#!/bin/bash # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu guard_sourcing || return "${ERR_GUARD_SRCE}" ####################################### # Removes secrets securely before 'lb build' execution. # Globals: # BASH_SOURCE # VAR_TMP_SECRET # Arguments: # None # Returns: # 0: on success ####################################### x_remove() { declare luks_key_filename="${VAR_LUKS_KEY:-luks.txt}" luks_key_path="" signing_pass_path="" declare -a find_args=("${VAR_TMP_SECRET}" -xdev -type f) printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" validate_secret_staging_area || return "${ERR_SECRET_PATH}" if [[ "${VAR_SIGNER}" == "true" ]]; then validate_secret_file_in_root "${VAR_SIGNING_KEY_PASS}" "signing passphrase file" || return "${ERR_SECRET_PATH}" signing_pass_path="${VAR_TMP_SECRET}/${VAR_SIGNING_KEY_PASS}" find_args+=(! -path "${signing_pass_path}") fi validate_secret_file_in_root "${luks_key_filename}" "LUKS key file" || return "${ERR_SECRET_PATH}" luks_key_path="${VAR_TMP_SECRET}/${luks_key_filename}" find_args+=(! -path "${luks_key_path}") # shellcheck disable=SC2312 find "${find_args[@]}" -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 -- find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" return 0 } ### Prevents accidental 'unset -f'. # shellcheck disable=SC2034 readonly -f x_remove # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh