#!/bin/bash # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024โ€“2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu set -C -e -u -o pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" # sleep 1 target="/usr/lib/live/boot/0030-verify-checksums" src="$(mktemp)" if [[ ! -d /usr/lib/live/boot ]]; then mkdir -p /usr/lib/live/boot fi cat << 'EOF' >| "${src}" #!/bin/sh # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024โ€“2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu ### Changed version of https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums' ### In case of successful verification of the offered checksums, proceed with booting, else panic. ### Inside 0002_verify_checksums.chroot ### ####################################### # Live build ISO with the modified checksum verification script for continuing the boot process. # Globals: # LIVE_BOOT_CMDLINE # LIVE_VERIFY_CHECKSUMS # LIVE_VERIFY_CHECKSUMS_DIGESTS # _CHECKSUM # _CHECKSUMS # _DIGEST # _MOUNTPOINT # _PARAMETER # _RETURN # _TTY # Arguments: # $1: ${_PARAMETER} # Returns: # 0 : Successful Verification ####################################### Verify_checksums() { for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do case "${_PARAMETER}" in live-boot.verify-checksums=* | verify-checksums=*) LIVE_VERIFY_CHECKSUMS="true" LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}" ;; live-boot.verify-checksums | verify-checksums) LIVE_VERIFY_CHECKSUMS="true" ;; esac done case "${LIVE_VERIFY_CHECKSUMS}" in true) ;; *) return 0 ;; esac _MOUNTPOINT="${1}" LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}" _TTY="/dev/tty8" log_begin_msg "Verifying checksums" # shellcheck disable=SC2164 cd "${_MOUNTPOINT}" for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do # shellcheck disable=SC2060 _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt" for _CHECKSUM in ${_CHECKSUMS}; do if [ -e "${_CHECKSUM}" ]; then echo "Found ${_CHECKSUM}..." > "${_TTY}" if [ -e "/bin/${_DIGEST}sum" ]; then echo "Checking ${_CHECKSUM}..." > "${_TTY}" # Verify checksums grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}" _RETURN="${?}" # Stop after the first verification # break 2 else echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}" fi fi done done log_end_msg case "${_RETURN}" in 0) log_success_msg "Verification sha512 sha384 sha256 successful, continuing booting in 10 seconds." sleep 10 return 0 ;; *) panic "Verification failed, $(basename ${_TTY}) for more information." ;; esac } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh EOF # Copy and make executable install -Dm755 "${src}" "${target}" rm -f "${src}" unset target src printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}" # sleep 1 exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh