build: refuse to bake mother SSH key into release images

The trigger copies osa-mother-2026 from the build host into any ISO
as long as the key file exists (which it does permanently on OSA).
A BUILD_CHANNEL=release build would embed the private key into a
publicly hosted image = mother compromise.

Add a fail-closed guard: release builds exit with an error before
copying the key. Dev builds (including personalized sticks) are
unaffected.
Sam & Claude 2026-06-22 09:42:00 +02:00
parent 4addf6fa89
commit b489d147d4


@ -1615,6 +1615,8 @@ EOF
# manual key exchange. Public key is already in mother authorized_keys.
_mother_key_src="/home/clawdie/.ssh/osa-mother-2026"
if [ -f "${_mother_key_src}" ]; then
[ "${BUILD_CHANNEL}" = "release" ] && { echo "ERROR: refusing to bake mother SSH key into a release image"; exit 1; }
mkdir -p "${MOUNT_POINT}/home/clawdie/.ssh"
cp "${_mother_key_src}" "${MOUNT_POINT}/home/clawdie/.ssh/osa-mother-2026"
chmod 0600 "${MOUNT_POINT}/home/clawdie/.ssh/osa-mother-2026"
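Review bot: the guard on the `[ "${BUILD_CHANNEL}" = "release" ] && { ...; exit 1; }` line is a denylist on one exact string, so it is not fail-closed as the commit message claims: an unset, empty or differently spelled BUILD_CHANNEL (e.g. "Release") is not equal to "release" and falls straight through to the `cp` of the private key. Invert it into an allowlist of the channels that may carry the key, e.g. `[ "${BUILD_CHANNEL}" = "dev" ] || { echo "ERROR: refusing to bake mother SSH key into a non-dev image"; exit 1; }` (or a `case` over every permitted channel value, since the message says personalized sticks are also exempt), so the default path refuses rather than copies. Separately, since this check sits around line 1615 with the image already assembled under "${MOUNT_POINT}", consider also validating BUILD_CHANNEL once near the top of the script so a release build fails before any work and any mounts are made; the `exit 1` here is only safe if a cleanup trap unmounts the image, which is not visible in this hunk.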