V8.13.512.2025.11.26

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-26 10:05:56 +00:00 · 2025-11-26 09:54:11 +00:00
53 changed files with 74 additions and 1692 deletions
--- a/.archive/0022-ciss-overlay-tmpfs
+++ b/.archive/0022-ciss-overlay-tmpfs
@@ -1,52 +0,0 @@
 #!/bin/sh
 # bashsupport disable=BP5007
 # shellcheck disable=SC2249
 # shellcheck shell=sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
 # Phase  : premount (executed by live-boot inside the initramfs).
 _SAVED_SET_OPTS="$(set +o)"
 set -eu
 sleep 3
 printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m"
 ### Declare variables ----------------------------------------------------------------------------------------------------------
 OVERLAY_BASE="/run/live/overlay"
 UPPER="${OVERLAY_BASE}/upper"
 WORK="${OVERLAY_BASE}/work"
 ### Size policy: hard ceiling to mitigate RAM-filling DoS; tune to your ISO profile. -------------------------------------------
 : "${CDLB_OVERLAY_TMPFS_SIZE:=70%}"
 ### Create a base dir with restrictive perms. ----------------------------------------------------------------------------------
 # shellcheck disable=SC2174
 mkdir -p -m 0700 "${OVERLAY_BASE}"
 ### Mount dedicated tmpfs with strict flags; 'noexec' here blocks accidental execs from the raw tmpfs path. --------------------
 mount -t tmpfs -o "size=${CDLB_OVERLAY_TMPFS_SIZE},mode=0700,nosuid,nodev,noexec" tmpfs "${OVERLAY_BASE}"
 printf "\e[92m[INFO] Command              : [mount -t tmpfs -o \"size=%s,mode=0700,nosuid,nodev,noexec\" tmpfs %s] \n\e[0m" "${CDLB_OVERLAY_TMPFS_SIZE}" "${OVERLAY_BASE}"
 ### Prepare upper  /work with tight perms. -------------------------------------------------------------------------------------
 # shellcheck disable=SC2174
 mkdir -p -m 0700 "${UPPER}" "${WORK}"
 eval "${_SAVED_SET_OPTS}"
 printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/0024-ciss-crypt-squash
+++ b/.archive/0024-ciss-crypt-squash
@@ -1,434 +0,0 @@
 #!/bin/sh
 # bashsupport disable=BP5007
 # shellcheck disable=SC2249
 # shellcheck shell=sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Purpose: Open /live/ciss_rootfs.crypt (LUKS) for final processing in '9990-overlay.sh'
 # Phase  : premount (executed by live-boot inside the initramfs)
 _SAVED_SET_OPTS="$(set +o)"
 set -eu
 printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"
 #######################################
 # Ask for a passphrase on /dev/console, mask input with '*'.
 # Globals:
 #   None
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #   1: on failure / empty
 #######################################
 ask_pass_console() {
  PASSPHRASE=""
  SAVED_STTY=""
  ### Save current console settings.
  SAVED_STTY=$(stty -g </dev/console 2>/dev/null || printf '')
  ### Non-canonical mode, no echo, 1 byte at a time.
  stty -echo -icanon time 0 min 1 </dev/console 2>/dev/null || return 1
  cr=$(printf '\r')
  bs=$(printf '\b')
  del=$(printf '\177')
  while :; do
    ### Read exactly one byte from the console.
    c=$(dd bs=1 count=1 2>/dev/null </dev/console)
    if [ -z "${c}" ]; then
      printf '\n' > /dev/console
      break
    fi
    ### If nothing read (race), loop again.
    [ -z "${c}" ] && continue
    case "${c}" in
      "${cr}")
      ### Enter: finish input.
        printf '\n' > /dev/console
        break
        ;;
      "${bs}"|"${del}")
      ### Backspace, delete: delete one character, if available.
        if [ -n "${PASSPHRASE}" ]; then
          PASSPHRASE=${PASSPHRASE%?}
          printf '\b \b' > /dev/console
        fi
        ;;
      *)
      ### Normal character: append and mask output.
        PASSPHRASE="${PASSPHRASE}${c}"
        printf '*' > /dev/console
        ;;
    esac
  done
  [ -n "${SAVED_STTY}" ] && stty "${SAVED_STTY}" </dev/console 2>/dev/null || :
  printf '%s' "${PASSPHRASE}"
  return 0
 }
 #######################################
 # Premount logging helper.
 # Globals:
 #   None
 # Arguments:
 #   *: String to log.
 #######################################
 log() {
  msg="$*"
  if [ -w /dev/kmsg ]; then
    printf '<6>%s: %s\n' '0024-ciss-crypt-squash' "${msg}" > /dev/kmsg
  else
    printf '%s: %s\n' '0024-ciss-crypt-squash' "${msg}"
  fi
 }
 ### Declare variables. ---------------------------------------------------------------------------------------------------------
 export CDLB_ISO_LABEL="CISS.debian.live"
 export CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
 export CDLB_MAPPER_NAME="crypt_liveiso"
 export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
 export CDLB_LUKS_ROOTFS_MNT="/run/live/ciss-rootfs"
 CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
 MNT_MEDIUM="/run/live/medium"
 MNT_ROOTFS="/run/live/rootfs"
 _PARAMETER=""
 _dev=""
 ### Read the kernel cmdline once. ----------------------------------------------------------------------------------------------
 CMDLINE="$(cat /proc/cmdline 2>/dev/null || printf '')"
 for _PARAMETER in ${CMDLINE}; do
  case "${_PARAMETER}" in
    ciss_crypt_path=*) export CDLB_LUKS_FS="${_PARAMETER#ciss_crypt_path=}";;
    ciss_iso_label=* ) export CDLB_ISO_LABEL="${_PARAMETER#ciss_iso_label=}";;
  esac
 done
 printf "\e[92m[INFO] CDLB_LUKS_FS         : [%s] \n\e[0m" "${CDLB_LUKS_FS}"
 printf "\e[92m[INFO] CDLB_ISO_LABEL       : [%s] \n\e[0m" "${CDLB_ISO_LABEL}"
 mkdir -p "${MNT_MEDIUM}" "${MNT_ROOTFS}"
 ### Mount the live medium (ISO) read-only, unless already mounted. -------------------------------------------------------------
 if ! mountpoint -q "${MNT_MEDIUM}"; then
  if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then
    mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \
      || mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \
      || log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)"
  fi
 fi
 if ! mountpoint -q "${MNT_MEDIUM}"; then
  ### Fallback scan (covers SR drives and loop-mounted ISOs that udev exposed).
  for _dev in /dev/sr* /dev/cdrom /dev/disk/by-label/*; do
    ### Skip non-block entries early.
    [ -b "${_dev}" ] || continue
    ### Try ISO9660 first, then UDF; only unmount on failure.
    if mount -r -t iso9660 "${_dev}" "${MNT_MEDIUM}" 2>/dev/null || mount -r -t udf   "${_dev}" "${MNT_MEDIUM}" 2>/dev/null; then
      mountpoint -q "${MNT_MEDIUM}" 2>/dev/null && break
    else
      umount "${MNT_MEDIUM}" 2>/dev/null || true
    fi
  done
 fi
 if ! mountpoint -q "${MNT_MEDIUM}"; then
  log "No live medium mounted, defer to default live-boot path."
  printf "\e[91m[FATAL] Boot failure        : No live medium mounted, defer to default live-boot path. \n\e[0m"
  exit 42
 fi
 printf "\e[92m[INFO] MNT_MEDIUM           : [%s] \n\e[0m" "${MNT_MEDIUM}"
 ### Locate the encrypted root container on the medium. -------------------------------------------------------------------------
 if [ ! -f "${MNT_MEDIUM}${CDLB_LUKS_FS}" ]; then
  log "Encrypted root not found at: [${MNT_MEDIUM}${CDLB_LUKS_FS}]"
  printf "\e[91m[FATAL] Boot failure        : Encrypted root not found at: [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
  exit 42
 fi
 printf "\e[92m[INFO] CISS LUKS FS         : [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
 ### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
 LOOP="$(losetup -f --show -r "${MNT_MEDIUM}${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; }
 printf "\e[92m[INFO] Loop device          : [%s] \n\e[0m" "${LOOP}"
 ### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. -----------------------------------------------------
 mkdir -p /run 2>/dev/null || true
 echo "${LOOP}" > /run/ciss-loopdev 2>/dev/null || true
 chmod 0600 /run/ciss-loopdev 2>/dev/null || true
 printf "\e[92m[INFO] Exposed LOOP         : [/run/ciss-loopdev] -> [%s]\n\e[0m" "${LOOP}"
 ### Prepare fifo for passphrase. -----------------------------------------------------------------------------------------------
 mkdir -p /lib/cryptsetup 2>/dev/null || true
 if [ -p /lib/cryptsetup/passfifo ]; then
  rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
 fi
 if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then
  printf "\e[92m[WARN] Boot failure         : Failed to create /lib/cryptsetup/passfifo \n\e[0m"
  exit 42
 fi
 chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true
 ### Background broker: read FIFO, try cryptsetup per line. ---------------------------------------------------------------------
 (
  set +e
  PASS=""
  while :; do
    if [ -b "${CDLB_MAPPER_DEV}" ]; then
      break
    fi
    if ! IFS= read -r PASS < /lib/cryptsetup/passfifo; then
      sleep 1
      continue
    fi
    [ -n "${PASS}" ] || continue
    printf "\e[93m[INFO] CISS LUKS decryption : LUKS mapper [%s] trying to unlock via cryptsetup ... \n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true
    KEYLEN=${#PASS}
    printf '%s' "${PASS}" | cryptsetup open --tries 1 \
      --type luks \
      --keyfile-size="${KEYLEN}" \
      --readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>/dev/console
    if [ -b "${CDLB_MAPPER_DEV}" ]; then
      printf "\e[92m[INFO] CISS LUKS decryption : LUKS mapper [%s] successfully opened. \n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true
      break
    fi
  done
 ) &
 PID_BROKER="$!"
 ### Background process console-prompt feed passphrases into FIFO. --------------------------------------------------------------
 (
  set +e
  PASS=""
  PASS_SENT=0
  WAIT_LOOP=0
  while :; do
    if [ -b "${CDLB_MAPPER_DEV}" ]; then
      break
    fi
    if [ "${PASS_SENT}" -eq 0 ]; then
      printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m' > /dev/console
      # shellcheck disable=SC2310
      PASS="$(ask_pass_console)" || continue
      printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>/dev/null || :
      PASS_SENT=1
      WAIT_LOOP=0
    else
      WAIT_LOOP=$((WAIT_LOOP + 1))
      if [ "${WAIT_LOOP}" -ge 160 ]; then
        printf '\e[91m[WARN] Please try again     : \n\e[0m' > /dev/console
        PASS_SENT=0
        WAIT_LOOP=0
      fi
    fi
    sleep 0.1
  done
  return 0
 ) &
 PID_PROMPT="$!"
 ### Main process: wait bounded time for the mapper to appear. ------------------------------------------------------------------
 REMAINING="${CDLB_REMOTE_WAIT_SECS}"
 if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
  printf "\e[93m[INFO] CISS LUKS decryption : Waiting up to %s seconds for [%s] to be unlocked ... \n\e[0m" "${REMAINING}" "${CDLB_MAPPER_DEV}"
 fi
 while [ "${REMAINING}" -gt 0 ]; do
  if [ -b "${CDLB_MAPPER_DEV}" ]; then
    break
  fi
  sleep 1
  REMAINING=$((REMAINING - 1))
 done
 if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
  printf "\e[91m[WARN] CISS LUKS decryption : Timeout LUKS mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}"
  kill "${PID_PROMPT}" 2>/dev/null || true
  kill "${PID_BROKER}" 2>/dev/null || true
  rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
  exit 42
 fi
 kill "${PID_PROMPT}" 2>/dev/null || true
 wait "${PID_BROKER}" 2>/dev/null || true
 rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
 printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"
 ### Mount the decrypted root device to use as the PLAIN_ROOT artifact in '9990-main.sh'. ---------------------------------------
 if ! mount -t squashfs -o ro "${CDLB_MAPPER_DEV}" "${CDLB_LUKS_ROOTFS_MNT}"; then
  log "Failed to mount SquashFS from [${CDLB_MAPPER_DEV}] on [${CDLB_LUKS_ROOTFS_MNT}]"
  printf "\e[91m[WARN] CISS LUKS decryption  : SquashFS mount failed: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_LUKS_ROOTFS_MNT}"
  exit 42
 else
  printf "\e[92m[INFO] CISS LUKS decryption  : Mounted SquashFS: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_LUKS_ROOTFS_MNT}"
 fi
 ### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. ---
 cat << EOF >| /run/ciss-rootdev
 export CDLB_ISO_LABEL=${CDLB_ISO_LABEL}
 export CDLB_LUKS_FS=${CDLB_LUKS_FS}
 export CDLB_MAPPER_NAME=${CDLB_MAPPER_NAME}
 export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV}
 export CDLB_LUKS_ROOTFS_MNT=${CDLB_LUKS_ROOTFS_MNT}
 MNT_MEDIUM="/run/live/medium"
 MNT_ROOTFS="/run/live/rootfs"
 EOF
 chmod 0644 /run/ciss-rootdev 2>/dev/null || true
 export CISS_ROOT_DEV="${CDLB_MAPPER_DEV}"
 export CISS_ROOT_DIR=""
 # TODO: Remove Debug
 if [ -e /conf/param.conf ]; then
  printf "\e[92m[INFO] CISS LUKS decryption : Printing existing [/conf/param.conf] \n\e[0m"
  cat /conf/param.conf >/dev/console 2>&1 || :
  {
    printf '\n'
    printf 'PLAIN_ROOT=1\n'
    printf 'ROOT=%s\n' "${MNT_ROOTFS}"
  } >> /conf/param.conf 2>/dev/null || true
 else
  printf "\e[92m[INFO] CISS LUKS decryption : Not existing [/conf/param.conf] \n\e[0m"
  {
    printf '\n'
    printf 'PLAIN_ROOT=1\n'
    printf 'ROOT=%s\n' "${MNT_ROOTFS}"
  } >| /conf/param.conf 2>/dev/null || true
 fi
 printf "\e[92m[INFO] CISS LUKS decryption : Final state [/conf/param.conf] \n\e[0m"
 cat /conf/param.conf >/dev/console 2>&1 || :
 log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
 printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"
 ### Final sanity check. --------------------------------------------------------------------------------------------------------
 if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
  log "Failed to unlock encrypted root [${CDLB_LUKS_FS}] via dropbear and console."
  printf "\e[91m[WARN] Failed unlock        : [%s] via dropbear and console. \n\e[0m" "${CDLB_LUKS_FS}"
  exit 42
 fi
 eval "${_SAVED_SET_OPTS}"
 printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/0026-ciss-early-sysctl
+++ b/.archive/0026-ciss-early-sysctl
@@ -1,39 +0,0 @@
 #!/bin/sh
 # bashsupport disable=BP5007
 # shellcheck disable=SC2249
 # shellcheck shell=sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Purpose: Enforce early sysctls before services start.
 # Phase  : premount (executed by live-boot inside the initramfs).
 _SAVED_SET_OPTS="$(set +o)"
 set -eu
 printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
 echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
 echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
 echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
 echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
 echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
 echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
 echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
 echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
 eval "${_SAVED_SET_OPTS}"
 printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/0030-ciss-verify-checksums
+++ b/.archive/0030-ciss-verify-checksums
@@ -1,335 +0,0 @@
 #!/bin/sh
 # bashsupport disable=BP5007
 # shellcheck disable=SC2249
 # shellcheck shell=sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: GPL-3.0-or-later
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
 ### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
 #######################################
 # Modified checksum-integrity and authenticity-verification-script depending on pinned GPG FPR for boot process verification.
