V8.13.404.2025.11.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

lib/lib_primordial.sh

@@ -84,11 +84,19 @@ readonly -f init_primordial
 #   ERR_SANITIZING: on failure
 #######################################
 normalize_ssh_key_file() {
-  declare var_key_file="" var_tmp_file=""
+  declare    var_key_file="" var_tmp_file=""
+  declare -i var_is_pub=0
   var_key_file="$1"
 
   [[ -f "${var_key_file}" ]] || return 0
 
+  # shellcheck disable=SC2249
+  case "${var_key_file}" in
+    *.pub)
+      var_is_pub=1
+      ;;
+  esac
+
   ### If there is any CR (carriage return), strip it.
   if grep -q $'\r' "${var_key_file}"; then
 
@@ -106,10 +114,20 @@ normalize_ssh_key_file() {
 
     mv "${var_tmp_file}" "${var_key_file}"
 
-    chmod 0600 "${var_key_file}"
+    if [[ "${var_is_pub}" -eq 1 ]]; then
 
+      chmod 0644 "${var_key_file}"
+
+    else
+
+      chmod 0600 "${var_key_file}"
+
+    fi
+
+    ### Validate with ssh-keygen if available.
     if command -v ssh-keygen >/dev/null 2>&1; then
 
+      ### Always: fingerprint check (works for private and public keys)
       if ! ssh-keygen -lf "${var_key_file}" >/dev/null; then
 
         printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed check ssh-keygen -lf: [%s] \e[0m\n" "${var_key_file}"
@@ -117,10 +135,15 @@ normalize_ssh_key_file() {
 
       fi
 
-      if ! ssh-keygen -yf "${var_key_file}" >/dev/null; then
+      ### Only for private keys: derive the public key to ensure libcrypto can parse the private key.
+      if [[ "${var_is_pub}" -eq 0 ]]; then
 
-        printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed check ssh-keygen -yf: [%s] \e[0m\n" "${var_key_file}"
-        return "${ERR_SANITIZING}"
+        if ! ssh-keygen -yf "${var_key_file}" >/dev/null; then
+
+          printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed check ssh-keygen -yf: [%s] \e[0m\n" "${var_key_file}"
+          return "${ERR_SANITIZING}"
+
+        fi
 
       fi