From b489d147d4df64967438ee4e97fd2d59d5ee2d0c Mon Sep 17 00:00:00 2001 From: Sam & Claude Date: Mon, 22 Jun 2026 09:42:00 +0200 Subject: [PATCH] build: refuse to bake mother SSH key into release images The trigger copies osa-mother-2026 from the build host into any ISO as long as the key file exists (which it does permanently on OSA). A BUILD_CHANNEL=release build would embed the private key into a publicly hosted image = mother compromise. Add a fail-closed guard: release builds exit with an error before copying the key. Dev builds (including personalized sticks) are unaffected. --- build.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/build.sh b/build.sh index 0fc22b4d..62e107f3 100755 --- a/build.sh +++ b/build.sh @@ -1615,6 +1615,8 @@ EOF # manual key exchange. Public key is already in mother authorized_keys. _mother_key_src="/home/clawdie/.ssh/osa-mother-2026" if [ -f "${_mother_key_src}" ]; then + [ "${BUILD_CHANNEL}" = "release" ] && { echo "ERROR: refusing to bake mother SSH key into a release image"; exit 1; } + mkdir -p "${MOUNT_POINT}/home/clawdie/.ssh" cp "${_mother_key_src}" "${MOUNT_POINT}/home/clawdie/.ssh/osa-mother-2026" chmod 0600 "${MOUNT_POINT}/home/clawdie/.ssh/osa-mother-2026"