 # Globals:
 #   LIVE_BOOT_CMDLINE
 #   _TTY
 # Arguments:
 #   1: _MOUNTPOINT
 # Returns:
 #   0 : Successful verification
 #######################################
 Verify_checksums() {
  printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/0030-ciss-verify-checksums] \n\e[0m"
  ### Declare variables --------------------------------------------------------------------------------------------------------
  ### Will be replaced at build time:
  export CDLB_EXP_FPR="@EXP_FPR@"
  export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
  ### Declare functions --------------------------------------------------------------------------------------------------------
  #######################################
  # Helper for colored text output on stdout.
  # Globals:
  #   None
  # Arguments:
  #   *: String to print
  #######################################
  log_in() { printf '\e[95m[INFO]  %s \n\e[0m' "$*"; }
  #######################################
  # Helper for colored text output on stdout.
  # Globals:
  #   None
  # Arguments:
  #   *: String to print
  #######################################
  log_ok() { printf '\e[92m[INFO]  %s \n\e[0m' "$*"; }
  #######################################
  # Helper for colored text output on stdout.
  # Globals:
  #   None
  # Arguments:
  #   *: String to print
  #######################################
  log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
  _MOUNTPOINT="${1}"
  _PARAMETER=""
  _TTY="/dev/tty8"
  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
  LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
  _KEYFILE=""
  _MP=""
  ### Parse commandline arguments ----------------------------------------------------------------------------------------------
  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
    case "${_PARAMETER}" in
      live-boot.verify-checksums=* | verify-checksums=*)
        LIVE_VERIFY_CHECKSUMS="true"
        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
        ;;
      live-boot.verify-checksums | verify-checksums)
        LIVE_VERIFY_CHECKSUMS="true"
        ;;
      live-boot.verify-checksums-signatures | verify-checksums-signatures)
        LIVE_VERIFY_CHECKSUMS_SIGNATURES="true"
        ;;
    esac
  done
  ### Check if the function should be skipped ----------------------------------------------------------------------------------
  case "${LIVE_VERIFY_CHECKSUMS}" in
    true)
      :
      ;;
    *)
      return 0
      ;;
  esac
  ### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
  for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
    if [ -e "${_MP}/${CDLB_EXP_FPR}.gpg" ]; then
      _KEYFILE="${_MP}/${CDLB_EXP_FPR}.gpg"
      if [ -e "${_MP}/${CDLB_EXP_CA_FPR}.gpg" ]; then
        _CA_KEYFILE="${_MP}/${CDLB_EXP_CA_FPR}.gpg"
      fi
      break
    fi
  done
  # shellcheck disable=SC2164
  cd "${_MOUNTPOINT}"
  ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
  if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
    log_begin_msg "Verifying integrity of: [0030-ciss-verify-checksums]"
    printf "\n"
    _CAND=""
    CDLB_SCRIPT_SELF=""  CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE=""
    CDLB_CMD="/usr/bin/sha512sum"
    CDLB_SHA="sha512"
    for _CAND in /scripts/live-bottom/0030-ciss-verify-checksums /usr/lib/live/boot/0030-ciss-verify-checksums ; do
      [ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
    done
    CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}"
    CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}"
    CDLB_SCRIPT_FULL="${CDLB_SCRIPT_PATH%/}/${CDLB_SCRIPT_FILE}"
    CDLB_HASHFILE="/etc/ciss/hashes/${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
    CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
    _STATUS="$(/usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 --verify "${CDLB_SIG_FILE}" "${CDLB_SCRIPT_FULL}" 2>/dev/null)"
    _CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
    ### Compare against pinned and expected fingerprint.
    if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
      log_ok "Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
    else
      log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
      sleep 8
      panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
    fi
    ### Script self-integrity and authenticity checks --------------------------------------------------------------------------
    ### Assumption: initramfs itself is not altered.
    log_in "Verifying signature of: [${CDLB_SIG_FILE}] ..."
    if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
      log_er "Verifying signature of: [${CDLB_SIG_FILE}] failed."
      sleep 8
      panic  "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed."
    else
      log_ok "Verifying signature of: [${CDLB_SIG_FILE}] successful."
    fi
    log_in "Recomputing hash for: [${CDLB_SHA}] ..."
    CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT_FULL}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; })
    IFS=' ' read -r CDLB_EXPECTED _ < "${CDLB_HASHFILE}"
    if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
      log_er "Recomputing hash for: [${CDLB_SHA}] failed."
      sleep 8
      panic  "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed."
    fi
    log_ok "Recomputing hash for: [${CDLB_SHA}] successful."
    log_ok "Verification of authenticity and integrity of [${CDLB_SCRIPT_FULL}] successfully completed."
    log_end_msg
    printf "\n"
  fi
  ### Checksum and checksum signature verification -----------------------------------------------------------------------------
  log_begin_msg "Verifying checksums"
  printf "\n"
  log_in "Verifying checksums ..."
  # shellcheck disable=SC2001
  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
    # shellcheck disable=SC2060
    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
    for _CHECKSUM in ${_CHECKSUMS}; do
      if [ -e "${_CHECKSUM}" ]; then
        log_in "Found: [${_CHECKSUM}] ..."
        if [ -e "/usr/bin/${_DIGEST}sum" ]; then
          log_in "Found: [/usr/bin/${_DIGEST}sum] ..."
          if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
            log_in "Checking signature of: [${_CHECKSUM}] ..."
            _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
            if /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"; then
              _RETURN_PGP="${?}"
              log_in "Checking signature of: [${_CHECKSUM}] successful."
            else
              _RETURN_PGP="${?}"
              log_er "Checking signature of: [${_CHECKSUM}] failed."
            fi
          else
            _RETURN_PGP="na"
          fi
          # shellcheck disable=SC2312
          if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then
            _RETURN_SHA="${?}"
            log_ok "Found: [/usr/bin/${_DIGEST}sum] successful verified: [${_CHECKSUM}]"
          else
            _RETURN_SHA="${?}"
            log_er "Found: [/usr/bin/${_DIGEST}sum] unsuccessful verified: [${_CHECKSUM}]"
          fi
          # Stop after the first verification.
          break 2
        else
          _RETURN_SHA="255"
          log_er "NOT Found [/usr/bin/${_DIGEST}sum]."
        fi
      fi
    done
  done
  log_end_msg
  printf "\n"
  case "${_RETURN_PGP},${_RETURN_SHA}" in
    "0,0")
      log_ok "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
      log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
      sleep 8
      return 0
      ;;
    "na,0")
      log_ok "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
      log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
      sleep 8
      return 0
      ;;
    "0,"*)
      log_er "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
      sleep 8
      panic  "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
      ;;
    *",0")
      log_er "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
      sleep 8
      panic  "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
      ;;
    "na,"*)
      log_er "Verification of [sha checksum] file failed."
      sleep 8
      panic  "Verification of [sha checksum] file failed."
      ;;
  esac
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/9990-main.sh
+++ b/.archive/9990-main.sh
@@ -1,259 +0,0 @@
 #!/bin/sh
 # bashsupport disable=BP5007
 # shellcheck disable=SC2249
 # shellcheck shell=sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: GPL-3.0-or-later
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/9990-main.shh'
 ### Change behavior to mount already opened ciss_rootfs.crypt (0024-ciss-crypt-squash).
 # set -e
 printf "\e[95m[INFO] Sourcing             : [/usr/lib/live/boot/9990-main.sh] \n\e[0m"
 Live ()
 {
  printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/9990-main.sh] \n\e[0m"
  if [ -x /scripts/local-top/cryptroot ]
  then
    /scripts/local-top/cryptroot
  fi
  exec 6>&1
  exec 7>&2
  exec > boot.log
  exec 2>&1
  tail -f boot.log >&7 &
  tailpid="${!}"
  # shellcheck disable=SC2034
  LIVE_BOOT_CMDLINE="${LIVE_BOOT_CMDLINE:-$(cat /proc/cmdline)}"
  Cmdline_old
  Debug
  Read_only
  Select_eth_device
  if [ -e /conf/param.conf ]
  then
    . /conf/param.conf
  fi
  # Needed here too because some things (*cough* udev *cough*)
  # change the timeout
  printf "\e[93m[DEBUG] live(): Before do_netmount() pp. \e[0m\n"
  if [ -n "${NETBOOT}" ] || [ -n "${FETCH}" ] || [ -n "${HTTPFS}" ] || [ -n "${FTPFS}" ]
  then
    if do_netmount
    then
      printf "\e[93m[DEBUG] live(): [livefs_root=%s] \e[0m\n" "${mountpoint?}"
      livefs_root="${mountpoint?}"
    else
      panic "Unable to find a live file system on the network"
    fi
  else
    if [ -n "${ISCSI_PORTAL}" ]
    then
      printf "\e[93m[DEBUG] live(): [do_iscsi && livefs_root=%s] \e[0m\n" "${mountpoint?}"
      do_iscsi && livefs_root="${mountpoint}"
    elif [ -n "${PLAIN_ROOT}" ] && [ -n "${ROOT}" ]
    then
      # Do a local boot from hd
      printf "\e[93m[DEBUG] live(): Do a local boot from hd [livefs_root=%s] \e[0m\n" "${ROOT?}"
      livefs_root=${ROOT}
    else
      printf "\e[93m[DEBUG] live(): [Setup_Memdisk] starting ... \e[0m\n"
      Setup_Memdisk
      printf "\e[93m[DEBUG] live(): [Setup_Memdisk] finished. \e[0m\n"
      # If the live media location is given via command line and access to it
      # involves LVM volumes, the corresponding volumes need to be activated.
      IFS=','
      # shellcheck disable=SC2116
      for dev in $(echo "${LIVE_MEDIA}")
      do
        printf "\e[93m[DEBUG] live(): [%s] -> dev \e[0m\n" "${dev}"
        case "${dev}" in
          /dev/mapper/*)
            # shellcheck disable=SC2046,SC2312
            eval $(dmsetup splitname --nameprefixes --noheadings --rows "${dev#/dev/mapper/}")
            # shellcheck disable=SC2244
            if [ "${DM_VG_NAME}" ] && [ "${DM_LV_NAME}" ]
            then
              lvm lvchange -aay -y --sysinit --ignoreskippedcluster "${DM_VG_NAME}/${DM_LV_NAME}"
            fi
            ;;
          /dev/*/*)
          # Could be /dev/VG/LV; use lvs to check
            if lvm lvs -- "${dev}" >/dev/null 2>&1
            then
              lvm lvchange -aay -y --sysinit --ignoreskippedcluster "${dev}"
            fi
            ;;
        esac
      done
      unset IFS
      # Scan local devices for the image
      i=0
      while [ "${i}" -lt 60 ]
      do
        # shellcheck disable=SC2086
        livefs_root=$(find_livefs ${i})
        if [ -n "${livefs_root}" ]
        then
          break
        fi
        sleep 1
        i=$((i + 1))
      done
    fi
  fi
  printf "\e[93m[DEBUG] live(): [%s] -> livefs_root. \e[0m\n" "${livefs_root}"
  if [ -z "${livefs_root}" ]
  then
    panic "Unable to find a medium containing a live file system"
  fi
  printf "\e[93m[DEBUG] live(): Before [Verify_checksums %s] \e[0m\n" "${livefs_root}"
  Verify_checksums "${livefs_root}"
  # shellcheck disable=SC2244
  if [ "${TORAM}" ]
  then
    live_dest="ram"
  elif [ "${TODISK}" ]
  then
    live_dest="${TODISK}"
  fi
  # shellcheck disable=SC2244
  if [ "${live_dest}" ]
  then
    log_begin_msg "Copying live media to ${live_dest}"
    copy_live_to "${livefs_root}" "${live_dest}"
    log_end_msg
  fi
  # if we do not unmount the ISO, we can't run "fsck /dev/ice" later on
  # because the mountpoint is left behind in /proc/mounts, so let's get
  # rid of it when running from RAM
  # shellcheck disable=SC2244
  if [ -n "${FROMISO}" ] && [ "${TORAM}" ]
  then
    losetup -d /dev/loop0
    if is_mountpoint /run/live/fromiso
    then
      umount /run/live/fromiso
      rmdir --ignore-fail-on-non-empty /run/live/fromiso \
        >/dev/null 2>&1 || true
    fi
  fi
  printf "\e[93m[DBG] Live(): before overlay, live_dest=%s \e[0m\n" "${live_dest:-<none>}"
  printf "\e[93m[DBG] Live(): MODULETORAMFILE=%s PLAIN_ROOT=%s \e[0m\n" "${MODULETORAMFILE}" "${PLAIN_ROOT}"
  if [ -n "${MODULETORAMFILE}" ] || [ -n "${PLAIN_ROOT}" ]
  then
    printf "\e[93m[DBG] Live(): setup_unionfs livefs_root=%s rootmnt=%s \e[0m\n" "${livefs_root}" "${rootmnt?}"
    setup_unionfs "${livefs_root}" "${rootmnt?}"
  else
    mac="$(get_mac)"
    mac="$(echo "${mac}" | sed 's/-//g')"
    printf "\e[93m[DBG] Live(): mount_images_in_directory livefs_root=%s rootmnt=%s mac=%s \e[0m\n" "${livefs_root}" "${rootmnt}" "${mac}"
    mount_images_in_directory "${livefs_root}" "${rootmnt}" "${mac}"
  fi
  if [ -n "${ROOT_PID}" ]
  then
    echo "${ROOT_PID}" > "${rootmnt}"/lib/live/root.pid
  fi
  log_end_msg
  # aufs2 in kernel versions around 2.6.33 has a regression:
  # directories can't be accessed when read for the first time,
  # causing a failure, for example, when accessing /var/lib/fai
  # when booting FAI, this simple workaround solves it
  ls /root/* >/dev/null 2>&1
  # if we do not unmount the ISO, we can't run "fsck /dev/ice" later on
  # because the mountpoint is left behind in /proc/mounts, so let's get
  # rid of it when running from RAM
  # shellcheck disable=SC2244
  if [ -n "${FINDISO}" ] && [ "${TORAM}" ]
  then
    losetup -d /dev/loop0
    if is_mountpoint /run/live/findiso
    then
      umount /run/live/findiso
      rmdir --ignore-fail-on-non-empty /run/live/findiso \
        >/dev/null 2>&1 || true
    fi
  fi
  if [ -f /etc/hostname ] && ! grep -E -q -v '^[[:space:]]*(#|$)' "${rootmnt}/etc/hostname"
  then
    log_begin_msg "Copying /etc/hostname to ${rootmnt}/etc/hostname"
    cp -v /etc/hostname "${rootmnt}/etc/hostname"
    log_end_msg
  fi
  if [ -f /etc/hosts ] && ! grep -E -q -v '^[[:space:]]*(#|$|(127.0.0.1|::1|ff02::[12])[[:space:]])' "${rootmnt}/etc/hosts"
  then
    log_begin_msg "Copying /etc/hosts to ${rootmnt}/etc/hosts"
    cp -v /etc/hosts "${rootmnt}/etc/hosts"
    log_end_msg
  fi
  if [ -L /root/etc/resolv.conf ] ; then
    # assume we have resolvconf
    DNSFILE="${rootmnt}/etc/resolvconf/resolv.conf.d/base"
  else
    DNSFILE="${rootmnt}/etc/resolv.conf"
  fi
  if [ -f /etc/resolv.conf ] && ! grep -E -q -v '^[[:space:]]*(#|$)' "${DNSFILE}"
  then
    log_begin_msg "Copying /etc/resolv.conf to ${DNSFILE}"
    cp -v /etc/resolv.conf "${DNSFILE}"
    log_end_msg
  fi
  if ! [ -d "/lib/live/boot" ]
  then
    panic "A wrong rootfs was mounted."
  fi
  Fstab
  Netbase
  Swap
  exec 1>&6 6>&-
  exec 2>&7 7>&-
  kill "${tailpid}"
  [ -w "${rootmnt}/var/log/" ] && mkdir -p "${rootmnt}/var/log/live" && ( \
    cp boot.log "${rootmnt}/var/log/live" 2>/dev/null; \
    cp fsck.log "${rootmnt}/var/log/live" 2>/dev/null )
  printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-main.sh] ... \n\e[0m"
 }
--- a/.archive/9990-overlay.sh
+++ b/.archive/9990-overlay.sh
@@ -1,499 +0,0 @@
 #!/bin/sh
 # bashsupport disable=BP5007
 # shellcheck disable=SC2249
 # shellcheck shell=sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: GPL-3.0-or-later
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh'
 ### Change behavior to mount already opened ciss_rootfs.crypt (0024-ciss-crypt-squash).
 #set -e
 printf "\e[95m[INFO] Sourcing             : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"
 setup_unionfs ()
 {
  printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"
  image_directory="${1}"
  rootmnt="${2}"
  addimage_directory="${3}"
  ### CISS hook: allow explicit root override ----------------------------------------------------------------------------------
  if [ -z "${CISS_ROOT_DEV:-}" ] && [ -r /run/ciss-rootdev ]; then
    CISS_ROOT_DEV=$(cat /run/ciss-rootdev 2>/dev/null || printf '')
  fi
  if [ -n "${CISS_ROOT_DEV:-}" ]; then
    ### Treat the decrypted block device as plain root (e.g., squashfs on LUKS).
    PLAIN_ROOT=1
    image_directory="${CISS_ROOT_DEV}"
  elif [ -n "${CISS_ROOT_DIR:-}" ]; then
    ### Alternative: explicitly provided root directory.
    PLAIN_ROOT=1
    image_directory="${CISS_ROOT_DIR}"
  fi
  ### --------------------------------------------------------------------------------------------------------------------------
  # shellcheck disable=SC2086
  modprobe -q -b ${UNIONTYPE}
  if ! cut -f2 /proc/filesystems | grep -q "^${UNIONTYPE}\$"
  then
    panic "${UNIONTYPE} not available."
  fi
  croot="/run/live/rootfs"
  # Let's just mount the read-only file systems first
  rootfslist=""
  if [ -z "${PLAIN_ROOT}" ]
  then
    # Read image names from ${MODULE}.module if it exists
    # shellcheck disable=SC2153
    if [ -e "${image_directory}/filesystem.${MODULE}.module" ]
    then
      # shellcheck disable=SC2013,SC2086
      for IMAGE in $(cat ${image_directory}/filesystem.${MODULE}.module)
      do
        image_string="${image_string} ${image_directory}/${IMAGE}"
      done
    elif [ -e "${image_directory}/${MODULE}.module" ]
    then
      # shellcheck disable=SC2013,SC2086
      for IMAGE in $(cat ${image_directory}/${MODULE}.module)
      do
        image_string="${image_string} ${image_directory}/${IMAGE}"
      done
    else
      # ${MODULE}.module does not exist, create a list of images
      for FILESYSTEM in squashfs ext2 ext3 ext4 xfs jffs2 dir
      do
        for IMAGE in "${image_directory}"/*."${FILESYSTEM}"
        do
          if [ -e "${IMAGE}" ]
          then
            image_string="${image_string} ${IMAGE}"
          fi
        done
      done
      if [ -n "${addimage_directory}" ] && [ -d "${addimage_directory}" ]
      then
        for FILESYSTEM in squashfs ext2 ext3 ext4 xfs jffs2 dir
        do
          for IMAGE in "${addimage_directory}"/*."${FILESYSTEM}"
          do
            if [ -e "${IMAGE}" ]
            then
              image_string="${image_string} ${IMAGE}"
            fi
          done
        done
      fi
      # Now sort the list
      # shellcheck disable=SC2086
      image_string="$(echo ${image_string} | sed -e 's/ /\n/g' | sort )"
    fi
    # shellcheck disable=SC2086
    [ -n "${MODULETORAMFILE}" ] && image_string="${image_directory}/$(basename ${MODULETORAMFILE})"
    mkdir -p "${croot}"
    for image in ${image_string}
    do
      imagename=$(basename "${image}")
      export image devname
      maybe_break live-realpremount
      log_begin_msg "Running /scripts/live-realpremount"
      run_scripts /scripts/live-realpremount
      log_end_msg
      if [ -d "${image}" ]
      then
        # It is a plain directory: do nothing
        rootfslist="${image} ${rootfslist}"
      elif [ -f "${image}" ]
      then
        if losetup --help 2>&1 | grep -q -- "-r\b"
        then
          backdev=$(get_backing_device "${image}" "-r")
        else
          backdev=$(get_backing_device "${image}")
        fi
        fstype=$(get_fstype "${backdev}")
        case "${fstype}" in
          unknown)
            panic "Unknown file system type on ${backdev} (${image})"
            ;;
          "")
            fstype="${imagename##*.}"
            log_warning_msg "Unknown file system type on ${backdev} (${image}), assuming ${fstype}."
            ;;
        esac
        mpoint=$(trim_path "${croot}/${imagename}")
        rootfslist="${mpoint} ${rootfslist}"
        mount_options=""
        # Setup dm-verity support if a device has it supported
        hash_device="${image}.verity"
        # shellcheck disable=SC2086
        if [ -f ${hash_device} ]
        then
          log_begin_msg "Start parsing dm-verity options for ${image}"
          backdev_roothash=$(get_backing_device ${hash_device})
          verity_mount_options="-o verity.hashdevice=${backdev_roothash}"
          root_hash=$(get_dm_verity_hash ${imagename} ${DM_VERITY_ROOT_HASH})
          valid_config="true"
          case $(mount --version) in
            *verity*)
              ;;
            *)
              valid_config="false"
              log_warning_msg "mount does not have support for dm-verity. Ignoring mount options"
              ;;
          esac
          if [ -n "${root_hash}" ]
          then
            verity_mount_options="${verity_mount_options} -o verity.roothash=${root_hash}"
            # Check if the root hash is saved on disk
          elif [ -f "${image}.roothash" ]
          then
            verity_mount_options="${verity_mount_options} -o verity.roothashfile=${image}.roothash"
          else
            valid_config="false"
            log_warning_msg "'${image}' has a dm-verity hash table, but no root hash was specified ignoring"
          fi
          fec="${image}.fec"
          fec_roots="${image}.fec.roots"
          if [ -f ${fec} ] && [ -f ${fec_roots} ]
          then
            backdev_fec=$(get_backing_device ${fec})
            roots=$(cat ${fec_roots})
            verity_mount_options="${verity_mount_options} -o verity.fecdevice=${backdev_fec} -o verity.fecroots=${roots}"
          fi
          signature="${image}.roothash.p7s"
          if [ -f "${signature}" ]
          then
            verity_mount_options="${verity_mount_options} -o verity.roothashsig=${signature}"
          elif [ "${DM_VERITY_ENFORCE_ROOT_HASH_SIG}" = "true" ]
          then
            panic "dm-verity signature checking was enforced but no signature could be found for ${image}!"
          fi
          if [ -n "${DM_VERITY_ONCORRUPTION}" ]
          then
            if is_in_space_sep_list "${DM_VERITY_ONCORRUPTION}" "ignore panic restart"
            then
              verity_mount_options="${verity_mount_options} -o verity.oncorruption=${DM_VERITY_ONCORRUPTION}"
            else
              log_warning_msg "For dm-verity on corruption '${DM_VERITY_ONCORRUPTION}' was specified, but only ignore, panic or restart are supported!"
              log_warning_msg "Ignoring setting"
            fi
          fi
          if [ "${valid_config}" = "true" ]
          then
            mount_options="${mount_options} ${verity_mount_options}"
          fi
          log_end_msg "Finished parsing dm-verity options for ${image}"
        fi
        mkdir -p "${mpoint}"
        log_begin_msg "Mounting \"${image}\" on \"${mpoint}\" via \"${backdev}\""
        # shellcheck disable=SC2086
        mount -t "${fstype}" -o ro,noatime ${mount_options} "${backdev}" "${mpoint}" || panic "Can not mount ${backdev} (${image}) on ${mpoint}"
        log_end_msg
      else
        log_warning_msg "Could not find image '${image}'. Most likely it is listed in a .module file, perhaps by mistake."
      fi
    done
  else
    # We have a plain root system
    mkdir -p "${croot}/filesystem"
    log_begin_msg "Mounting \"${image_directory}\" on \"${croot}/filesystem\""
    # shellcheck disable=SC2046,SC2312
    mount -t $(get_fstype "${image_directory}") -o ro,noatime "${image_directory}" "${croot}/filesystem" || \
      panic "Can not mount ${image_directory} on ${croot}/filesystem" && \
      rootfslist="${croot}/filesystem ${rootfslist}"
    # Probably broken:
    # shellcheck disable=SC2086,SC2250
    mount -o bind ${croot}/filesystem $mountpoint
    log_end_msg
  fi
  # tmpfs file systems
  touch /etc/fstab
  mkdir -p /run/live/overlay
  # Looking for persistence devices or files
  if [ -n "${PERSISTENCE}" ] && [ -z "${NOPERSISTENCE}" ]
  then
    if [ -z "${QUICKUSBMODULES}" ]
    then
      # Load USB modules
      # shellcheck disable=SC2012
      num_block=$(ls -l /sys/block | wc -l)
      for module in sd_mod uhci-hcd ehci-hcd ohci-hcd usb-storage
      do
        # shellcheck disable=SC2086
        modprobe -q -b ${module}
      done
      udevadm trigger
      udevadm settle
      # For some reason, udevsettle does not block in this scenario,
      # so we sleep for a little while.
      #
      # See https://bugs.launchpad.net/ubuntu/+source/casper/+bug/84591
      # shellcheck disable=SC2034
      for timeout in 5 4 3 2 1
      do
        sleep 1
        # shellcheck disable=SC2012,SC2046,SC2086,SC2312
        if [ $(ls -l /sys/block | wc -l) -gt ${num_block} ]
        then
          break
        fi
      done
    fi
    # shellcheck disable=SC3043
    local whitelistdev
    whitelistdev=""
    if [ -n "${PERSISTENCE_MEDIA}" ]
    then
      case "${PERSISTENCE_MEDIA}" in
        removable)
          whitelistdev="$(removable_dev)"
          ;;
        removable-usb)
          whitelistdev="$(removable_usb_dev)"
          ;;
      esac
      if [ -z "${whitelistdev}" ]
      then
        whitelistdev="ignore_all_devices"
      fi
    fi
    # shellcheck disable=SC2086
    if is_in_comma_sep_list overlay ${PERSISTENCE_METHOD}
    then
      overlays="${custom_overlay_label}"
    fi
    # shellcheck disable=SC3043
    local overlay_devices
    overlay_devices=""
    if [ "${whitelistdev}" != "ignore_all_devices" ]
    then
      for media in $(find_persistence_media "${overlays}" "${whitelistdev}")
      do
        # shellcheck disable=SC2086
        media="$(echo ${media} | tr ":" " ")"
        for overlay_label in ${custom_overlay_label}
        do
          case ${media} in
            ${overlay_label}=*)
              device="${media#*=}"
              overlay_devices="${overlay_devices} ${device}"
              ;;
          esac
        done
      done
    fi
  elif [ -n "${NFS_COW}" ] && [ -z "${NOPERSISTENCE}" ]
  then
    # Check if there are any nfs options
    # shellcheck disable=SC2086
    if echo ${NFS_COW} | grep -q ','
    then
      # shellcheck disable=SC2086
      nfs_cow_opts="-o nolock,$(echo ${NFS_COW}|cut -d, -f2-)"
      nfs_cow=$(echo ${NFS_COW}|cut -d, -f1)
    else
      nfs_cow_opts="-o nolock"
      nfs_cow=${NFS_COW}
    fi
    if [ -n "${PERSISTENCE_READONLY}" ]
    then
      nfs_cow_opts="${nfs_cow_opts},nocto,ro"
    fi
    mac="$(get_mac)"
    if [ -n "${mac}" ]
    then
      # shellcheck disable=SC2086
      cowdevice=$(echo ${nfs_cow} | sed "s/client_mac_address/${mac}/")
      cow_fstype="nfs"
    else
      panic "unable to determine mac address"
    fi
  fi
  if [ -z "${cowdevice}" ]
  then
    cowdevice="tmpfs"
    cow_fstype="tmpfs"
    cow_mountopt="rw,noatime,mode=755,size=${OVERLAY_SIZE:-50%}"
  fi
  if [ -n "${PERSISTENCE_READONLY}" ] && [ "${cowdevice}" != "tmpfs" ]
  then
    # shellcheck disable=SC2086
    mount -t tmpfs -o rw,noatime,mode=755,size=${OVERLAY_SIZE:-50%} tmpfs "/run/live/overlay"
    # shellcheck disable=SC2086
    root_backing="/run/live/persistence/$(basename ${cowdevice})-root"
    # shellcheck disable=SC2086
    mkdir -p ${root_backing}
  else
    root_backing="/run/live/overlay"
  fi
  if [ "${cow_fstype}" = "nfs" ]
  then
    log_begin_msg \
      "Trying nfsmount ${nfs_cow_opts} ${cowdevice} ${root_backing}"
    # shellcheck disable=SC2086
    nfsmount ${nfs_cow_opts} ${cowdevice} ${root_backing} || \
      panic "Can not mount ${cowdevice} (n: ${cow_fstype}) on ${root_backing}"
  else
    # shellcheck disable=SC2086
    mount -t ${cow_fstype} -o ${cow_mountopt} ${cowdevice} ${root_backing} || \
      panic "Can not mount ${cowdevice} (o: ${cow_fstype}) on ${root_backing}"
  fi
  # shellcheck disable=SC2086
  rootfscount=$(echo ${rootfslist} |wc -w)
  rootfs=${rootfslist%% }
  if [ -n "${EXPOSED_ROOT}" ]
  then
    # shellcheck disable=SC2086
    if [ ${rootfscount} -ne 1 ]
    then
      panic "only one RO file system supported with exposedroot: ${rootfslist}"
    fi
    # shellcheck disable=SC2086
    mount -o bind ${rootfs} ${rootmnt} || \
      panic "bind mount of ${rootfs} failed"
    if [ -z "${SKIP_UNION_MOUNTS}" ]
    then
      cow_dirs='/var/tmp /var/lock /var/run /var/log /var/spool /home /var/lib/live'
    else
      cow_dirs=''
    fi
  else
    cow_dirs="/"
  fi
  for dir in ${cow_dirs}; do
    unionmountpoint=$(trim_path "${rootmnt}${dir}")
    # shellcheck disable=SC2086
    mkdir -p ${unionmountpoint}
    cow_dir=$(trim_path "/run/live/overlay${dir}")
    rootfs_dir="${rootfs}${dir}"
    # shellcheck disable=SC2086
    mkdir -p ${cow_dir}
    if [ -n "${PERSISTENCE_READONLY}" ] && [ "${cowdevice}" != "tmpfs" ]
    then
      # shellcheck disable=SC2086
      do_union ${unionmountpoint} ${cow_dir} ${root_backing} ${rootfs_dir}
    else
      # shellcheck disable=SC2086
      do_union ${unionmountpoint} ${cow_dir} ${rootfs_dir}
    fi || panic "mount ${UNIONTYPE} on ${unionmountpoint} failed with option ${unionmountopts}"
  done
  # Remove persistence depending on boot parameter
  Remove_persistence
  # Correct the permissions of /:
  chmod 0755 "${rootmnt}"
  # Correct the permission of /tmp:
  if [ -d "${rootmnt}/tmp" ]
  then
    chmod 1777 "${rootmnt}"/tmp
  fi
  # Correct the permission of /var/tmp:
  if [ -d "${rootmnt}/var/tmp" ]
  then
    chmod 1777 "${rootmnt}"/var/tmp
  fi
  # Adding custom persistence
  if [ -n "${PERSISTENCE}" ] && [ -z "${NOPERSISTENCE}" ]
  then
    # shellcheck disable=SC3043
    local custom_mounts
    custom_mounts="/tmp/custom_mounts.list"
    # shellcheck disable=SC2086
    rm -f ${custom_mounts}
    # Gather information about custom mounts from devices detected as overlays
    # shellcheck disable=SC2086
    get_custom_mounts ${custom_mounts} ${overlay_devices}
    # shellcheck disable=SC2086
    [ -n "${LIVE_BOOT_DEBUG}" ] && cp ${custom_mounts} "/run/live/persistence"
    # Now we do the actual mounting (and symlinking)
    # shellcheck disable=SC3043
    local used_overlays
    used_overlays=""
    # shellcheck disable=SC2086
    used_overlays=$(activate_custom_mounts ${custom_mounts})
    # shellcheck disable=SC2086
    rm -f ${custom_mounts}
    # Close unused overlays (e.g., due to missing $persistence_list)
    for overlay in ${overlay_devices}
    do
      # shellcheck disable=SC2086
      if echo ${used_overlays} | grep -qve "^\(.* \)\?${overlay}\( .*\)\?$"
      then
        close_persistence_media ${overlay}
      fi
    done
  fi
  printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-overlay.sh] ... \n\e[0m"
 }
--- a/.archive/generate_PRIVATE_trixie_0.yaml
+++ b/.archive/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.440.2025.11.19
+# Version Master V8.13.512.2025.11.26
 name: 🔐 Generating a Private Live ISO TRIXIE.
--- a/.archive/generate_PRIVATE_trixie_1.yaml
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.440.2025.11.19
+# Version Master V8.13.512.2025.11.26
 name: 🔐 Generating a Private Live ISO TRIXIE.
--- a/.archive/generate_PUBLIC_iso.yaml
+++ b/.archive/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.440.2025.11.19
+# Version Master V8.13.512.2025.11.26
 name: 💙 Generating a PUBLIC Live ISO.
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.440.2025.11.19"
+      placeholder: "e.g., Master V8.13.512.2025.11.26"
    validations:
      required: true
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.440.2025.11.19
+# Version Master V8.13.512.2025.11.26
 FROM debian:bookworm
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.440.2025.11.19
+# Version Master V8.13.512.2025.11.26
 name: 🔁 Render README.md to README.html.
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.13.440.2025.11.19
+  version: V8.13.512.2025.11.26
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.440.2025.11.19
+# Version Master V8.13.512.2025.11.26
 name: 🔐 Generating a Private Live ISO TRIXIE.
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.440.2025.11.19
+# Version Master V8.13.512.2025.11.26
 name: 🔐 Generating a Private Live ISO TRIXIE.
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.440.2025.11.19
+# Version Master V8.13.512.2025.11.26
 name: 💙 Generating a PUBLIC Live ISO.
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.440.2025.11.19
+# Version Master V8.13.512.2025.11.26
 # Gitea Workflow: Shell-Script Linting
 #
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.440.2025.11.19
+# Version Master V8.13.512.2025.11.26
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.440.2025.11.19
+# Version Master V8.13.512.2025.11.26
 name: 🔁 Render Graphviz Diagrams.
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.440.2025.11.19"
+properties_version="V8.13.512.2025.11.26"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.440.2025.11.19
+PackageVersion: Master V8.13.512.2025.11.26
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.440.2025.11.19-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.512.2025.11.26-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -152,7 +152,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.13.440.2025.11.19`
+Example: `V8.13.512.2025.11.26`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2.1. Repository Structure
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.440.2025.11.19** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.512.2025.11.26** (as of 2025-10-11)
 ## 2.2. Top-Level Layout
--- a/config/hooks/live/0000_basic_chroot_setup.chroot
+++ b/config/hooks/live/0000_basic_chroot_setup.chroot
@@ -232,9 +232,17 @@ ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.service
 rm -f /etc/cron.daily/apt-show-versions || true
-### Remove original '/usr/lib/live/boot/0030-verify-checksums' -----------------------------------------------------------------
+### Remove the original '/usr/lib/live/boot/0030-verify-checksums' -------------------------------------------------------------
 [[ -e /usr/lib/live/boot/0030-verify-checksums ]] && rm -f /usr/lib/live/boot/0030-verify-checksums
 ### Ensure proper 0755 rights for CISS initramfs scripts  ----------------------------------------------------------------------
 [[ -x /etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh ]] \
  && chmod 0755 /etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh
 [[ -x /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh ]] \
  && chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
 [[ -x /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh ]] \
  && chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
--- a/config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh
+++ b/config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh
@@ -77,10 +77,11 @@ for _mp in /run/live/rootfs /run/live/rootfs.squashfs /run/live/overlay /root ;
 done
 if [ -z "${ROOTMP}" ]; then
  log_er "No decrypted rootfs mount found."
  sleep 8
-  # TODO: Remove debug mode
+  panic "[FATAL] No decrypted rootfs mount found."
-  # panic "[FATAL] No decrypted rootfs mount found."
+
 fi
 log_ok "Decrypted rootfs at: [${ROOTMP}]"
@@ -106,8 +107,7 @@ else
  log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
  sleep 8
-  # TODO: Remove debug mode
+  panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
  # panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
 fi
@@ -126,8 +126,7 @@ if [ -e "${MAP_DEV}" ]; then
    log_er "Top layer is NOT 'crypt'."
    sleep 8
-    # TODO: Remove debug mode
+    panic "[FATAL] Top layer is NOT 'crypt'."
    # panic "[FATAL] Top layer is NOT 'crypt'."
  fi
@@ -139,8 +138,7 @@ if [ -e "${MAP_DEV}" ]; then
    log_er "Cipher does not look like AES-XTS."
    sleep 8
-    # TODO: Remove debug mode
+    panic "[FATAL] Cipher does not look like AES-XTS."
    # panic "[FATAL] Cipher does not look like AES-XTS."
  fi
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.440.2025.11.19
+# Version Master V8.13.512.2025.11.26
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.440.2025.11.19
+# Version Master V8.13.512.2025.11.26
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.440.2025.11.19
+# Version Master V8.13.512.2025.11.26
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.13.440.2025.11.19"
+declare -gr VERSION="Master V8.13.512.2025.11.26"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.440.2025.11.19 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.512.2025.11.26 at: 10:18:37.9542
--- a/config/includes.chroot/usr/lib/live/boot/9990-main.sh
+++ b/config/includes.chroot/usr/lib/live/boot/9990-main.sh
@@ -56,12 +56,10 @@ Live ()
  # Needed here too because some things (*cough* udev *cough*)
  # change the timeout
  printf "\e[93m[DEBUG] live(): Before do_netmount() pp. \e[0m\n"
  if [ -n "${NETBOOT}" ] || [ -n "${FETCH}" ] || [ -n "${HTTPFS}" ] || [ -n "${FTPFS}" ]
  then
    if do_netmount
    then
      printf "\e[93m[DEBUG] live(): [livefs_root=%s] \e[0m\n" "${mountpoint?}"
      livefs_root="${mountpoint?}"
    else
      panic "Unable to find a live file system on the network"
@@ -69,17 +67,13 @@ Live ()
  else
    if [ -n "${ISCSI_PORTAL}" ]
    then
      printf "\e[93m[DEBUG] live(): [do_iscsi && livefs_root=%s] \e[0m\n" "${mountpoint?}"
      do_iscsi && livefs_root="${mountpoint}"
    elif [ -n "${PLAIN_ROOT}" ] && [ -n "${ROOT}" ]
    then
      # Do a local boot from hd
      printf "\e[93m[DEBUG] live(): Do a local boot from hd [livefs_root=%s] \e[0m\n" "${ROOT?}"
      livefs_root=${ROOT}
    else
      printf "\e[93m[DEBUG] live(): [Setup_Memdisk] starting ... \e[0m\n"
      Setup_Memdisk
      printf "\e[93m[DEBUG] live(): [Setup_Memdisk] finished. \e[0m\n"
