msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.404.2025.11.10
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 55s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-10 12:26:58 +01:00
parent 67fc4b906f
commit 1065a53523
1 changed files with 28 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
lib/lib_primordial.sh
View File

@@ -85,10 +85,18 @@ readonly -f init_primordial
####################################### #######################################
normalize_ssh_key_file() { normalize_ssh_key_file() {
declare var_key_file="" var_tmp_file="" declare var_key_file="" var_tmp_file=""
declare -i var_is_pub=0
var_key_file="$1" var_key_file="$1"
[[ -f "${var_key_file}" ]] || return 0 [[ -f "${var_key_file}" ]] || return 0
# shellcheck disable=SC2249
case "${var_key_file}" in
*.pub)
var_is_pub=1
;;
esac
### If there is any CR (carriage return), strip it. ### If there is any CR (carriage return), strip it.
if grep -q $'\r' "${var_key_file}"; then if grep -q $'\r' "${var_key_file}"; then
@@ -106,10 +114,20 @@ normalize_ssh_key_file() {
mv "${var_tmp_file}" "${var_key_file}" mv "${var_tmp_file}" "${var_key_file}"
if [[ "${var_is_pub}" -eq 1 ]]; then
chmod 0644 "${var_key_file}"
else
chmod 0600 "${var_key_file}" chmod 0600 "${var_key_file}"
fi
### Validate with ssh-keygen if available.
if command -v ssh-keygen >/dev/null 2>&1; then if command -v ssh-keygen >/dev/null 2>&1; then
### Always: fingerprint check (works for private and public keys)
if ! ssh-keygen -lf "${var_key_file}" >/dev/null; then if ! ssh-keygen -lf "${var_key_file}" >/dev/null; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed check ssh-keygen -lf: [%s] \e[0m\n" "${var_key_file}" printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed check ssh-keygen -lf: [%s] \e[0m\n" "${var_key_file}"
@@ -117,6 +135,9 @@ normalize_ssh_key_file() {
fi fi
### Only for private keys: derive the public key to ensure libcrypto can parse the private key.
if [[ "${var_is_pub}" -eq 0 ]]; then
if ! ssh-keygen -yf "${var_key_file}" >/dev/null; then if ! ssh-keygen -yf "${var_key_file}" >/dev/null; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed check ssh-keygen -yf: [%s] \e[0m\n" "${var_key_file}" printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed check ssh-keygen -yf: [%s] \e[0m\n" "${var_key_file}"
@@ -126,6 +147,8 @@ normalize_ssh_key_file() {
fi fi
fi
sha256sum "${var_key_file}" >| "${var_key_file}.sha256sum.txt" sha256sum "${var_key_file}" >| "${var_key_file}.sha256sum.txt"
chmod 0444 "${var_key_file}.sha256sum.txt" chmod 0444 "${var_key_file}.sha256sum.txt"