M-09: SOURCE_DATE_EPOCH set at build start, BUILD-INFO.txt written with
build metadata for reproducibility verification.
M-10: GPG signing of ISO and SHA256 checksum. Uses persistent key at
config/gpg-keys/signing.key if available, otherwise generates ephemeral
key per build and exports pubkey alongside artifacts.
M-11: Docker base image digest-pinned to sha256:1d3c8111... preventing
supply chain tampering with the build environment.
H-09: Build cache integrity verification via SHA256 manifest. On cache
save, records checksums of all cached files. On restore, verifies each
file. Corrupted cache triggers fresh download instead of silent use.
Dockerfile: Added sbsigntool, shim-signed, systemd-boot-efi, gpg with
version pins for Secure Boot and signing support in build container.
Reference: DeepReport-2026-05-08.md findings M-09, M-10, M-11, H-09
💘 Generated with Crush
Assisted-by: GLM-5.1 via Crush <crush@charm.land>
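The H-09 cache-integrity pattern described in the message above, as an added shell illustration that is not the project's own script: a SHA256 manifest is written when the cache is saved, checked before the cache is reused, and any failure discards the cache so the caller falls through to a fresh download. The function names, the manifest filename `SHA256SUMS.cache` and the fetch hook are assumptions; GNU coreutils and findutils are assumed.

```shell
# Added illustration of the H-09 pattern (not the project's own code):
# write a SHA256 manifest when the cache is saved, verify it before reuse,
# and discard the cache on any mismatch. Assumes GNU coreutils/findutils.
set -eu
MANIFEST_NAME="SHA256SUMS.cache"   # assumed manifest filename

# save_cache_manifest CACHE_DIR
# Records a checksum for every regular file under CACHE_DIR, in a stable
# order, so that a later restore can detect altered or truncated files.
save_cache_manifest() {
    cache_dir="$1"
    ( cd "$cache_dir" && find . -type f ! -name "$MANIFEST_NAME" -print0 \
        | sort -z | xargs -0 -r sha256sum ) > "$cache_dir/$MANIFEST_NAME"
}

# discard_cache CACHE_DIR
# Empties the cache so unverified files cannot be reused by accident.
discard_cache() {
    rm -rf "$1"
    mkdir -p "$1"
}

# verify_cache CACHE_DIR
# Returns 0 only when the manifest exists, the file count matches it, and
# every checksum matches. Any other outcome discards the cache and returns 1.
verify_cache() {
    cache_dir="$1"
    manifest="$cache_dir/$MANIFEST_NAME"
    if [ ! -f "$manifest" ]; then
        echo "cache: no manifest, discarding" >&2
        discard_cache "$cache_dir"; return 1
    fi
    expected=$(wc -l < "$manifest" | tr -d ' ')
    actual=$(cd "$cache_dir" && find . -type f ! -name "$MANIFEST_NAME" | wc -l | tr -d ' ')
    if [ "$expected" -ne "$actual" ]; then
        echo "cache: file count changed ($expected -> $actual), discarding" >&2
        discard_cache "$cache_dir"; return 1
    fi
    if ! ( cd "$cache_dir" && sha256sum --quiet -c "$MANIFEST_NAME" ); then
        echo "cache: checksum mismatch, discarding" >&2
        discard_cache "$cache_dir"; return 1
    fi
    return 0
}

# restore_or_fetch CACHE_DIR FETCH_CMD...
# Reuses the cache only if it verifies; otherwise runs the fetch command.
restore_or_fetch() {
    cache_dir="$1"; shift
    verify_cache "$cache_dir" || "$@"
}
```

A file dropped into the cache after the manifest was written fails the count check even though it has no checksum to mismatch, which is why the count is compared before the checksums are.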
live-build requires the 'file' command for installer processing.
Also pinned versions for bats-assert, bats-support, and bats-file
to satisfy hadolint DL3008 and ensure reproducible builds.
Reference: Build error "file: not found"
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
Create Docker build environment with live-build, Debian keyrings, and dependencies for ISO creation. Multi-stage build for efficient caching and minimal final image size.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
- Add project directory structure with config, src, tests directories
- Implement run.sh host wrapper script for Docker-based workflow
- Create Dockerfile for build/test environment with live-build
- Add basic live-build configuration with preseed and package lists
- Add .gitignore and .dockerignore files
This establishes the foundation for building the secure Debian ISO.
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
Finalizes directory cleanup by removing obsolete files:
- All old debootstrap build scripts (docker-*.sh, final-simple-build.sh)
- All old documentation from root (BUILD-*.md, DOCKER-*.md)
- Obsolete Dockerfiles (Dockerfile, Dockerfile.build)
- Obsolete chroot-overlay/ directory (now using preseed.cfg)
- Old build.sh (replaced by scripts/build-iso.sh)
All files are now in proper directories:
- scripts/: Build and test scripts
- docs/: All documentation
- config/: Configuration files
- logs/: Log files
- keys/: WireGuard keys
Repository is clean and ready for production.
💘 Generated with Crush
Assisted-by: Gemini 2.5 Flash via Crush <crush@charm.land>