# SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu ### Version Master V8.13.002.2025.08.11 name: 🔐 Generating a Private Live ISO FLV 0. permissions: contents: write on: push: branches: - master paths: - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml' jobs: generate-private-ciss-debian-live-iso: name: 🔐 Generating a Private Live ISO FLV 0. runs-on: ciss.debian.live.builder.iso.generator ### Run all steps inside Debian Bookworm container: image: debian:bookworm steps: - name: 🛠️ Basic Image Setup and enable Bookworm Backports. run: | apt-get update -y apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo echo 'deb https://deb.debian.org/debian bookworm-backports main' \ >| /etc/apt/sources.list.d/bookworm-backports.list apt-get update -y apt-get upgrade -y - name: 🛠️ Installing Build Tools. shell: bash run: | apt-get update -y apt-get install -y \ autoconf \ automake \ build-essential \ cryptsetup \ curl \ debootstrap \ dosfstools \ efibootmgr \ gettext \ git \ gnupg \ haveged \ libbz2-dev \ zlib1g-dev \ liblzma-dev \ libtool \ live-build \ parted \ pkg-config \ ssh \ ssl-cert \ sudo \ texinfo \ wget \ whois \ - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5. shell: bash run: | urls=( "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2" "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2" "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2" "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2" "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2" "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2" ) wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1 gpg --batch --import signature_key.asc for url in "${urls[@]}"; do archive_name="${url##*/}" pkg_name="${archive_name%.tar.bz2}" echo "🔄 Processing ${pkg_name}" if [[ ! -f "${archive_name}" ]]; then echo "📥 Downloading: '${archive_name}'." if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then echo "✅ Download successful: '${archive_name}'." else echo "❌ Download NOT successful: '${archive_name}'." exit 1 fi else echo "💡 Skipping download, package already exists: '${archive_name}'." fi if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi if [[ ! -d "${pkg_name}" ]]; then echo "📂 Extracting: '${archive_name}'." if tar -xjf "${archive_name}"; then echo "✅ Extraction successful: '${archive_name}'." else echo "❌ Extraction not successful: '${archive_name}'." exit 1 fi else echo "💡 Skipping directory, already exists: '${pkg_name}'." fi echo "🏗️ Build and install the package: '${pkg_name}'." cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; } mkdir -p build cd build || { echo "❌ Could not change to '/build'."; exit 1; } sudo ../configure > /dev/null 2>&1 || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; } make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; } sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; } cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; } rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'." rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'." echo "✅ Successful build and installation of '${pkg_name}'." echo "-------------------------------------------------------------------------------------" done rm -f signature_key.asc echo "✅ All packages were built and installed successfully." mv_bin=( "/usr/bin/gpg" "/usr/bin/gpg-agent" "/usr/bin/gpgconf" "/usr/bin/gpg-connect-agent" "/usr/bin/gpg-wks-client" "/usr/bin/gpg-preset-passphrase" ) for bin in "${mv_bin[@]}"; do name="${bin##*/}" if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then if mv "${bin}" "${bin}.debian-backup"; then echo "✅ Moved successfully: '${bin}'." else echo "❌ Moved NOT successfully: '${bin}'." fi else echo "💡 Does not exist as build binary: '${bin}'." fi done for bin in "${mv_bin[@]}"; do name="${bin##*/}" if [[ -f "/usr/local/bin/${name}" ]]; then if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then echo "✅ 'update-alternatives' successfully: '${bin}'." else echo "❌ 'update-alternatives' NOT successfully: '${bin}'." fi else echo "💡 Does not exist: '/usr/local/bin/${name}'." fi done sudo ldconfig gpgconf --kill all /usr/local/bin/gpg-agent --daemon - name: ⚙️ Check GnuPG Version. shell: bash run: | gpg --version - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. shell: bash run: | rm -rf ~/.ssh && mkdir -m700 ~/.ssh ### Private Key echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts chmod 600 ~/.ssh/known_hosts ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config Host git.coresecret.dev HostName git.coresecret.dev Port 42842 IdentityFile ~/.ssh/id_ed25519 StrictHostKeyChecking yes UserKnownHostsFile ~/.ssh/known_hosts EOF chmod 600 ~/.ssh/config ### https://github.com/actions/checkout/issues/1843 - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues. shell: bash env: ### GITHUB_REF_NAME contains the branch name from the push event. GITHUB_REF_NAME: ${{ github.ref_name }} run: | git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . git fetch --unshallow || echo "Nothing to fetch - already full clone." - name: 🛠️ Cleaning the workspace. shell: bash run: | git reset --hard git clean -fd - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key. shell: bash run: | set -euo pipefail ### GPG-Home relative to the Runner Workspace to avoid changing global files. export GNUPGHOME="$(pwd)/.gnupg" mkdir -m 700 "${GNUPGHOME}" echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc gpg --batch --import centurion-root.PUB.asc echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc gpg --batch --import ci-bot.sec.asc ### Trust the key automatically KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}') echo "trust-model always" >| "${GNUPGHOME}/gpg.conf" - name: ⚙️ Configuring Git for signed CI/DEPLOY commits. shell: bash run: | set -euo pipefail export GNUPGHOME="$(pwd)/.gnupg" git config user.name "Marc S. Weidner BOT" git config user.email "msw+bot@coresecret.dev" git