V9.14.024.2026.06.11

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
2026-06-11 17:11:22 +01:00
parent 9ef535554a
commit 97596fbcba
63 changed files with 767 additions and 200 deletions
+14
@@ -84,6 +84,8 @@ init_primordial() {
### Check for SOPS AGE key integration ---------------------------------------------------------------------------------------
if [[ "${VAR_AGE,,}" == "true" ]]; then
validate_secret_file_in_root "--key_age" "${VAR_AGE_KEY}" || return "$?"
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.config/sops/age"
install -m 0400 "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.config/sops/age/keys.txt"
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" 2>/dev/null || rm -f "${VAR_TMP_SECRET}/${VAR_AGE_KEY}"
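Review bot: The key cleanup on the shred line hides its own failures: `2>/dev/null` discards shred's diagnostics, and the `rm -f` fallback is never checked, so an AGE key that could not be removed from `${VAR_TMP_SECRET}` goes unreported while the function continues as if it were gone. I would also pass `--` to the fallback, as the shred call already does, so a key filename beginning with `-` cannot be parsed as an option. Suggested: `shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" 2>/dev/null || rm -f -- "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" || return "$?"`. A short comment such as `# shred overwrites in place; on journaling/CoW filesystems the overwrite may not reach the old blocks, so rm is the fallback, not a downgrade` would document why the fallback exists at all. init_primordial begins before this hunk, so which of these lines the commit adds is not fully visible here.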
@@ -93,6 +95,18 @@ init_primordial() {
### Check for SSH CISS and PhysNet Primordial-Workflow™ integration -------------------------------------------------------
if [[ "${VAR_SSHFP,,}" == "true" ]]; then
# shellcheck disable=SC2312
if find "${VAR_TMP_SECRET}" -xdev \( -name 'id*' -o -name 'ssh_host_*' \) -type l -print -quit | grep -q .; then
printf "\e[91m❌ ERROR: SSH identity and host key inputs MUST NOT be symlinks. \e[0m\n" >&2
return "${ERR_INVLD_CHAR}"
fi
# shellcheck disable=SC2312
if find "${VAR_TMP_SECRET}" -xdev \( -name 'id*' -o -name 'ssh_host_*' \) ! -type f -print -quit | grep -q .; then
printf "\e[91m❌ ERROR: SSH identity and host key inputs MUST be regular files. \e[0m\n" >&2
return "${ERR_INVLD_CHAR}"
fi
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
install -m 0600 "${VAR_TMP_SECRET}/id"* "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/"
normalize_ssh_keys_in_dir "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"