From 030ecd8fd84870576b78104c19ed38907de39898 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 4 Jul 2026 01:50:23 -0400 Subject: [PATCH] fix build afet private key --- .gitea/workflows/build-and-deploy.yml | 38 ++++++++++++++++++++++----- 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/.gitea/workflows/build-and-deploy.yml b/.gitea/workflows/build-and-deploy.yml index e9eb25f..cf3f357 100644 --- a/.gitea/workflows/build-and-deploy.yml +++ b/.gitea/workflows/build-and-deploy.yml @@ -155,13 +155,26 @@ jobs: echo "Using SSH host $VPS_HOST" mkdir -p ~/.ssh && chmod 700 ~/.ssh if [ -n "$VPS_SSH_KEY_B64" ]; then - printf '%s' "$VPS_SSH_KEY_B64" | base64 -d > ~/.ssh/id_rsa + printf '%s' "$VPS_SSH_KEY_B64" | tr -d '[:space:]' | base64 -d > ~/.ssh/id_rsa else printf '%b\n' "$VPS_SSH_KEY" | tr -d '\r' > ~/.ssh/id_rsa fi chmod 600 ~/.ssh/id_rsa - if ! ssh-keygen -y -f ~/.ssh/id_rsa >/dev/null 2>&1; then - echo "::error::SSH private key is not readable. Prefer setting VPS_SSH_KEY_B64 to: base64 -w0 /path/to/private_key" + key_header="$(head -n 1 ~/.ssh/id_rsa || true)" + key_size="$(wc -c < ~/.ssh/id_rsa | tr -d ' ')" + case "$key_header" in + "-----BEGIN "*PRIVATE*" KEY-----") ;; + ssh-*|"ecdsa-"*|"sk-"*) + echo "::error::Decoded SSH key looks like a public key, not a private key. Encode the private key file, not the .pub file." + exit 1 + ;; + *) + echo "::error::Decoded SSH key does not start with a private key header. Decoded byte count: $key_size." + exit 1 + ;; + esac + if ! keygen_error="$(ssh-keygen -y -f ~/.ssh/id_rsa 2>&1 >/dev/null)"; then + echo "::error::SSH private key is not readable by ssh-keygen: $keygen_error. Use an unencrypted private key or configure a CI-specific deploy key." exit 1 fi touch ~/.ssh/known_hosts @@ -322,13 +335,26 @@ jobs: echo "Using SSH host $VPS_HOST" mkdir -p ~/.ssh && chmod 700 ~/.ssh if [ -n "$VPS_SSH_KEY_B64" ]; then - printf '%s' "$VPS_SSH_KEY_B64" | base64 -d > ~/.ssh/id_rsa + printf '%s' "$VPS_SSH_KEY_B64" | tr -d '[:space:]' | base64 -d > ~/.ssh/id_rsa else printf '%b\n' "$VPS_SSH_KEY" | tr -d '\r' > ~/.ssh/id_rsa fi chmod 600 ~/.ssh/id_rsa - if ! ssh-keygen -y -f ~/.ssh/id_rsa >/dev/null 2>&1; then - echo "::error::SSH private key is not readable. Prefer setting VPS_SSH_KEY_B64 to: base64 -w0 /path/to/private_key" + key_header="$(head -n 1 ~/.ssh/id_rsa || true)" + key_size="$(wc -c < ~/.ssh/id_rsa | tr -d ' ')" + case "$key_header" in + "-----BEGIN "*PRIVATE*" KEY-----") ;; + ssh-*|"ecdsa-"*|"sk-"*) + echo "::error::Decoded SSH key looks like a public key, not a private key. Encode the private key file, not the .pub file." + exit 1 + ;; + *) + echo "::error::Decoded SSH key does not start with a private key header. Decoded byte count: $key_size." + exit 1 + ;; + esac + if ! keygen_error="$(ssh-keygen -y -f ~/.ssh/id_rsa 2>&1 >/dev/null)"; then + echo "::error::SSH private key is not readable by ssh-keygen: $keygen_error. Use an unencrypted private key or configure a CI-specific deploy key." exit 1 fi touch ~/.ssh/known_hosts