From b5fdbdacdc4b8c9d526c6bbfc5e6c0f5cf52a41b Mon Sep 17 00:00:00 2001
From: byte
Date: Sat, 5 Apr 2025 12:56:58 +0200
Subject: [PATCH 1/7] add script to validate keys

---
 check_key.sh | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100755 check_key.sh

diff --git a/check_key.sh b/check_key.sh
new file mode 100755
index 0000000..a963a68
--- /dev/null
+++ b/check_key.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Input file containing the SSH public keys
+key_file=$1
+
+# Read the file line by line
+while IFS= read -r line; do
+ # Skip empty lines
+ if [ -z "$line" ]; then
+ continue
+ fi
+
+ # Trim leading/trailing whitespace (preserving the key and comment structure)
+ trimmed_line=$(echo "$line" | xargs)
+
+ # Validate the SSH key format:
+ # Starts with ssh-, followed by base64-encoded data, and an optional comment
+ echo $key_file
+ if ! echo "$trimmed_line" | grep -Eq '^ssh-(rsa|ed25519|dss|ecdsa) [A-Za-z0-9+/=]+ ?.*$'; then
+ echo "Invalid key format: $line"
+ exit 1
+ fi
+
+ # Ensure there is only one key on the line: a valid key should only have one space separating key data from the comment
+ space_count=$(echo "$trimmed_line" | grep -o ' ' | wc -l)
+ if [ "$space_count" -gt 2 ]; then
+ echo "Invalid: Multiple keys found on the same line"
+ exit 1
+ fi
+
+done < "$key_file"
+
+echo "All keys are valid and correctly formatted."

From 74f71728c356c601cfbc2aef356774ffec36c6ba Mon Sep 17 00:00:00 2001
From: byte
Date: Sat, 5 Apr 2025 12:59:32 +0200
Subject: [PATCH 2/7] add workflow

---
 .forgejo/workflows/validate-keys.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 .forgejo/workflows/validate-keys.yaml

diff --git a/.forgejo/workflows/validate-keys.yaml b/.forgejo/workflows/validate-keys.yaml
new file mode 100644
index 0000000..56ab0a3
--- /dev/null
+++ b/.forgejo/workflows/validate-keys.yaml
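Review bot: A missing or unreadable `$1` still prints `All keys are valid and correctly formatted.` and exits 0, because the redirection on `done < "$key_file"` fails without `set -e` and control falls through to the final echo; a `.pub` file whose last line has no trailing newline is likewise passed without that line being checked, since `read -r` returns non-zero on it. Guard both with `[ -r "$key_file" ] || { echo "cannot read: $key_file" >&2; exit 1; }` after the assignment and `while IFS= read -r line || [ -n "$line" ]; do` for the loop. The `echo $key_file` before the grep looks like leftover debug output on stdout. The type alternation also does not match real key types: ECDSA public keys start with `ecdsa-sha2-nistp256` (there is no `ssh-ecdsa`), so they are rejected, while `[A-Za-z0-9+/=]+ ?.*$` only checks the alphabet and lets `.*` absorb whatever follows, so a line with two keys run together still matches and the `space_count` check does not catch it either.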
@@ -0,0 +1,19 @@
+name: test
+on:
+ push:
+ branches:
+ - 'main'
+ pull_request:
+
+jobs:
+ test:
+ runs-on: docker
+ container:
+ image: 'code.forgejo.org/oci/ci:1'
+ steps:
+ - uses: actions/checkout@v4
+ - run: for i in *.pub; do ./check_key.sh $i; done
+ - run: |
+ echo assembeling authorized keys &&
+ cat keys/*.pub > authorized_keys
+ - run: ssh-keygen -l -f authorized_keys

From 2af9aae496304be063f2590e32b5285de7139f77 Mon Sep 17 00:00:00 2001
From: byte
Date: Sat, 5 Apr 2025 13:00:06 +0200
Subject: [PATCH 3/7] fix workflow

---
 .forgejo/workflows/validate-keys.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/workflows/validate-keys.yaml b/.forgejo/workflows/validate-keys.yaml
index 56ab0a3..27e6feb 100644
--- a/.forgejo/workflows/validate-keys.yaml
+++ b/.forgejo/workflows/validate-keys.yaml
@@ -15,5 +15,5 @@ jobs:
 - run: for i in *.pub; do ./check_key.sh $i; done
 - run: |
 echo assembeling authorized keys &&
- cat keys/*.pub > authorized_keys
+ cat *.pub > authorized_keys
 - run: ssh-keygen -l -f authorized_keys

From 5fb7d17f0ac6b7b35dea769b3fa1818a93463f30 Mon Sep 17 00:00:00 2001
From: byte
Date: Sat, 5 Apr 2025 13:07:23 +0200
Subject: [PATCH 4/7] test if ci fails with invalid key

---
 byte.pub | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/byte.pub b/byte.pub
index a54982d..057ced8 100644
--- a/byte.pub
+++ b/byte.pub
@@ -1,2 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWcYvzMXydV3n3S5DfT5C0TGQROKC2OUr/WLo+ohqZ7
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYfR9R1unNcDxCiS9lIYG1xEgZHF9/1zHrOn/Gn9tqB
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWcYvzMXydV3n3S5DfT5C0TGQROKC2OUr/WLo+ohqZ7ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYfR9R1unNcDxCiS9lIYG1xEgZHF9/1zHrOn/Gn9tqB

From 9736f68157e494bcd41329c7ae608d91c0b1806c Mon Sep 17 00:00:00 2001
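Review bot: The step `for i in *.pub; do ./check_key.sh $i; done` does not propagate a failure on its own: whether a non-zero exit inside the loop body aborts the step depends on the runner's default shell flags, which are not visible here, so write it as `for i in *.pub; do ./check_key.sh "$i" || exit 1; done`, quoting `$i` as well. With no `.pub` file in the checkout the unmatched glob is passed literally as the filename `*.pub`. `actions/checkout@v4` and the `code.forgejo.org/oci/ci:1` image are both referenced by mutable tag; since this job assembles an `authorized_keys` file, pinning the action to a commit SHA and the image to a digest narrows what an upstream change to either can do to that output.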
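Review bot: `cat *.pub > authorized_keys` concatenates byte-for-byte, so a `.pub` file whose last line lacks a trailing newline is fused with the first line of the next file into one unparseable entry — the same shape the following test commit writes into byte.pub — and the per-file check in the preceding step runs before assembly, so it never sees the fused line. `awk 1 *.pub > authorized_keys` yields the same content with a newline guaranteed after every record. The spelling in `echo assembeling authorized keys` is context here and not touched by this hunk.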
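Review bot: This fixture does not exercise the validator it targets: check_key.sh's pattern matches the new line, because `[A-Za-z0-9+/=]+` stops at the `-` of the second `ssh-ed25519`, ` ?.*$` absorbs the rest, and the single space keeps `space_count` at 1, so the script reports the file as valid. A run-together line like this is only rejected by a check that decodes the key blob; the current script inspects the character alphabet only. If this is meant as a negative CI test it also needs an expected-failure assertion, otherwise a green run and a broken validator look identical.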
From: byte
Date: Sat, 5 Apr 2025 13:17:37 +0200
Subject: [PATCH 5/7] maybe just use ssh-keygen

---
 .forgejo/workflows/validate-keys.yaml | 2 +-
 byte.pub | 3 ++-
 check_key.sh | 33 ---------------------------
 3 files changed, 3 insertions(+), 35 deletions(-)
 delete mode 100755 check_key.sh

diff --git a/.forgejo/workflows/validate-keys.yaml b/.forgejo/workflows/validate-keys.yaml
index 27e6feb..8cf75f2 100644
--- a/.forgejo/workflows/validate-keys.yaml
+++ b/.forgejo/workflows/validate-keys.yaml
@@ -12,7 +12,7 @@ jobs:
 image: 'code.forgejo.org/oci/ci:1'
 steps:
 - uses: actions/checkout@v4
- - run: for i in *.pub; do ./check_key.sh $i; done
+ - run: for i in *.pub; do ssh-keygen -l -f $i; done
 - run: |
 echo assembeling authorized keys &&
 cat *.pub > authorized_keys
diff --git a/byte.pub b/byte.pub
index 057ced8..a54982d 100644
--- a/byte.pub
+++ b/byte.pub
@@ -1 +1,2 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWcYvzMXydV3n3S5DfT5C0TGQROKC2OUr/WLo+ohqZ7ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYfR9R1unNcDxCiS9lIYG1xEgZHF9/1zHrOn/Gn9tqB
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWcYvzMXydV3n3S5DfT5C0TGQROKC2OUr/WLo+ohqZ7
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYfR9R1unNcDxCiS9lIYG1xEgZHF9/1zHrOn/Gn9tqB
diff --git a/check_key.sh b/check_key.sh
deleted file mode 100755
index a963a68..0000000
--- a/check_key.sh
+++ /dev/null
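Review bot: `ssh-keygen -l -f $i` is a weaker per-file check than it appears: as far as I recall, `ssh-keygen -l` reads the file line by line, skips lines it cannot parse, and fails only when no line parsed at all, so a multi-line `.pub` with one corrupt key still exits 0; the test commits that follow exercise only a single-line file, where the whole file becomes unparseable. Feeding each line to ssh-keygen separately makes every key count, and `$i` should be quoted either way. The final `ssh-keygen -l -f authorized_keys` step is context here and has the same property.
```yaml
      - run: |
          for i in *.pub; do
            while IFS= read -r k || [ -n "$k" ]; do
              [ -z "$k" ] && continue
              ssh-keygen -l -f /dev/stdin <<<"$k" >/dev/null || { echo "invalid key in $i: $k" >&2; exit 1; }
            done < "$i"
          done
# … unchanged: assembly and fingerprint steps …
```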
@@ -1,33 +0,0 @@
-#!/bin/bash
-
-# Input file containing the SSH public keys
-key_file=$1
-
-# Read the file line by line
-while IFS= read -r line; do
- # Skip empty lines
- if [ -z "$line" ]; then
- continue
- fi
-
- # Trim leading/trailing whitespace (preserving the key and comment structure)
-trimmed_line=$(echo "$line" | xargs)
-
- # Validate the SSH key format:
- # Starts with ssh-, followed by base64-encoded data, and an optional comment
- echo $key_file
- if ! echo "$trimmed_line" | grep -Eq '^ssh-(rsa|ed25519|dss|ecdsa) [A-Za-z0-9+/=]+ ?.*$'; then
- echo "Invalid key format: $line"
- exit 1
- fi
-
- # Ensure there is only one key on the line: a valid key should only have one space separating key data from the comment
- space_count=$(echo "$trimmed_line" | grep -o ' ' | wc -l)
- if [ "$space_count" -gt 2 ]; then
- echo "Invalid: Multiple keys found on the same line"
- exit 1
- fi
-
-done < "$key_file"
-
-echo "All keys are valid and correctly formatted."

From c0976a56a9eb0296d950d77b183dc1647cecb64b Mon Sep 17 00:00:00 2001
From: byte
Date: Sat, 5 Apr 2025 13:18:12 +0200
Subject: [PATCH 6/7] test if ci fails with invalid key

---
 byte.pub | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/byte.pub b/byte.pub
index a54982d..057ced8 100644
--- a/byte.pub
+++ b/byte.pub
@@ -1,2 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWcYvzMXydV3n3S5DfT5C0TGQROKC2OUr/WLo+ohqZ7
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYfR9R1unNcDxCiS9lIYG1xEgZHF9/1zHrOn/Gn9tqB
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWcYvzMXydV3n3S5DfT5C0TGQROKC2OUr/WLo+ohqZ7ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYfR9R1unNcDxCiS9lIYG1xEgZHF9/1zHrOn/Gn9tqB

From 7e9866171e036018e112774195cd221c4568886e Mon Sep 17 00:00:00 2001
From: byte
Date: Sat, 5 Apr 2025 13:18:47 +0200
Subject: [PATCH 7/7] fix key

---
 byte.pub | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/byte.pub b/byte.pub
index 057ced8..a54982d 100644
--- a/byte.pub
+++ b/byte.pub
@@ -1 +1,2 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWcYvzMXydV3n3S5DfT5C0TGQROKC2OUr/WLo+ohqZ7ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYfR9R1unNcDxCiS9lIYG1xEgZHF9/1zHrOn/Gn9tqB
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWcYvzMXydV3n3S5DfT5C0TGQROKC2OUr/WLo+ohqZ7
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYfR9R1unNcDxCiS9lIYG1xEgZHF9/1zHrOn/Gn9tqB