V9.14.022.2026.06.11: enforce secret and cleanup safeguards

This commit is contained in:
2026-06-11 05:08:01 +02:00
parent 74897d85b1
commit 9d3f283297
10 changed files with 182 additions and 154 deletions
+7
@@ -41,6 +41,12 @@ init_gnupg() {
if [[ "${VAR_SIGNER}" == "true" ]]; then
validate_secret_file_in_root "${VAR_SIGNING_KEY}" "signing key file" || return "${ERR_SECRET_PATH}"
validate_secret_file_in_root "${VAR_SIGNING_KEY_PASS}" "signing passphrase file" || return "${ERR_SECRET_PATH}"
if [[ -n "${VAR_SIGNING_CA}" ]]; then
validate_secret_file_in_root "${VAR_SIGNING_CA}" "signing CA file" || return "${ERR_SECRET_PATH}"
fi
__umask=$(umask)
umask 0077
@@ -82,6 +88,7 @@ EOF
declare __pw=""
__pw="$(<"${VAR_SIGNING_KEY_PASSFILE}")"; __pw="${__pw%$'\r'}"; printf '%s' "${__pw}" >| "${VAR_SIGNING_KEY_PASSFILE}"
register_secret_value "${__pw}"
__pw="" && unset __pw
### Turn on tracing again ----------------------------------------------------------------------------------------------------
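Review bot: The in-place rewrite `printf '%s' "${__pw}" >| "${VAR_SIGNING_KEY_PASSFILE}"` has no failure check, so if the passphrase file sits on a read-only secret mount or the write is short, the file can be left truncated while the code carries on to register the value; guard it, e.g. `printf '%s' "${__pw}" >| "${VAR_SIGNING_KEY_PASSFILE}" || { unset __pw; return "${ERR_SECRET_PATH}"; }`, choosing whichever error code the caller expects (ERR_SECRET_PATH is the one used in the earlier hunk of this file). The `&&` in `__pw="" && unset __pw` is redundant because an assignment always succeeds, so `unset __pw` alone is enough, and a comment that clearing a bash variable does not reliably scrub the secret from process memory would set expectations honestly. If `register_secret_value` is a shell function the passphrase stays in-process, but should it ever become an external command the value would be visible in argv, so a comment pinning that assumption next to the call, like `# must stay a shell function: passing the passphrase as an argv to a child would expose it`, is worth adding. The enclosing function starts and ends outside this hunk.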