      # If the live media location is given via command line and access to it
      # involves LVM volumes, the corresponding volumes need to be activated.
@@ -87,7 +81,6 @@ Live ()
      # shellcheck disable=SC2116
      for dev in $(echo "${LIVE_MEDIA}")
      do
        printf "\e[93m[DEBUG] live(): [%s] -> dev \e[0m\n" "${dev}"
        case "${dev}" in
          /dev/mapper/*)
            # shellcheck disable=SC2046,SC2312
@@ -148,7 +141,6 @@ Live ()
  fi
  printf "\e[93m[DEBUG] live(): Before [Verify_checksums %s] \e[0m\n" "${livefs_root}"
  Verify_checksums "${livefs_root}"
  # shellcheck disable=SC2244
@@ -188,16 +180,14 @@ Live ()
  fi
  printf "\e[93m[DBG] Live(): before overlay, live_dest=%s \e[0m\n" "${live_dest:-<none>}"
  printf "\e[93m[DBG] Live(): MODULETORAMFILE=%s PLAIN_ROOT=%s \e[0m\n" "${MODULETORAMFILE}" "${PLAIN_ROOT}"
  if [ -n "${MODULETORAMFILE}" ] || [ -n "${PLAIN_ROOT}" ]
  then
-    printf "\e[93m[DBG] Live(): setup_unionfs livefs_root=%s rootmnt=%s \e[0m\n" "${livefs_root}" "${rootmnt?}"
+    printf "\e[92m[INFO] Live()               : [setup_unionfs livefs_root=%s rootmnt=%s] \e[0m\n" "${livefs_root}" "${rootmnt?}"
    setup_unionfs "${livefs_root}" "${rootmnt?}"
  else
    mac="$(get_mac)"
    mac="$(echo "${mac}" | sed 's/-//g')"
-    printf "\e[93m[DBG] Live(): mount_images_in_directory livefs_root=%s rootmnt=%s mac=%s \e[0m\n" "${livefs_root}" "${rootmnt}" "${mac}"
+    printf "\e[92m[INFO] Live()               : [mount_images_in_directory livefs_root=%s rootmnt=%s mac=%s] \e[0m\n" "${livefs_root}" "${rootmnt}" "${mac}"
    mount_images_in_directory "${livefs_root}" "${rootmnt}" "${mac}"
  fi
@@ -274,5 +264,5 @@ Live ()
    cp boot.log "${rootmnt}/var/log/live" 2>/dev/null; \
    cp fsck.log "${rootmnt}/var/log/live" 2>/dev/null )
-  printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-main.sh] ... \n\e[0m"
+  printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-main.sh] \n\e[0m"
 }
--- a/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh
+++ b/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh
@@ -488,5 +488,5 @@ setup_unionfs ()
    done
  fi
-  printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-overlay.sh] ... \n\e[0m"
+  printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"
 }
--- a/config/package-lists/live.list.common.chroot
+++ b/config/package-lists/live.list.common.chroot
@@ -112,6 +112,7 @@ pciutils
 perl
 pwgen
 python3
 ripgrep
 rkhunter
 rng-tools
 rsnapshot
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2. DNSSEC Status
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2. Lynis Audit:
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2. SSH Audit by ssh-audit.com
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2. TLS Audit:
 ````text
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2. Hardened Kernel Boot Parameters
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,17 +8,20 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2. Changelog
 ## V8.13.512.2025.11.26
 * **Global**: Final adjustments for LUKS dm-integrity integration
 ## V8.13.440.2025.11.19
 * **Added**: [9990-overlay.sh](../config/includes.chroot/usr/lib/live/boot/9990-overlay.sh)
 * **Bugfixes**: [0022-ciss-overlay-tmpfs](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs)
 * **Bugfixes**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash)
 * **Bugfixes**: [0026-ciss-early-sysctl](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl)
 * **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums)
-* **Bugfixes**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/etc/initramfs-tools/scripts/live-bottom/0042-ciss-post-decrypt-attest)
+* **Bugfixes**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh)
 ## V8.13.432.2025.11.18
 * **Bugfixes**: [0003_cdi_autostart.chroot](../config/hooks/live/0003_cdi_autostart.chroot)
@@ -34,7 +37,7 @@ include_toc: true
 * **Added**: [0022-ciss-overlay-tmpfs.sh](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs) + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
 * **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) + Open ``/live/ciss_rootfs.crypt`` (LUKS) and present its SquashFS as ``/run/live/rootfs``.
 * **Added**: [0026-ciss-early-sysctl.sh](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl) + Enforce early sysctls before services start.
-* **Added**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/etc/initramfs-tools/scripts/live-bottom/0042-ciss-post-decrypt-attest) + Late rootfs attestation and dmsetup health checking.
+* **Added**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh) + Late rootfs attestation and dmsetup health checking.
 * **Added**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md)
 * **Added**: [lib_ciss_signatures.sh](../lib/lib_ciss_signatures.sh) + integrated dynamic GPG FPR injection.
 * **Bugfixes**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot) + mv original files to a safe backup location.
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2. Centurion Net - Developer Branch Overview
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2. Coding Style
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2. Contributing / participating
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2. Credits
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)
 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V8.13.440.2025.11.19
+Master V8.13.512.2025.11.26
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2025
@@ -146,7 +146,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/
-                        V8.13.440.2025.11.19                        2025-11-06                         CDLB(1)
+                        V8.13.512.2025.11.26                        2025-11-06                         CDLB(1)
 ````
 # 3. Booting
--- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)
--- a/docs/MAN_SSH_Host_Key_Policy.md
+++ b/docs/MAN_SSH_Host_Key_Policy.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.440.2025.11.19<br>
+**Build**: V8.13.512.2025.11.26<br>
 # 2. Resources
--- a/lib/lib_ciss_signatures.sh
+++ b/lib/lib_ciss_signatures.sh
@@ -17,7 +17,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 # Module to export GPG FPRs into scripts:
 #  - /etc/initramfs-tools/files/unlock_wrapper.sh
 #  - /usr/lib/live/boot/0030-ciss-verify-checksums
-#  - /usr/lib/live/boot/0042-ciss-post-decrypt-attest
+#  - /usr/lib/live/boot/0042_ciss_post_decrypt_attest.sh
 # Globals:
 #   BASH_SOURCE
 #   VAR_HANDLER_BUILD_DIR
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -39,13 +39,13 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.440.2025.11.19                        2025-11-06                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.512.2025.11.26                        2025-11-06                         CDLB(1)" "${var_cols}")
  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.440.2025.11.19\e[0m"
+    echo -e "\e[92mMaster V8.13.512.2025.11.26\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
--- a/scripts/usr/local/sbin/9999_cdi_starter.sh
+++ b/scripts/usr/local/sbin/9999_cdi_starter.sh
@@ -130,7 +130,7 @@ main() {
  touch "${var_log}"
-  printf "CISS.debian.installer Master V8.13.440.2025.11.19 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.512.2025.11.26 is up! \n" >> "${var_log}"
  ### Sleep a moment to settle boot artifacts.
  sleep 8
@@ -209,7 +209,7 @@ main() {
  ### Timeout reached without acceptable semaphore.
  logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V8.13.440.2025.11.19: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.512.2025.11.26: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
  exit 0
 }
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V8.13.440.2025.11.19"
+declare -grx VAR_VERSION="Master V8.13.512.2025.11.26"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4
Author	SHA256	Message	Date
Marc S. Weidner	52c3298db9	V8.13.512.2025.11.26 All checks were successful 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m2s Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m27s Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-11-26 10:05:56 +00:00
Marc S. Weidner	afe0dd7038	V8.13.512.2025.11.26 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-11-26 09:54:11 +00:00