V8.13.404.2025.11.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

lib/lib_primordial.sh

@@ -85,10 +85,18 @@ readonly -f init_primordial
 #######################################
 normalize_ssh_key_file() {
   declare    var_key_file="" var_tmp_file=""
+  declare -i var_is_pub=0
   var_key_file="$1"
 
   [[ -f "${var_key_file}" ]] || return 0
 
+  # shellcheck disable=SC2249
+  case "${var_key_file}" in
+    *.pub)
+      var_is_pub=1
+      ;;
+  esac
+
   ### If there is any CR (carriage return), strip it.
   if grep -q $'\r' "${var_key_file}"; then
 
@@ -106,10 +114,20 @@ normalize_ssh_key_file() {
 
     mv "${var_tmp_file}" "${var_key_file}"
 
+    if [[ "${var_is_pub}" -eq 1 ]]; then
+
+      chmod 0644 "${var_key_file}"
+
+    else
+
       chmod 0600 "${var_key_file}"
 
+    fi
+
+    ### Validate with ssh-keygen if available.
     if command -v ssh-keygen >/dev/null 2>&1; then
 
+      ### Always: fingerprint check (works for private and public keys)
       if ! ssh-keygen -lf "${var_key_file}" >/dev/null; then
 
         printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed check ssh-keygen -lf: [%s] \e[0m\n" "${var_key_file}"
@@ -117,6 +135,9 @@ normalize_ssh_key_file() {
 
       fi
 
+      ### Only for private keys: derive the public key to ensure libcrypto can parse the private key.
+      if [[ "${var_is_pub}" -eq 0 ]]; then
+
         if ! ssh-keygen -yf "${var_key_file}" >/dev/null; then
 
           printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed check ssh-keygen -yf: [%s] \e[0m\n" "${var_key_file}"
@@ -126,6 +147,8 @@ normalize_ssh_key_file() {
 
       fi
 
+    fi
+
     sha256sum "${var_key_file}" >| "${var_key_file}.sha256sum.txt"
     chmod 0444 "${var_key_file}.sha256sum.txt"