
# The attested boundary is the final SquashFS byte stream before LUKS wrapping. The boot verifier reads exactly this many
# bytes from the decrypted mapper and intentionally excludes the LUKS allocation slack after the SquashFS payload.
cat << EOF >| "${rootfs_attestation}"
# CISS.debian.live.builder Master ${VAR_VERSION}
# Attestation file for filesystem.squashfs Version 1.0.0
# Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso
# Bytes : Final filesystem.squashfs ${rootfs_size}
${rootfs_hash} filesystem.squashfs
EOF
chmod 0444 "${rootfs_attestation}"
if gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
--detach-sign --output "${rootfs_attestation}.sig" "${rootfs_attestation}"; then
printf "\e[92m✅ [gpg of %s] successful. \e[0m\n" "${rootfs_attestation}"
else
printf "\e[91m❌ [gpg of %s] NOT successful. \e[0m\n" "${rootfs_attestation}"
return 42
fi
chmod 0444 "${rootfs_attestation}.sig"
if gpgv --keyring "${VAR_VERIFY_KEYRING}" "${rootfs_attestation}.sig" "${rootfs_attestation}"; then
printf "\e[92m✅ [gpgv of %s] successful. \e[0m\n" "${rootfs_attestation}.sig"
else
printf "\e[91m❌ [gpgv of %s] NOT successful. \e[0m\n" "${rootfs_attestation}.sig"
return 42
fi
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f create_attestation
declare LIVE_PAYLOAD_DIR="${VAR_HANDLER_BUILD_DIR}/binary/live"
declare ROOTFS_ATTESTATION_NAME="filesystem.squashfs.sha512sum.txt"
declare ROOTFS_ATTESTATION_REL="live/${ROOTFS_ATTESTATION_NAME}"
declare LUKSFS="${LIVE_PAYLOAD_DIR}/ciss_rootfs.crypt"
declare ROOTFS="${LIVE_PAYLOAD_DIR}/filesystem.squashfs"
declare ROOTFS_ATTESTATION="${VAR_HANDLER_BUILD_DIR}/binary/${ROOTFS_ATTESTATION_REL}"
declare DM_LAB="crypt_liveiso"
declare DEVMAP="/dev/mapper/${DM_LAB}"
declare LUKS_KEY_FILE="${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}"
declare KEYFD=""
# Keep Argon2 keyslot memory and parallel costs bounded for later initramfs unlocks on smaller systems.
declare -i LUKS_PBKDF_MEMORY_KIB=262144
declare -i LUKS_PBKDF_PARALLEL=1
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -i VAR_ROOTFS_SIZE=$(stat -c%s -- "${ROOTFS}") declare -i VAR_ROOTFS_SIZE="$(stat -c%s -- "${ROOTFS}")"
### Attestation Boundary
# - The attested boundary is the final SquashFS byte stream before LUKS wrapping.
# - The boot verifier reads exactly this many bytes from the decrypted mapper and intentionally excludes the LUKS allocation
# slack after the SquashFS payload.
printf "\e[95m🧪 Attestation of filesystem.squashfs ... \e[0m\n"
create_attestation "${ROOTFS}" "${ROOTFS_ATTESTATION}"
require_rootfs_attestation_artifacts "${ROOTFS_ATTESTATION}"
printf "\e[92m✅ Attestation of filesystem.squashfs successful: ISO paths [/%s] and [/%s.sig]. \e[0m\n" \
"${ROOTFS_ATTESTATION_REL}" "${ROOTFS_ATTESTATION_REL}"
### Safety margin: ### Safety margin:
# - LUKS2-Header and Metadata # - LUKS2-Header and Metadata
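Review bot: in `create_attestation` the byte count the boot verifier depends on (the comment says it "reads exactly this many bytes from the decrypted mapper") is recorded only inside the free-form comment line `# Bytes : Final filesystem.squashfs ${rootfs_size}`, so any later wording change to that heredoc silently breaks the verifier's parse; give it a fixed, documented `key=value` line and keep the `sha512sum -c`-compatible hash line as the machine-readable part. The `sha512sum -c --strict --quiet` round trip immediately after computing the hash only proves the file did not change between two reads, and the ❌ messages in this function go to stdout while `require_rootfs_attestation_artifacts` sends its failures to `>&2`; align them.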
@@ -80,7 +235,7 @@ declare -i VAR_LUKSFS_SIZE=$(( ( (BASE_SIZE + ALIGN_BYTES - 1) / ALIGN_BYTES ) *
preallocate "${LUKSFS}" "${VAR_LUKSFS_SIZE}" preallocate "${LUKSFS}" "${VAR_LUKSFS_SIZE}"
exec {KEYFD}<"${VAR_TMP_SECRET}/luks.txt" exec {KEYFD}<"${LUKS_KEY_FILE}"
if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then
@@ -91,10 +246,12 @@ if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then
--iter-time 1000 \ --iter-time 1000 \
--key-file "/proc/$$/fd/${KEYFD}" \ --key-file "/proc/$$/fd/${KEYFD}" \
--key-size 512 \ --key-size 512 \
--label crypt_liveiso \ --label "${DM_LAB}" \
--luks2-keyslots-size 16777216 \ --luks2-keyslots-size 16777216 \
--luks2-metadata-size 4194304 \ --luks2-metadata-size 4194304 \
--pbkdf argon2id \ --pbkdf argon2id \
--pbkdf-memory "${LUKS_PBKDF_MEMORY_KIB}" \
--pbkdf-parallel "${LUKS_PBKDF_PARALLEL}" \
--sector-size 4096 \ --sector-size 4096 \
--type luks2 \ --type luks2 \
--use-random \ --use-random \
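Review bot: with `--pbkdf argon2id`, `--iter-time 1000` and the new `--pbkdf-memory "${LUKS_PBKDF_MEMORY_KIB}"` / `--pbkdf-parallel "${LUKS_PBKDF_PARALLEL}"`, cryptsetup benchmarks the Argon2 iteration count on the build host so that one unlock takes about a second there; on the "smaller systems" the comment targets, the same count can take several times longer, and the keyslot parameters vary from build to build. If a reproducible and bounded unlock cost is the goal, pin `--pbkdf-force-iterations` alongside the memory and parallelism values instead of relying on `--iter-time`.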
@@ -106,13 +263,16 @@ elif [[ "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
cryptsetup luksFormat \ cryptsetup luksFormat \
--batch-mode \ --batch-mode \
--cipher aes-xts-plain64 \ --cipher aes-xts-plain64 \
--integrity hmac-sha512 \
--iter-time 1000 \ --iter-time 1000 \
--key-file "/proc/$$/fd/${KEYFD}" \ --key-file "/proc/$$/fd/${KEYFD}" \
--key-size 512 \ --key-size 512 \
--label crypt_liveiso \ --label "${DM_LAB}" \
--luks2-keyslots-size 16777216 \ --luks2-keyslots-size 16777216 \
--luks2-metadata-size 4194304 \ --luks2-metadata-size 4194304 \
--pbkdf argon2id \ --pbkdf argon2id \
--pbkdf-memory "${LUKS_PBKDF_MEMORY_KIB}" \
--pbkdf-parallel "${LUKS_PBKDF_PARALLEL}" \
--sector-size 4096 \ --sector-size 4096 \
--type luks2 \ --type luks2 \
--use-random \ --use-random \
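Review bot: `--integrity hmac-sha512` is added here only in the `VAR_CDLB_INSIDE_RUNNER == true` branch; dm-integrity reserves roughly 64 bytes of tag per 4096-byte sector plus its journal, and `luksFormat` with integrity initialises the whole device, so this container formats more slowly and has less usable space than a plain format of the same `VAR_LUKSFS_SIZE`. The "Safety margin" comment above accounts for the LUKS2 header and metadata but not for the integrity tag area; include it in the size calculation, otherwise the later `LUKS_FREE >= SQUASH_FS` check only fails after the full format has run. Since the removed ToDo asked for the two modes to be unified, the new header comment should also state whether the standalone and runner formats now match.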
@@ -121,37 +281,39 @@ elif [[ "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
fi fi
cryptsetup open --key-file "/proc/$$/fd/${KEYFD}" "${LUKSFS}" crypt_liveiso cryptsetup open --key-file "/proc/$$/fd/${KEYFD}" "${LUKSFS}" "${DM_LAB}"
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -i LUKS_FREE=$(blockdev --getsize64 /dev/mapper/crypt_liveiso) declare -i LUKS_FREE=$(blockdev --getsize64 "${DEVMAP}")
declare -i SQUASH_FS="${VAR_ROOTFS_SIZE}" declare -i SQUASH_FS="${VAR_ROOTFS_SIZE}"
if (( LUKS_FREE >= SQUASH_FS )); then if (( LUKS_FREE >= SQUASH_FS )); then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" printf "\e[92m✅ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
else else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2 printf "\e[91m❌ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
exit 42 exit 42
fi fi
dd if="${ROOTFS}" of=/dev/mapper/crypt_liveiso bs=8M status=progress conv=fsync dd if="${ROOTFS}" of="${DEVMAP}" bs=8M status=progress conv=fsync
sync sync
cryptsetup close crypt_liveiso cryptsetup close "${DM_LAB}"
exec {KEYFD}<&- exec {KEYFD}<&-
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/luks.txt" shred -fzu -n 5 -- "${LUKS_KEY_FILE}"
rm -f -- "${ROOTFS}" rm -f -- "${ROOTFS}"
require_rootfs_attestation_artifacts "${ROOTFS_ATTESTATION}"
umask "${__umask}" umask "${__umask}"
__umask="" __umask=""
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
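Review bot: nothing checks that the bytes written by `dd if="${ROOTFS}" of="${DEVMAP}" bs=8M status=progress conv=fsync` match the attestation created earlier, yet `cryptsetup close "${DM_LAB}"` and `rm -f -- "${ROOTFS}"` then discard the only plaintext; hashing the first `VAR_ROOTFS_SIZE` bytes of `${DEVMAP}` (for example `head -c "${VAR_ROOTFS_SIZE}" -- "${DEVMAP}" | LC_ALL=C sha512sum`) and comparing the digest with the hash line in `${ROOTFS_ATTESTATION}` before the close would make the manifest attest to what is actually inside the container. The `exit 42` in the size check also leaves the mapping open, `KEYFD` open and the umask unrestored, and the same applies to any `set -e` abort between `cryptsetup open` and `cryptsetup close`; a `trap` that closes `${DM_LAB}` and the descriptor covers both. Its message says `<=` where the failing condition is `<`.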
@@ -0,0 +1,396 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2026-06-04; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# shellcheck disable=SC2312
set -Ceuo pipefail
# Final live-build binary hook for the CISS UKI build. When the ciss-uki Secure Boot profile is active, this hook selects the
# complete kernel/initrd pair, reads the live kernel command line, optionally embeds separate early microcode, creates unsigned
# and signed Unified Kernel Images with ukify, verifies the signed UKI with 'sbverify', writes a manifest, and refuses private
# Secure Boot key material in build artifact paths.
#######################################
# Prints a fatal error message and terminates the hook.
# Globals:
# None
# Arguments:
# 1: Error message
# Returns:
# 42: always exits with failure
#######################################
die() {
declare message="${1}"
printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
exit 42
}
#######################################
# Checks whether a required command exists.
# Globals:
# None
# Arguments:
# 1: Command name
# Returns:
# 0: on success
# 42: if the command is missing
#######################################
require_command() {
declare command_name="${1}"
command -v "${command_name}" >/dev/null 2>&1 || die "Required command not found: '${command_name}'."
return 0
}
#######################################
# Checks whether a required file exists.
# Globals:
# None
# Arguments:
# 1: File path
# 2: Human-readable file description
# Returns:
# 0: on success
# 42: if the file is missing
#######################################
require_file() {
declare file_path="${1}"
declare description="${2}"
[[ -f "${file_path}" ]] || die "Missing ${description}: '${file_path}'."
return 0
}
#######################################
# Reads the single LB_BOOTAPPEND_LIVE value from a live-build binary configuration file.
# Globals:
# None
# Arguments:
# 1: live-build binary configuration file
# 2: Output variable name for the kernel command line
# Returns:
# 0: on success
# 42: if the file is missing, the entry is ambiguous, or the value is empty
#######################################
read_bootappend_live() {
declare config_file="${1}"
declare output_var="${2}"
declare -a matches=()
declare value=""
require_file "${config_file}" "live-build binary configuration"
mapfile -t matches < <(grep -E '^LB_BOOTAPPEND_LIVE=' "${config_file}" || true)
if (( ${#matches[@]} != 1 )); then
die "Expected exactly one LB_BOOTAPPEND_LIVE entry in '${config_file}', found '${#matches[@]}'."
fi
value="${matches[0]#LB_BOOTAPPEND_LIVE=}"
if [[ "${value}" == \"*\" ]]; then
value="${value#\"}"
value="${value%\"}"
fi
[[ -n "${value}" ]] || die "LB_BOOTAPPEND_LIVE in '${config_file}' is empty."
printf -v "${output_var}" "%s" "${value}"
return 0
}
#######################################
# Collects kernel and initrd candidates from one artifact directory.
# Globals:
# None
# Arguments:
# 1: Artifact directory
# 2: Output variable name for the selected kernel path
# 3: Output variable name for the selected initrd path
# Returns:
# 0: on success, including when the directory does not exist
# 42: if more than one kernel or initrd candidate exists
#######################################
collect_artifacts_from_dir() {
declare artifact_dir="${1}"
declare kernel_output_var="${2}"
declare initrd_output_var="${3}"
declare -a kernels=()
declare -a initrds=()
if [[ ! -d "${artifact_dir}" ]]; then
printf -v "${kernel_output_var}" "%s" ""
printf -v "${initrd_output_var}" "%s" ""
return 0
fi
mapfile -d '' -t kernels < <(find "${artifact_dir}" -maxdepth 1 -type f -name "vmlinuz-*" -print0 | LC_ALL=C sort -z)
mapfile -d '' -t initrds < <(find "${artifact_dir}" -maxdepth 1 -type f -name "initrd.img-*" -print0 | LC_ALL=C sort -z)
if (( ${#kernels[@]} > 1 )); then
die "Ambiguous kernel candidates in '${artifact_dir}'. Refusing to select automatically."
fi
if (( ${#initrds[@]} > 1 )); then
die "Ambiguous initrd candidates in '${artifact_dir}'. Refusing to select automatically."
fi
printf -v "${kernel_output_var}" "%s" "${kernels[0]:-}"
printf -v "${initrd_output_var}" "%s" "${initrds[0]:-}"
return 0
}
#######################################
# Selects the kernel/initrd pair used to build the UKI.
# Globals:
# None
# Arguments:
# 1: Output variable name for the selected kernel path
# 2: Output variable name for the selected initrd path
# Returns:
# 0: on success
# 42: if no complete pair exists, the final pair is incomplete, or candidates are ambiguous
#######################################
select_kernel_initrd_pair() {
declare kernel_output_var="$1"
declare initrd_output_var="$2"
declare binary_kernel=""
declare binary_initrd=""
declare fallback_kernel=""
declare fallback_initrd=""
collect_artifacts_from_dir "binary/live" binary_kernel binary_initrd
if [[ -n "${binary_kernel}" && -n "${binary_initrd}" ]]; then
printf "\e[92m✅ Using final binary/live kernel and initrd artifacts. \e[0m\n"
printf -v "${kernel_output_var}" "%s" "${binary_kernel}"
printf -v "${initrd_output_var}" "%s" "${binary_initrd}"
return 0
fi
if [[ -n "${binary_kernel}" || -n "${binary_initrd}" ]]; then
die "Incomplete binary/live kernel/initrd pair. Refusing to mix final and fallback artifacts."
fi
printf "\e[93m❌ No complete binary/live kernel/initrd pair found; checking chroot/boot fallback. \e[0m\n"
collect_artifacts_from_dir "chroot/boot" fallback_kernel fallback_initrd
if [[ -n "${fallback_kernel}" && -n "${fallback_initrd}" ]]; then
printf "\e[93m❌ Using chroot/boot fallback artifacts because binary/live has no complete pair. \e[0m\n"
printf -v "${kernel_output_var}" "%s" "${fallback_kernel}"
printf -v "${initrd_output_var}" "%s" "${fallback_initrd}"
return 0
fi
die "No complete kernel/initrd pair found in binary/live or chroot/boot."
}
#######################################
# Finds an optional separate early microcode cpio next to the selected initrd.
# Globals:
# None
# Arguments:
# 1: Artifact directory
# 2: Output variable name for the selected microcode cpio path
# Returns:
# 0: on success, including when no separate microcode cpio exists
# 42: if more than one separate microcode cpio candidate exists
#######################################
collect_optional_microcode() {
declare artifact_dir="${1}"
declare output_var="${2}"
declare -a microcode_candidates=()
mapfile -d '' -t microcode_candidates < <(
find "${artifact_dir}" -maxdepth 1 -type f \( -name "*microcode*.cpio" -o -name "*ucode*.cpio" \) -print0 | LC_ALL=C sort -z
)
if (( ${#microcode_candidates[@]} > 1 )); then
die "Ambiguous separate early microcode cpio candidates in '${artifact_dir}'. Refusing to select automatically."
fi
printf -v "${output_var}" "%s" "${microcode_candidates[0]:-}"
return 0
}
#######################################
# Refuses private Secure Boot key material in generated artifact paths.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
# 42: if a private Secure Boot key is found below a guarded path
#######################################
guard_private_key_leaks() {
declare -a guard_roots=(binary chroot config/includes.binary config/includes.chroot config/includes.installer)
declare guard_root=""
declare private_file=""
for guard_root in "${guard_roots[@]}"; do
if [[ ! -d "${guard_root}" ]]; then
continue
fi
while IFS= read -r -d '' private_file; do
die "Refusing private Secure Boot key inside build artifact path: '${private_file}'."
done < <(find "${guard_root}" -xdev -type f \( -name "ciss-efi-image.key" -o -name "ciss-module-signing.key" \) -print0)
done
return 0
}
#######################################
# Builds unsigned and signed CISS UKIs for the ciss-uki Secure Boot profile.
# Globals:
# PWD
# VAR_CISS_SECUREBOOT_DIR
# VAR_CISS_SECUREBOOT_EFI_CERT
# VAR_CISS_SECUREBOOT_EFI_KEY
# VAR_CISS_SECUREBOOT_PROFILE
# VAR_HANDLER_BUILD_DIR
# VAR_WORKDIR
# Arguments:
# None
# Returns:
# 0: on success or when the active Secure Boot profile does not require a CISS UKI
# 42: on validation, artifact selection, UKI build, signing, or verification failure
#######################################
main() {
declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-debian-shim}"
declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
declare secureboot_dir="${VAR_CISS_SECUREBOOT_DIR:-${VAR_WORKDIR:-${build_dir}}/ciss.secureboot}"
declare secureboot_key="${VAR_CISS_SECUREBOOT_EFI_KEY:-${secureboot_dir}/private/ciss-efi-image.key}"
declare secureboot_cert="${VAR_CISS_SECUREBOOT_EFI_CERT:-${secureboot_dir}/public/ciss-efi-image.crt}"
declare stub="/usr/lib/systemd/boot/efi/linuxx64.efi.stub"
declare os_release="chroot/usr/lib/os-release"
declare kernel_path=""
declare initrd_path=""
declare kernel_base=""
declare initrd_base=""
declare kernel_version=""
declare initrd_version=""
declare cmdline=""
declare microcode_initrd=""
declare output_root=""
declare uki_dir=""
declare manifest_dir=""
declare unsigned_uki=""
declare signed_uki=""
declare manifest=""
declare -a ukify_args=()
if [[ "${profile}" != "ciss-uki" ]]; then
printf "\e[92m✅ Secure Boot profile '%s'; skipping CISS UKI build. \e[0m\n" "${profile}"
return 0
fi
printf "\e[95m🧪 Building CISS Secure Boot UKI ... \e[0m\n"
cd "${build_dir}"
require_command ukify
require_command sbverify
require_command sha512sum
require_file "${stub}" "systemd EFI stub"
require_file "${secureboot_key}" "CISS EFI image signing key"
require_file "${secureboot_cert}" "CISS EFI image signing certificate"
require_file "${os_release}" "target os-release metadata"
guard_private_key_leaks
select_kernel_initrd_pair kernel_path initrd_path
kernel_base="${kernel_path##*/}"
initrd_base="${initrd_path##*/}"
kernel_version="${kernel_base#vmlinuz-}"
initrd_version="${initrd_base#initrd.img-}"
[[ -n "${kernel_version}" && "${kernel_base}" != "${kernel_version}" ]] || die "Kernel artifact name does not match vmlinuz-<version>: '${kernel_path}'."
[[ -n "${initrd_version}" && "${initrd_base}" != "${initrd_version}" ]] || die "Initrd artifact name does not match initrd.img-<version>: '${initrd_path}'."
if [[ "${kernel_version}" != "${initrd_version}" ]]; then
die "Kernel/initrd version mismatch: kernel='${kernel_version}', initrd='${initrd_version}'."
fi
read_bootappend_live "config/binary" cmdline
collect_optional_microcode "${initrd_path%/*}" microcode_initrd
output_root="${build_dir}/ciss.secureboot"
uki_dir="${output_root}/uki"
manifest_dir="${output_root}/manifests"
unsigned_uki="${uki_dir}/CISS-LIVE-${kernel_version}.unsigned.efi"
signed_uki="${uki_dir}/CISS-LIVE-${kernel_version}.signed.efi"
manifest="${manifest_dir}/CISS-LIVE-${kernel_version}.uki-build.txt"
install -d -m 0755 "${uki_dir}" "${manifest_dir}"
rm -f -- "${unsigned_uki}" "${signed_uki}" "${manifest}"
ukify_args=(
build
--stub="${stub}"
--linux="${kernel_path}"
--cmdline="${cmdline}"
--os-release="@${os_release}"
--uname="${kernel_version}"
)
if [[ -n "${microcode_initrd}" ]]; then
printf "\e[92m✅ Embedding separate early microcode cpio before normal initrd: '%s'. \e[0m\n" "${microcode_initrd}"
ukify_args+=(--initrd="${microcode_initrd}")
else
printf "\e[92m✅ No separate early microcode cpio found; using normal initrd only. \e[0m\n"
fi
ukify_args+=(--initrd="${initrd_path}")
printf "\e[95m🧪 Creating unsigned UKI: '%s'. \e[0m\n" "${unsigned_uki}"
ukify "${ukify_args[@]}" --output="${unsigned_uki}"
printf "\e[95m🧪 Creating signed UKI: '%s'. \e[0m\n" "${signed_uki}"
ukify "${ukify_args[@]}" \
--secureboot-private-key="${secureboot_key}" \
--secureboot-certificate="${secureboot_cert}" \
--output="${signed_uki}"
require_file "${unsigned_uki}" "unsigned CISS UKI"
require_file "${signed_uki}" "signed CISS UKI"
{
printf "CISS Secure Boot UKI build manifest\n"
printf "Kernel: %s\n" "${kernel_path}"
printf "Initrd: %s\n" "${initrd_path}"
printf "Microcode initrd: %s\n" "${microcode_initrd:-none}"
printf "Uname: %s\n" "${kernel_version}"
printf "OS release: %s\n" "${os_release}"
printf "Command line: %s\n" "${cmdline}"
printf "\nSHA512:\n"
sha512sum "${unsigned_uki}" "${signed_uki}"
printf "\nukify inspect:\n"
ukify inspect "${signed_uki}"
printf "\nsbverify:\n"
sbverify --cert "${secureboot_cert}" "${signed_uki}"
} >| "${manifest}" 2>&1
printf "\e[92m✅ UKI inspection and signature verification written to '%s'. \e[0m\n" "${manifest}"
printf "\e[92m✅ CISS Secure Boot UKI build completed. \e[0m\n"
return 0
}
main "$@"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
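Review bot: the signed UKI is only verified inside the manifest block, where `sbverify --cert "${secureboot_cert}" "${signed_uki}"` runs under `>| "${manifest}" 2>&1`; if verification fails the hook dies from `set -e` with the diagnostic captured in the manifest file and nothing on stderr, unlike every other failure in this file, which goes through `die`. Add an explicit `sbverify --cert "${secureboot_cert}" "${signed_uki}" >/dev/null || die "Signed UKI failed sbverify."` right after `require_file "${signed_uki}" "signed CISS UKI"` (the install hook already does this for the extracted copy) and keep the manifest copy for the record. A second gap: `guard_private_key_leaks` searches the artifact trees by the fixed basenames `ciss-efi-image.key` and `ciss-module-signing.key`, but the key actually used is `${VAR_CISS_SECUREBOOT_EFI_KEY:-...}` and may have any name, so also match `-name "${secureboot_key##*/}"`, or compare by content hash, otherwise a key with a non-default name slips past the guard. Finally the guard runs once before `ukify` and never after the UKI and manifest are written; the install hook calls it again at the end of `main`, and this hook should do the same.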
@@ -0,0 +1,347 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2026-06-04; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# shellcheck disable=SC2312
set -Ceuo pipefail
# Final live-build binary hook for CISS UKI installation. When the ciss-uki Secure Boot profile is active, this hook selects
# the single signed CISS UKI, rebuilds the FAT EFI boot image with it as EFI/BOOT/BOOTX64.EFI, verifies the installed copy,
# mirrors it into the ISO EFI tree when available, writes an installation manifest, and refuses private Secure Boot key
# material in build artifact paths.
declare TMP_DIR=""
#######################################
# Removes the temporary EFI image work directory if it is inside the expected Secure Boot output tree.
# Globals:
# PWD
# TMP_DIR
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
# Returns:
# 0: on success or when no temporary directory exists
# 42: if the temporary directory is outside the expected cleanup root
# non-zero: if removal of the expected temporary directory fails under strict mode
#######################################
cleanup() {
declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
if [[ -n "${TMP_DIR}" && -d "${TMP_DIR}" ]]; then
case "${TMP_DIR}" in
"${build_dir}/ciss.secureboot/"*)
rm -rf -- "${TMP_DIR}"
;;
*)
printf "\e[91m❌ Refusing to clean unexpected temporary path: '%s'. \e[0m\n" "${TMP_DIR}" >&2
return 42
;;
esac
fi
return 0
}
#######################################
# Prints a fatal error message and terminates the hook.
# Globals:
# None
# Arguments:
# 1: Error message
# Returns:
# 42: always exits with failure
#######################################
die() {
declare message="$1"
printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
exit 42
}
#######################################
# Checks whether a required command exists.
# Globals:
# None
# Arguments:
# 1: Command name
# Returns:
# 0: on success
# 42: if the command is missing
#######################################
require_command() {
declare command_name="$1"
command -v "${command_name}" >/dev/null 2>&1 || die "Required command not found: '${command_name}'."
return 0
}
#######################################
# Checks whether a required file exists.
# Globals:
# None
# Arguments:
# 1: File path
# 2: Human-readable file description
# Returns:
# 0: on success
# 42: if the file is missing
#######################################
require_file() {
declare file_path="$1"
declare description="$2"
[[ -f "${file_path}" ]] || die "Missing ${description}: '${file_path}'."
return 0
}
#######################################
# Selects the single signed CISS UKI generated by the CISS UKI build hook.
# Globals:
# None
# Arguments:
# 1: CISS UKI output directory
# 2: Output variable name for the selected signed UKI path
# Returns:
# 0: on success
# 42: if the UKI directory is missing or does not contain exactly one signed UKI
#######################################
select_signed_uki() {
declare uki_dir="$1"
declare output_var="$2"
declare -a signed_ukis=()
[[ -d "${uki_dir}" ]] || die "Missing CISS UKI output directory: '${uki_dir}'."
mapfile -d '' -t signed_ukis < <(find "${uki_dir}" -maxdepth 1 -type f -name "CISS-LIVE-*.signed.efi" -print0 | LC_ALL=C sort -z)
if (( ${#signed_ukis[@]} != 1 )); then
die "Expected exactly one signed CISS UKI in '${uki_dir}', found '${#signed_ukis[@]}'."
fi
printf -v "${output_var}" "%s" "${signed_ukis[0]}"
return 0
}
#######################################
# Refuses private Secure Boot key material in generated artifact paths.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
# 42: if a private Secure Boot key is found below a guarded path
#######################################
guard_private_key_leaks() {
declare -a guard_roots=(binary chroot config/includes.binary config/includes.chroot config/includes.installer)
declare guard_root=""
declare private_file=""
for guard_root in "${guard_roots[@]}"; do
if [[ ! -d "${guard_root}" ]]; then
continue
fi
while IFS= read -r -d '' private_file; do
die "Refusing private Secure Boot key inside build artifact path: '${private_file}'."
done < <(find "${guard_root}" -xdev -type f \( -name "ciss-efi-image.key" -o -name "ciss-module-signing.key" \) -print0)
done
return 0
}
#######################################
# Mirrors the signed UKI into the ISO EFI tree as the removable-media bootloader when that tree exists.
# Globals:
# None
# Arguments:
# 1: Signed UKI path
# 2: Output variable name for the ISO EFI tree BOOTX64 path, or an empty value when no tree exists
# Returns:
# 0: on success, including when no ISO EFI tree exists
# non-zero: if directory creation or file installation fails under strict mode
#######################################
install_iso_tree_bootx64() {
declare signed_uki="$1"
declare output_var="$2"
declare iso_tree_bootx64=""
if [[ -d "binary/EFI/boot" ]]; then
iso_tree_bootx64="binary/EFI/boot/bootx64.efi"
elif [[ -d "binary/EFI/BOOT" ]]; then
iso_tree_bootx64="binary/EFI/BOOT/BOOTX64.EFI"
elif [[ -d "binary/EFI" ]]; then
install -d -m 0755 "binary/EFI/BOOT"
iso_tree_bootx64="binary/EFI/BOOT/BOOTX64.EFI"
fi
if [[ -n "${iso_tree_bootx64}" ]]; then
install -m 0644 "${signed_uki}" "${iso_tree_bootx64}"
printf "\e[92m✅ Mirrored signed UKI into ISO EFI tree: '%s'. \e[0m\n" "${iso_tree_bootx64}"
else
printf "\e[93m❌ No binary/EFI tree found; only EFI boot image was updated. \e[0m\n"
fi
printf -v "${output_var}" "%s" "${iso_tree_bootx64}"
return 0
}
#######################################
# Installs the signed CISS UKI into the EFI boot image for the ciss-uki Secure Boot profile.
# Globals:
# PWD
# SOURCE_DATE_EPOCH
# TMP_DIR
# VAR_CISS_SECUREBOOT_DIR
# VAR_CISS_SECUREBOOT_EFI_CERT
# VAR_CISS_SECUREBOOT_PROFILE
# VAR_HANDLER_BUILD_DIR
# VAR_WORKDIR
# Arguments:
# None
# Returns:
# 0: on success or when the active Secure Boot profile does not require CISS UKI installation
# 42: on explicit validation, comparison, or signature verification failure
# non-zero: if an external tool, installation command, or manifest write fails under strict mode
#######################################
main() {
declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-debian-shim}"
declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
declare secureboot_dir="${VAR_CISS_SECUREBOOT_DIR:-${VAR_WORKDIR:-${build_dir}}/ciss.secureboot}"
declare secureboot_cert="${VAR_CISS_SECUREBOOT_EFI_CERT:-${secureboot_dir}/public/ciss-efi-image.crt}"
declare output_root=""
declare uki_dir=""
declare manifest_dir=""
declare signed_uki=""
declare efi_img="binary/boot/grub/efi.img"
declare uki_name=""
declare kernel_version=""
declare manifest=""
declare tmp_img=""
declare extracted_uki=""
declare iso_tree_bootx64=""
declare uki_size=""
declare -i uki_kib=0
declare -i blocks=0
declare source_epoch="${SOURCE_DATE_EPOCH:-0}"
declare volid=""
if [[ "${profile}" != "ciss-uki" ]]; then
printf "\e[92m✅ Secure Boot profile '%s'; skipping CISS UKI EFI installation. \e[0m\n" "${profile}"
return 0
fi
printf "\e[95m🧪 Installing CISS signed UKI into EFI boot image ... \e[0m\n"
cd "${build_dir}"
require_command cmp
require_command mcopy
require_command mdir
require_command mkfs.msdos
require_command sbverify
require_command sha512sum
require_command stat
require_command ukify
require_file "${secureboot_cert}" "CISS EFI image signing certificate"
require_file "${efi_img}" "live-build EFI boot image"
guard_private_key_leaks
output_root="${build_dir}/ciss.secureboot"
uki_dir="${output_root}/uki"
manifest_dir="${output_root}/manifests"
select_signed_uki "${uki_dir}" signed_uki
uki_name="${signed_uki##*/}"
kernel_version="${uki_name#CISS-LIVE-}"
kernel_version="${kernel_version%.signed.efi}"
[[ -n "${kernel_version}" && "${kernel_version}" != "${uki_name}" ]] || die "Signed UKI name does not match CISS-LIVE-<version>.signed.efi: '${signed_uki}'."
install -d -m 0755 "${manifest_dir}"
TMP_DIR="$(mktemp -d -p "${output_root}" "efi-img.XXXXXXXX")"
tmp_img="${TMP_DIR}/efi.img"
extracted_uki="${TMP_DIR}/BOOTX64.EFI"
manifest="${manifest_dir}/CISS-LIVE-${kernel_version}.efi-install.txt"
rm -f -- "${manifest}"
uki_size="$(stat -c %s -- "${signed_uki}")"
uki_kib=$(( (uki_size + 1023) / 1024 ))
blocks=$(( (uki_kib + 8192 + 31) / 32 * 32 ))
if (( blocks < 32768 )); then
blocks=32768
fi
if [[ ! "${source_epoch}" =~ ^[0-9]+$ ]]; then
source_epoch="0"
fi
printf -v volid "%08x" "$((source_epoch % 4294967296))"
printf "\e[95m🧪 Rebuilding EFI boot image with signed UKI as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
mkfs.msdos -C "${tmp_img}" "${blocks}" -i "${volid}" >/dev/null
mmd -i "${tmp_img}" "::EFI"
mmd -i "${tmp_img}" "::EFI/BOOT"
mcopy -m -o -i "${tmp_img}" "${signed_uki}" "::EFI/BOOT/BOOTX64.EFI"
mcopy -o -i "${tmp_img}" "::EFI/BOOT/BOOTX64.EFI" "${extracted_uki}"
cmp -s "${signed_uki}" "${extracted_uki}" || die "Extracted BOOTX64.EFI differs from signed UKI before EFI image installation."
sbverify --cert "${secureboot_cert}" "${extracted_uki}" >/dev/null
install -m 0644 "${tmp_img}" "${efi_img}"
rm -f -- "${extracted_uki}"
mcopy -o -i "${efi_img}" "::EFI/BOOT/BOOTX64.EFI" "${extracted_uki}"
cmp -s "${signed_uki}" "${extracted_uki}" || die "Installed EFI/BOOT/BOOTX64.EFI differs from signed UKI."
sbverify --cert "${secureboot_cert}" "${extracted_uki}" >/dev/null
install_iso_tree_bootx64 "${signed_uki}" iso_tree_bootx64
if [[ -n "${iso_tree_bootx64}" ]]; then
cmp -s "${signed_uki}" "${iso_tree_bootx64}" || die "ISO EFI tree BOOTX64.EFI differs from signed UKI."
sbverify --cert "${secureboot_cert}" "${iso_tree_bootx64}" >/dev/null
fi
guard_private_key_leaks
{
printf "CISS Secure Boot EFI image installation manifest\n"
printf "EFI image: %s\n" "${efi_img}"
printf "Installed path: EFI/BOOT/BOOTX64.EFI\n"
printf "ISO EFI tree mirror: %s\n" "${iso_tree_bootx64:-none}"
printf "Signed UKI: %s\n" "${signed_uki}"
printf "FAT image blocks KiB: %s\n" "${blocks}"
printf "FAT volume id: %s\n" "${volid}"
printf "\nSHA512:\n"
sha512sum "${efi_img}" "${signed_uki}" "${extracted_uki}"
if [[ -n "${iso_tree_bootx64}" ]]; then
sha512sum "${iso_tree_bootx64}"
fi
printf "\nEFI directory:\n"
mdir -i "${efi_img}" "::EFI/BOOT"
printf "\nukify inspect installed BOOTX64.EFI:\n"
ukify inspect "${extracted_uki}"
printf "\nsbverify installed BOOTX64.EFI:\n"
sbverify --cert "${secureboot_cert}" "${extracted_uki}"
} >| "${manifest}" 2>&1
printf "\e[92m✅ EFI image installation verification written to '%s'. \e[0m\n" "${manifest}"
printf "\e[92m✅ CISS signed UKI installed as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
return 0
}
main "$@"
cleanup
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
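Review bot: `mmd` is used twice (`mmd -i "${tmp_img}" "::EFI"` and `"::EFI/BOOT"`) but is missing from the `require_command` list in `main`, which checks `mcopy`, `mdir` and `mkfs.msdos`; add `require_command mmd` so a missing tool fails with the same diagnostic as the others instead of a bare strict-mode exit. Second, `cleanup` is only invoked on the success path after `main "$@"`: every `die` and every strict-mode failure between `mktemp -d -p "${output_root}" "efi-img.XXXXXXXX"` and the end of `main` leaves the temporary directory, with a copy of the signed UKI and a half-built FAT image, under `ciss.secureboot/`. Install it as `trap cleanup EXIT` before the `mktemp` call so the directory is removed on every exit path; the existing path check in `cleanup` already makes that safe.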
@@ -39,7 +39,7 @@ install -d -m 0755 "${DESTDIR}/usr/sbin"
### Include binaries ----------------------------------------------------------------------------------------------------------- ### Include binaries -----------------------------------------------------------------------------------------------------------
for bin in bash blkid busybox dd dmsetup gpgv losetup lsblk mkpasswd mountpoint sha384sum sha512sum sort stty timeout tr tree udevadm whois; do for bin in awk bash blkid busybox dd dmsetup gawk gpgv losetup lsblk mkpasswd mountpoint sha384sum sha512sum sort stty timeout tr tree udevadm whois; do
path="$(command -v "${bin}" 2>/dev/null || true)" path="$(command -v "${bin}" 2>/dev/null || true)"
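Review bot: both `awk` and `gawk` are now in the binary list, and the loop resolves each with `command -v`; on Debian `/usr/bin/awk` is an alternatives symlink (`/usr/bin/awk -> /etc/alternatives/awk -> /usr/bin/gawk`), so make sure the copy that follows dereferences that chain, or copy only `gawk` and create the `awk` link inside `${DESTDIR}` yourself, otherwise the initramfs can end up with a dangling `/etc/alternatives/awk` link and scripts calling plain `awk` fail at boot.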
@@ -123,7 +123,6 @@ if [ -d "${src_dir}" ]; then
fi fi
### Install Dropbear configuration --------------------------------------------------------------------------------------------- ### Install Dropbear configuration ---------------------------------------------------------------------------------------------
install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf" install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}" printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}"
@@ -146,6 +145,13 @@ printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/ba
install -m 0444 /etc/banner "${DESTDIR}/etc/dropbear/banner" install -m 0444 /etc/banner "${DESTDIR}/etc/dropbear/banner"
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}" printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"
### Ensure live-boot runtime scripts in the initramfs are executable -----------------------------------------------------------
if [ -d "${DESTDIR}/usr/lib/live/boot" ]; then
find "${DESTDIR}/usr/lib/live/boot" -type f -exec chmod +x -- {} +
printf "\e[92mSuccessfully executed: [find %s/usr/lib/live/boot -type f -exec chmod +x -- {} +] \n\e[0m" "${DESTDIR}"
fi
### EOS ### EOS
printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m" printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m"
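Review bot: `chmod +x` without a who-letter is subject to the umask (bits set in the file mode creation mask are not changed), so under a restrictive umask such as 077 the new loop only sets the owner bit and the live-boot scripts remain non-executable for group and other; use `chmod a+x` (or `u+x` if owner-only is the intent) so the result does not depend on the build environment. The `find` also matches every regular file below `usr/lib/live/boot`, not just the numbered scripts such as `0024-ciss-crypt-squash`; narrowing with `-name '[0-9][0-9][0-9][0-9]-*'` avoids marking data files executable.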
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.004.2026.05.17 # Version Master V9.14.028.2026.06.18
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa 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 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.004.2026.05.17 # Version Master V9.14.028.2026.06.18
### https://www.ssh-audit.com/ ### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -11,7 +11,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.004.2026.05.17 # Version Master V9.14.028.2026.06.18
### https://docs.kernel.org/ ### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
declare -gr VERSION="Master V9.14.004.2026.05.17" declare -gr VERSION="Master V9.14.028.2026.06.18"
### VERY EARLY CHECK FOR DEBUGGING ### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/ # Please consider donating to my work at: https://coresecret.eu/spenden/
########################################################################################### ###########################################################################################
# Written by: ./preseed_hash_generator.sh Version: Master V9.14.004.2026.05.17 at: 10:18:37.9542 # Written by: ./preseed_hash_generator.sh Version: Master V9.14.028.2026.06.18 at: 10:18:37.9542
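Review bot: the version string in this generated header changes but the `at: 10:18:37.9542` timestamp is identical on both sides, which indicates the header was edited by hand rather than the file being regenerated by `./preseed_hash_generator.sh`. Either rerun the generator so the hash and timestamp reflect the new run, or leave generated headers out of the version bump so the line stays a truthful record of the run that produced the file.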
@@ -25,8 +25,8 @@ cat << 'EOF'
EOF EOF
echo "" echo ""
echo -e "\e[97m (c) Marc S. Weidner, 2018 - 2025 \e[0m" echo -e "\e[97m (c) Marc S. Weidner, 2018 - 2026 \e[0m"
echo -e "\e[97m (p) Centurion Press, 2018 - 2025 \e[0m" echo -e "\e[97m (p) Centurion Press, 2018 - 2026 \e[0m"
echo -e "\e[97m Centurion Intelligence Consulting Agency (tm) \e[0m" echo -e "\e[97m Centurion Intelligence Consulting Agency (tm) \e[0m"
echo -e "\e[97m https://coresecret.eu/ \e[0m" echo -e "\e[97m https://coresecret.eu/ \e[0m"
echo -e "\e[95m Please consider making a donation: \e[0m" echo -e "\e[95m Please consider making a donation: \e[0m"
@@ -14,8 +14,10 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay. # Module summary:
# Phase : premount (executed by live-boot inside the initramfs). # - Reserve a dedicated /run/live/overlay tmpfs with a configurable size limit.
# - Mount it with restrictive flags and permissions before OverlayFS uses it.
# - Prepare the upper and work directories required by the later live-boot overlay setup.
_SAVED_SET_OPTS="$(set +o)" _SAVED_SET_OPTS="$(set +o)"
@@ -14,13 +14,171 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Purpose: Open /live/ciss_rootfs.crypt (LUKS) for final processing in '9990-overlay.sh' # Module summary:
# Phase : premount (executed by live-boot inside the initramfs) # - Read CISS boot parameters for the encrypted root path and live ISO label.
# - Mount the live medium read-only and locate the encrypted SquashFS container.
# - Attach the encrypted container through a read-only loop device.
# - Accept a LUKS passphrase from the local console or remotely unlock FIFO.
# - Open the decrypted root mapper and expose the handoff state for later live-boot overlay processing.
_SAVED_SET_OPTS="$(set +o)" _SAVED_SET_OPTS="$(set +o)"
set -eu set -eu
#######################################
# Ensure the minimal device nodes required by this early boot script exist.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: Always. Device-node setup is best-effort only
#######################################
ensure_minimal_dev_nodes() {
mknod_cmd=""
busybox_cmd=""
[ -d /dev ] || mkdir -p /dev || return 0
if [ -c /dev/null ] && [ -c /dev/console ]; then
return 0
fi
mknod_cmd="$(command -v mknod 2>&- || printf '')"
if [ -z "${mknod_cmd}" ]; then
busybox_cmd="$(command -v busybox 2>&- || printf '')"
fi
if [ ! -c /dev/null ]; then
rm -f /dev/null || true
if [ -n "${mknod_cmd}" ]; then
"${mknod_cmd}" -m 666 /dev/null c 1 3 || true
elif [ -n "${busybox_cmd}" ]; then
"${busybox_cmd}" mknod -m 666 /dev/null c 1 3 || true
fi
fi
if [ ! -c /dev/console ]; then
rm -f /dev/console || true
if [ -n "${mknod_cmd}" ]; then
"${mknod_cmd}" -m 600 /dev/console c 5 1 || true
elif [ -n "${busybox_cmd}" ]; then
"${busybox_cmd}" mknod -m 600 /dev/console c 5 1 || true
fi
fi
return 0
}
#######################################
# Console logging helper that does not assume /dev/console is always present.
# Globals:
# None
# Arguments:
# 1: printf format
# *: printf arguments
# Returns:
# 0: always, logging failure is not fatal
#######################################
console_printf() {
console_format="$1"
shift
if [ -c /dev/console ]; then
# shellcheck disable=SC2059
printf "${console_format}" "$@" > /dev/console || :
elif [ -e /proc/1/fd/1 ]; then
# shellcheck disable=SC2059
printf "${console_format}" "$@" > /proc/1/fd/1 || :
fi
return 0
}
#######################################
# Clear the current console line without making cleanup fatal.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: Always. Console cleanup failure is not fatal.
#######################################
console_clear_line() {
console_printf '\r\033[K'
return 0
}
#######################################
# Wait for an explicit local-console unlock activation.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: local console activation was requested
# 1: console unavailable or activation read failed
#######################################
wait_for_local_unlock_activation() {
LOCAL_UNLOCK_SAVED_STTY=""
LOCAL_UNLOCK_READ_STATUS=0
ensure_minimal_dev_nodes
[ -c /dev/console ] || return 1
exec 9<>/dev/console || return 1
LOCAL_UNLOCK_SAVED_STTY=$(stty -g <&9 2>&- || printf '')
trap 'if [ -n "${LOCAL_UNLOCK_SAVED_STTY}" ]; then stty "${LOCAL_UNLOCK_SAVED_STTY}" <&9 2>&- || :; fi; printf "\r\033[K" >&9 2>&- || :; exec 9>&-; exit 143' TERM INT HUP
if [ -n "${LOCAL_UNLOCK_SAVED_STTY}" ]; then
stty -echo <&9 2>&- || :
fi
printf '\e[93m[INFO] CISS LUKS decryption : Press Enter for local unlock: \n\e[0m' >&9 || :
IFS= read -r _ <&9
LOCAL_UNLOCK_READ_STATUS="$?"
if [ -n "${LOCAL_UNLOCK_SAVED_STTY}" ]; then
stty "${LOCAL_UNLOCK_SAVED_STTY}" <&9 2>&- || :
fi
printf '\r\033[K' >&9 || :
exec 9>&-
trap - TERM INT HUP
[ "${LOCAL_UNLOCK_READ_STATUS}" -eq 0 ] || return 1
return 0
}
ensure_minimal_dev_nodes
printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m" printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"
####################################### #######################################
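Review bot: in wait_for_local_unlock_activation, the bare `IFS= read -r _ <&9` followed by `LOCAL_UNLOCK_READ_STATUS="$?"` only works because the caller invokes the function in a `||` context; with `set -eu` in force, a read that fails (EOF on the console) in any other calling context exits the shell before the status is captured and before the stty restore and `exec 9>&-` on the following lines run. Write it as `if IFS= read -r _ <&9; then LOCAL_UNLOCK_READ_STATUS=0; else LOCAL_UNLOCK_READ_STATUS=1; fi` so the cleanup does not depend on how the function is called. Separately, ensure_minimal_dev_nodes runs `rm -f /dev/null || true` before it knows whether either mknod or busybox is available, so on a system with neither a pre-existing non-device /dev/null is deleted and nothing replaces it; guard the rm with `[ -n "${mknod_cmd}" ] || [ -n "${busybox_cmd}" ]`, and the same for /dev/console.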
@@ -37,11 +195,21 @@ ask_pass_console() {
PASSPHRASE="" PASSPHRASE=""
SAVED_STTY="" SAVED_STTY=""
ensure_minimal_dev_nodes
[ -c /dev/console ] || return 1
exec 8<>/dev/console || return 1
### Save current console settings. ### Save current console settings.
SAVED_STTY=$(stty -g </dev/console 2>/dev/null || printf '') SAVED_STTY=$(stty -g <&8 2>&- || printf '')
### Non-canonical mode, no echo, 1 byte at a time. ### Non-canonical mode, no echo, 1 byte at a time.
stty -echo -icanon time 0 min 1 </dev/console 2>/dev/null || return 1 if ! stty -echo -icanon time 0 min 1 <&8 2>&-; then
exec 8>&-
return 1
fi
cr=$(printf '\r') cr=$(printf '\r')
bs=$(printf '\b') bs=$(printf '\b')
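Review bot: the switch from `2>/dev/null` to `2>&-` on the `stty -g` and `stty -echo -icanon` lines (and on nearly every redirect in the rest of this patch) closes fd 2 for the child instead of discarding its output; a child that then opens any file receives descriptor 2 and writes its diagnostics into that file, and some utilities fail outright when stderr is closed. Since ensure_minimal_dev_nodes is now called at the top of this function precisely to guarantee a usable /dev/null, keep `2>/dev/null` here and in the other hunks.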
@@ -50,11 +218,11 @@ ask_pass_console() {
while :; do while :; do
### Read exactly one byte from the console. ### Read exactly one byte from the console.
c=$(dd bs=1 count=1 2>/dev/null </dev/console) c=$(dd bs=1 count=1 2>&- <&8)
if [ -z "${c}" ]; then if [ -z "${c}" ]; then
printf '\n' > /dev/console printf '\n' >&8
break break
fi fi
@@ -66,7 +234,7 @@ ask_pass_console() {
"${cr}") "${cr}")
### Enter: finish input. ### Enter: finish input.
printf '\n' > /dev/console printf '\n' >&8
break break
;; ;;
@@ -75,7 +243,7 @@ ask_pass_console() {
if [ -n "${PASSPHRASE}" ]; then if [ -n "${PASSPHRASE}" ]; then
PASSPHRASE=${PASSPHRASE%?} PASSPHRASE=${PASSPHRASE%?}
printf '\b \b' > /dev/console printf '\b \b' >&8
fi fi
;; ;;
@@ -83,14 +251,20 @@ ask_pass_console() {
*) *)
### Normal character: append and mask output. ### Normal character: append and mask output.
PASSPHRASE="${PASSPHRASE}${c}" PASSPHRASE="${PASSPHRASE}${c}"
printf '*' > /dev/console printf '*' >&8
;; ;;
esac esac
done done
[ -n "${SAVED_STTY}" ] && stty "${SAVED_STTY}" </dev/console 2>/dev/null || : if [ -n "${SAVED_STTY}" ]; then
stty "${SAVED_STTY}" <&8 2>&- || :
fi
exec 8>&-
printf '%s' "${PASSPHRASE}" printf '%s' "${PASSPHRASE}"
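Review bot: the restore block runs only when SAVED_STTY is non-empty, but the `stty -echo -icanon time 0 min 1` at the top of the function is still applied when `stty -g` failed and left SAVED_STTY empty, so in that case the console is left in no-echo raw mode after the function returns. Add an else branch that at least runs `stty echo icanon <&8 2>&- || :`, or refuse to change the mode when it cannot be saved. Closing fd 8 after the restore and before printing the passphrase is the right order.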
@@ -121,12 +295,16 @@ export CDLB_MAPPER_NAME="crypt_liveiso"
export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}" export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
export CDLB_MNT_MEDIUM="/run/live/medium" export CDLB_MNT_MEDIUM="/run/live/medium"
export CDLB_MNT_ROOTFS="/run/live/rootfs" export CDLB_MNT_ROOTFS="/run/live/rootfs"
export CDLB_ROOTFS_ATTEST_NAME="filesystem.squashfs.sha512sum.txt"
export CDLB_ROOTFS_ATTEST_CACHE_DIR="/run/ciss-rootfs-attestation"
export CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_CACHE_DIR}/${CDLB_ROOTFS_ATTEST_NAME}"
export CDLB_ROOTFS_ATTEST_SIGNATURE="${CDLB_ROOTFS_ATTEST_MANIFEST}.sig"
export CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}" export CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
_PARAMETER="" _PARAMETER=""
_dev="" _dev=""
### Read the kernel cmdline once. ---------------------------------------------------------------------------------------------- ### Read the kernel cmdline once. ----------------------------------------------------------------------------------------------
CMDLINE="$(cat /proc/cmdline 2>/dev/null || printf '')" CMDLINE="$(cat /proc/cmdline 2>&- || printf '')"
for _PARAMETER in ${CMDLINE}; do for _PARAMETER in ${CMDLINE}; do
@@ -149,8 +327,8 @@ if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then
mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \ mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>&- \
|| mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \ || mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>&- \
|| log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)" || log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)"
fi fi
@@ -166,13 +344,13 @@ if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
[ -b "${_dev}" ] || continue [ -b "${_dev}" ] || continue
### Try ISO9660 first, then UDF; only unmount on failure. ### Try ISO9660 first, then UDF; only unmount on failure.
if mount -r -t iso9660 "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null || mount -r -t udf "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null; then if mount -r -t iso9660 "${_dev}" "${CDLB_MNT_MEDIUM}" 2>&- || mount -r -t udf "${_dev}" "${CDLB_MNT_MEDIUM}" 2>&-; then
mountpoint -q "${CDLB_MNT_MEDIUM}" 2>/dev/null && break mountpoint -q "${CDLB_MNT_MEDIUM}" 2>&- && break
else else
umount "${CDLB_MNT_MEDIUM}" 2>/dev/null || true umount "${CDLB_MNT_MEDIUM}" 2>&- || true
fi fi
@@ -203,6 +381,66 @@ fi
printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}" printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}"
### Preserve rootfs attestation evidence before live-boot may replace or unmount the medium view. -----------------------------
CDLB_ROOTFS_ATTEST_SOURCE="${CDLB_MNT_MEDIUM}/live/${CDLB_ROOTFS_ATTEST_NAME}"
CDLB_ROOTFS_ATTEST_SOURCE_SIG="${CDLB_ROOTFS_ATTEST_SOURCE}.sig"
if [ ! -f "${CDLB_ROOTFS_ATTEST_SOURCE}" ] || [ ! -f "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}" ]; then
printf "\e[91m[FATAL] Boot failure : Rootfs attestation artifacts not found on live medium: [%s] [%s] \n\e[0m" \
"${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}"
sleep 8
log "[FATAL] Boot failure : Rootfs attestation artifacts not found on live medium: [${CDLB_ROOTFS_ATTEST_SOURCE}] [${CDLB_ROOTFS_ATTEST_SOURCE_SIG}]"
panic "[FATAL] Boot failure : Rootfs attestation artifacts not found on live medium: [${CDLB_ROOTFS_ATTEST_SOURCE}] [${CDLB_ROOTFS_ATTEST_SOURCE_SIG}]"
fi
if ! mkdir -p "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"; then
printf "\e[91m[FATAL] Boot failure : Failed to create rootfs attestation cache directory: [%s] \n\e[0m" \
"${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
sleep 8
log "[FATAL] Boot failure : Failed to create rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
panic "[FATAL] Boot failure : Failed to create rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
fi
if ! chmod 0755 "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"; then
printf "\e[91m[FATAL] Boot failure : Failed to permission rootfs attestation cache directory: [%s] \n\e[0m" \
"${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
sleep 8
log "[FATAL] Boot failure : Failed to permission rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
panic "[FATAL] Boot failure : Failed to permission rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
fi
if ! cp "${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_MANIFEST}" || \
! cp "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"; then
printf "\e[91m[FATAL] Boot failure : Failed to preserve rootfs attestation artifacts in: [%s] \n\e[0m" \
"${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
sleep 8
log "[FATAL] Boot failure : Failed to preserve rootfs attestation artifacts in: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
panic "[FATAL] Boot failure : Failed to preserve rootfs attestation artifacts in: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
fi
if ! chmod 0444 "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"; then
printf "\e[91m[FATAL] Boot failure : Failed to make rootfs attestation cache read-only: [%s] \n\e[0m" \
"${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
sleep 8
log "[FATAL] Boot failure : Failed to make rootfs attestation cache read-only: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
panic "[FATAL] Boot failure : Failed to make rootfs attestation cache read-only: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
fi
chmod 0555 "${CDLB_ROOTFS_ATTEST_CACHE_DIR}" 2>&- || true
printf "\e[92m[INFO] Rootfs attestation : Preserved [%s] and [%s] \n\e[0m" \
"${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"
### Attach a loop device read-only to the encrypted file. ---------------------------------------------------------------------- ### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
if ! LOOP="$(losetup -f --show -r "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}")"; then if ! LOOP="$(losetup -f --show -r "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}")"; then
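Review bot: the four fatal paths in this hunk repeat the same printf / `sleep 8` / log / panic sequence with only the message changed; factor them into one helper such as `attest_fatal "message" "path"` so the wording and the delay cannot drift between copies. More importantly, "Preserved" should not read as "verified": the manifest and its `.sig` are copied from the unauthenticated medium and nothing in this script checks the signature, so the `###` comment should name the later stage that validates it and the trust anchor it uses. The `chmod 0444` / `chmod 0555` on the cache only restrains non-root processes, and everything in the initramfs runs as root, so state in the comment that the modes are a guard against accidental modification rather than a tamper-evidence mechanism.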
@@ -216,24 +454,24 @@ fi
printf "\e[92m[INFO] Loop device : [%s] \n\e[0m" "${LOOP}" printf "\e[92m[INFO] Loop device : [%s] \n\e[0m" "${LOOP}"
### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. ----------------------------------------------------- ### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. -----------------------------------------------------
mkdir -p /run 2>/dev/null || true mkdir -p /run 2>&- || true
echo "${LOOP}" > /run/ciss-loopdev 2>/dev/null || true echo "${LOOP}" > /run/ciss-loopdev 2>&- || true
chmod 0600 /run/ciss-loopdev 2>/dev/null || true chmod 0600 /run/ciss-loopdev 2>&- || true
printf "\e[92m[INFO] Exposed LOOP : [/run/ciss-loopdev] -> [%s]\n\e[0m" "${LOOP}" printf "\e[92m[INFO] Exposed LOOP : [/run/ciss-loopdev] -> [%s]\n\e[0m" "${LOOP}"
### Prepare fifo for passphrase. ----------------------------------------------------------------------------------------------- ### Prepare fifo for passphrase. -----------------------------------------------------------------------------------------------
mkdir -p /lib/cryptsetup 2>/dev/null || true mkdir -p /lib/cryptsetup 2>&- || true
if [ -p /lib/cryptsetup/passfifo ]; then if [ -p /lib/cryptsetup/passfifo ]; then
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true rm -f /lib/cryptsetup/passfifo 2>&- || true
fi fi
if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then if ! mkfifo /lib/cryptsetup/passfifo 2>&-; then
printf "\e[92m[WARN] Boot failure : Failed to create [/lib/cryptsetup/passfifo] \n\e[0m" printf "\e[92m[WARN] Boot failure : Failed to create [/lib/cryptsetup/passfifo] \n\e[0m"
sleep 60 sleep 60
@@ -242,7 +480,7 @@ if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then
fi fi
chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true chmod 0600 /lib/cryptsetup/passfifo 2>&- || true
### Background broker: read FIFO, try cryptsetup per line. --------------------------------------------------------------------- ### Background broker: read FIFO, try cryptsetup per line. ---------------------------------------------------------------------
( (
@@ -267,18 +505,29 @@ chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true
[ -n "${PASS}" ] || continue [ -n "${PASS}" ] || continue
printf "\e[93m[INFO] CISS LUKS decryption : LUKS mapper [%s] trying to unlock via cryptsetup ... \n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true console_printf "\e[93m[INFO] CISS LUKS decryption : LUKS mapper [%s] trying to unlock via cryptsetup ... \n\e[0m" "${CDLB_MAPPER_DEV}"
KEYLEN=${#PASS} KEYLEN=${#PASS}
if [ -c /dev/console ]; then
printf '%s' "${PASS}" | cryptsetup open --tries 1 \ printf '%s' "${PASS}" | cryptsetup open --tries 1 \
--type luks \ --type luks \
--keyfile-size="${KEYLEN}" \ --keyfile-size="${KEYLEN}" \
--readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>/dev/console --readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>/dev/console
else
printf '%s' "${PASS}" | cryptsetup open --tries 1 \
--type luks \
--keyfile-size="${KEYLEN}" \
--readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>&-
fi
if [ -b "${CDLB_MAPPER_DEV}" ]; then if [ -b "${CDLB_MAPPER_DEV}" ]; then
printf "\e[92m[INFO] CISS LUKS decryption : LUKS mapper [%s] successfully opened. \n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true console_printf "\e[92m[INFO] CISS LUKS decryption : LUKS mapper [%s] successfully opened. \n\e[0m" "${CDLB_MAPPER_DEV}"
break break
fi fi
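Review bot: the two cryptsetup invocations in this hunk differ only in where stderr goes; pick the target once (`if [ -c /dev/console ]; then CRYPT_ERR=/dev/console; else CRYPT_ERR=/dev/null; fi`) and run a single command with `2>"${CRYPT_ERR}"`, so a later change to the options cannot diverge between the branches. Also worth a comment on `KEYLEN=${#PASS}`: `--keyfile-size` is a byte count while `${#PASS}` is a character count, which coincide only because the initramfs runs in the C locale; under a UTF-8 locale a non-ASCII passphrase would be truncated and the unlock would fail silently.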
@@ -305,12 +554,15 @@ PID_BROKER="$!"
if [ "${PASS_SENT}" -eq 0 ]; then if [ "${PASS_SENT}" -eq 0 ]; then
printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m' > /dev/console # shellcheck disable=SC2310
wait_for_local_unlock_activation || continue
console_printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m'
# shellcheck disable=SC2310 # shellcheck disable=SC2310
PASS="$(ask_pass_console)" || continue PASS="$(ask_pass_console)" || continue
printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>/dev/null || : printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>&- || :
PASS_SENT=1 PASS_SENT=1
WAIT_LOOP=0 WAIT_LOOP=0
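Review bot: `wait_for_local_unlock_activation || continue` turns a missing or unreadable console into a tight loop unless the enclosing loop sleeps before it reaches this branch again, because the function returns 1 immediately when /dev/console is absent or `exec 9<>/dev/console` fails. Add a short sleep on the failure path, or leave the prompt loop after a bounded number of consecutive failures and let the remote FIFO path carry on alone. The `# shellcheck disable=SC2310` above the call is appropriate, since running the function under `||` is the intended use.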
@@ -321,7 +573,7 @@ PID_BROKER="$!"
if [ "${WAIT_LOOP}" -ge 160 ]; then if [ "${WAIT_LOOP}" -ge 160 ]; then
printf '\e[91m[WARN] Please try again : \n\e[0m' > /dev/console console_printf '\e[91m[WARN] Please try again : \n\e[0m'
PASS_SENT=0 PASS_SENT=0
WAIT_LOOP=0 WAIT_LOOP=0
@@ -365,12 +617,13 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
printf "\e[91m[WARN] CISS LUKS decryption : Timeout LUKS mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}" printf "\e[91m[WARN] CISS LUKS decryption : Timeout LUKS mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}"
kill "${PID_PROMPT}" 2>/dev/null || true kill "${PID_PROMPT}" 2>&- || true
kill "${PID_BROKER}" 2>/dev/null || true kill "${PID_BROKER}" 2>&- || true
wait "${PID_PROMPT}" 2>/dev/null || true wait "${PID_PROMPT}" 2>&- || true
wait "${PID_BROKER}" 2>/dev/null || true wait "${PID_BROKER}" 2>&- || true
console_clear_line
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true rm -f /lib/cryptsetup/passfifo 2>&- || true
sleep 60 sleep 60
@@ -379,12 +632,13 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
fi fi
kill "${PID_PROMPT}" 2>/dev/null || true kill "${PID_PROMPT}" 2>&- || true
kill "${PID_BROKER}" 2>/dev/null || true kill "${PID_BROKER}" 2>&- || true
wait "${PID_PROMPT}" 2>/dev/null || true wait "${PID_PROMPT}" 2>&- || true
wait "${PID_BROKER}" 2>/dev/null || true wait "${PID_BROKER}" 2>&- || true
console_clear_line
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true rm -f /lib/cryptsetup/passfifo 2>&- || true
printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}" printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"
@@ -397,9 +651,13 @@ export CDLB_MAPPER_NAME=${CDLB_MAPPER_NAME}
export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV} export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV}
export CDLB_MNT_MEDIUM=${CDLB_MNT_MEDIUM} export CDLB_MNT_MEDIUM=${CDLB_MNT_MEDIUM}
export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS} export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS}
export CDLB_ROOTFS_ATTEST_NAME=${CDLB_ROOTFS_ATTEST_NAME}
export CDLB_ROOTFS_ATTEST_CACHE_DIR=${CDLB_ROOTFS_ATTEST_CACHE_DIR}
export CDLB_ROOTFS_ATTEST_MANIFEST=${CDLB_ROOTFS_ATTEST_MANIFEST}
export CDLB_ROOTFS_ATTEST_SIGNATURE=${CDLB_ROOTFS_ATTEST_SIGNATURE}
export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS} export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS}
EOF EOF
chmod 0444 /run/ciss-rootdev 2>/dev/null || true chmod 0444 /run/ciss-rootdev 2>&- || true
### Override '9990-main.sh' behavior to ensure 'Verify_checksums()' functions properly. ---------------------------------------- ### Override '9990-main.sh' behavior to ensure 'Verify_checksums()' functions properly. ----------------------------------------
if [ ! -e /conf/param.conf ]; then if [ ! -e /conf/param.conf ]; then
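Review bot: the values written to /run/ciss-rootdev are unquoted (`export CDLB_ROOTFS_ATTEST_MANIFEST=${CDLB_ROOTFS_ATTEST_MANIFEST}` and the neighbouring lines), so the generated file breaks when sourced if a value ever contains whitespace or shell metacharacters. Emit them as `export NAME="${NAME}"`; today every value is a fixed string except CDLB_REMOTE_WAIT_SECS, which comes from the environment, so the quoting is cheap insurance for the one input that is not under this script's control.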
@@ -409,20 +667,28 @@ if [ ! -e /conf/param.conf ]; then
fi fi
if ! grep -q '^PLAIN_ROOT=' /conf/param.conf 2>/dev/null; then if ! grep -q '^PLAIN_ROOT=' /conf/param.conf 2>&-; then
printf 'PLAIN_ROOT=1\n' >> /conf/param.conf printf 'PLAIN_ROOT=1\n' >> /conf/param.conf
fi fi
if ! grep -q '^livefs_root=' /conf/param.conf 2>/dev/null; then if ! grep -q '^livefs_root=' /conf/param.conf 2>&-; then
printf 'livefs_root=%s\n' "/run/live/medium" >> /conf/param.conf printf 'livefs_root=%s\n' "/run/live/medium" >> /conf/param.conf
fi fi
printf "\e[92m[INFO] CISS LUKS decryption : Final state [/conf/param.conf] \n\e[0m" printf "\e[92m[INFO] CISS LUKS decryption : Final state [/conf/param.conf] \n\e[0m"
cat /conf/param.conf >/dev/console 2>&1 || : if [ -c /dev/console ]; then
cat /conf/param.conf >/dev/console 2>&1 || :
elif [ -e /proc/1/fd/1 ]; then
cat /conf/param.conf >/proc/1/fd/1 2>&1 || :
fi
log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]" log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"
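Review bot: the `if [ -c /dev/console ] ... elif [ -e /proc/1/fd/1 ]` block re-implements the output-target selection that console_printf already provides; replace it with `console_printf '%s\n' "$(cat /conf/param.conf)"` so there is one place that decides where console output goes. Also, dumping the whole of /conf/param.conf prints whatever else live-boot has stored there; if the intent is only to confirm PLAIN_ROOT and livefs_root, print those two lines with `grep -E '^(PLAIN_ROOT|livefs_root)=' /conf/param.conf`.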
@@ -14,8 +14,11 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Purpose: Enforce early sysctls before services start. # Module summary:
# Phase : premount (executed by live-boot inside the initramfs). # - Runs during live-boot premount while the system is still inside the initramfs.
# - Applies early kernel hardening before the real root and regular services are active.
# - Restricts ptrace, unprivileged BPF, core dumps, kexec, unsafe link handling, regular-file protections, and kernel pointer
# exposure where supported.
_SAVED_SET_OPTS="$(set +o)" _SAVED_SET_OPTS="$(set +o)"