config commit.gpgsign true git config gpg.program gpg git config gpg.format openpgp - name: ⚙️ Preparing the build environment. shell: bash run: | set -euo pipefail mkdir -p /opt/config mkdir -p /opt/livebuild touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ... shell: bash run: | set -euo pipefail chmod 0755 ciss_live_builder.sh timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64. ./ciss_live_builder.sh \ --autobuild=6.1.0-37-amd64 \ --architecture amd64 \ --build-directory /opt/livebuild \ --control "${timestamp}" \ --debug \ --dhcp-centurion \ --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \ --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \ --root-password-file /opt/config/password.txt \ --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \ --ssh-pubkey /opt/config - name: 📥 Checking Centurion Cloud for existing LIVE ISOs. shell: bash env: NC_BASE: "https://cloud.e2ee.li" SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}" SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}" run: | set -euo pipefail SHARE_SUBDIR="" echo "📥 Get directory listing via PROPFIND ..." curl -s \ --user "${SHARE_TOKEN}:${SHARE_PASS}" \ -X PROPFIND \ -H "Depth: 1" \ "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \ -o propfind_public.xml echo "📥 Filter .iso files from the PROPFIND response ..." grep -oP '(?<=)[^<]+\.iso(?=)' propfind_public.xml >| public_iso_list.txt || true if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then echo "💡 Old ISO files found and deleted :" while IFS= read -r href; do FILE_URL="${NC_BASE}${href}" echo " Delete: ${FILE_URL}" if curl -s \ --user "${SHARE_TOKEN}:${SHARE_PASS}" \ -X DELETE "${FILE_URL}"; then echo " ✅ Successfully deleted: $(basename "${href}")" else echo " ❌ Error: $(basename "${href}") could not be deleted" fi done < public_iso_list.txt else echo "💡 No old ISO files found to delete." fi - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV. shell: bash env: NC_BASE: "https://cloud.e2ee.li" SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}" SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}" run: | set -euo pipefail if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then echo "❌ There must be exactly one .iso file in the directory!" exit 1 else VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso) VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}") echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}" fi AUTH="${SHARE_TOKEN}:${SHARE_PASS}" if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \ --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then echo "✅ New ISO successfully uploaded." else echo "❌ Uploading the new ISO failed." exit 1 fi - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file. shell: bash run: | if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then echo "❌ There must be exactly one .iso file in the directory!" exit 1 else VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso) VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}") echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}" fi VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512" touch "${VAR_ISO_FILE_SHA512}" sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}" SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign" touch "${SIGNATURE_FILE}" export GNUPGHOME="$(pwd)/.gnupg" gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}" timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ") PRIVATE_FILE="LIVE_ISO_FLV_0.private" touch "${PRIVATE_FILE}" cat << EOF >| "${PRIVATE_FILE}" # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu This file was automatically generated by the DEPLOY BOT on: "${timestamp}" CISS.debian.live.builder ISO : "${VAR_ISO_FILE_NAME}" CISS.debian.live.builder ISO sha512 : $(< "${VAR_ISO_FILE_SHA512}") CISS.debian.live.builder ISO sha512 sign : $(< "${SIGNATURE_FILE}") # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text EOF - name: 🚧 Stash local changes (including untracked). shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail ### Temporarily store any local modifications or untracked files. git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash." - name: 🔄 Sync with remote before commit using merge strategy. shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail export GNUPGHOME="$(pwd)/.gnupg" echo "🔄 Fetching origin/master ..." git fetch origin master echo "🔁 Merging origin/master into current branch ..." git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward." echo "📋 Post-merge status :" git status git log --oneline -n 5 - name: 🛠️ Restore stashed changes. shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail ### Apply previously stashed changes. git stash pop || echo "✔️ Nothing to pop." - name: 📦 Stage generated files. shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail PRIVATE_FILE="LIVE_ISO_FLV_0.private" git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add." - name: 🔑 Commit and sign changes with CI metadata. shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail export GNUPGHOME="$(pwd)/.gnupg" if git diff --cached --quiet; then echo "✔️ No staged changes to commit." else echo "📝 Committing changes with GPG signature ..." ### CI Metadata TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')" HOSTNAME="$(hostname -f || hostname)" GIT_SHA="$(git rev-parse --short HEAD)" GIT_REF="$(git symbolic-ref --short HEAD || echo detached)" WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci] ${CI_HEADER} Generated at : ${TIMESTAMP_UTC} Runner Host : ${HOSTNAME} Workflow ID : ${WORKFLOW_ID} Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF} " echo "🔏 Commit message :" echo "${COMMIT_MSG}" git commit -S -m "${COMMIT_MSG}" fi - name: 🔁 Push back to repository. shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..." git push origin HEAD:${GITHUB_REF_NAME} # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml