#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
# Abort on the first unchecked non-zero status; every later step depends on
# the previous one having succeeded.
set -o errexit
# Report a fatal error on stderr and terminate the script with status 1.
# Arguments:
#   $1 - message to print
fail() {
  local message=$1
  printf '%s\n' "$message" >&2
  exit 1
}
# All inputs arrive through the environment; refuse to run if any is missing.
# The check order matches the order in which the variables are listed here.
# NOTE(review): VAULT_ADDR, VAULT_TOKEN and VAULT_INSTALL_DIR are required but
# are not referenced anywhere else in the script as shown.
for required_var in VERIFY_SSH_SECRETS SIGNED_KEY KEY_TYPE VAULT_ADDR VAULT_TOKEN VAULT_INSTALL_DIR; do
  if [[ -z "${!required_var}" ]]; then
    fail "$required_var env variable has not been set"
  fi
done
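# Let callers opt out of verification entirely. This must exit 0 so the
# surrounding pipeline continues; the original called an undefined `log`
# helper here, which under `set -e` aborted the script with status 127
# instead. The message goes to stderr, mirroring fail().
if [[ "$VERIFY_SSH_SECRETS" == "false" ]]; then
  printf '%s\n' "VERIFY_SSH_SECRETS is false; exiting script" >&2
  exit 0
fi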
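# ssh-keygen needs the certificate on disk, so stage it in a private temp
# file (mktemp picks an unpredictable name and owner-only permissions) and
# remove it on every exit path. A failed mktemp is caught by `set -e`.
SIGNED_KEY_PATH=$(mktemp)
trap 'rm -f "$SIGNED_KEY_PATH"' EXIT
# printf rather than echo: echo would treat a value beginning with -n/-e as
# an option instead of data.
printf '%s\n' "$SIGNED_KEY" > "$SIGNED_KEY_PATH"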
# Inspect the signed key: capture ssh-keygen's certificate listing, and treat
# a non-zero exit from it as a verification failure.
ssh_key_info=$(ssh-keygen -Lf "$SIGNED_KEY_PATH") \
  || fail "Failed to verify signed SSH key"
# Pull the "Type:" field out of the ssh-keygen listing and require it to
# contain KEY_TYPE. If no "Type:" line exists, key_type is empty and the
# mismatch message reports "got " with nothing after it.
# NOTE(review): this is a substring match on the key type only; principals,
# validity window, critical options and the signing CA are not checked here.
key_type=$(awk '/Type:/ {print $2}' <<<"$ssh_key_info")
[[ "$key_type" == *"$KEY_TYPE"* ]] \
  || fail "Key type mismatch: expected $KEY_TYPE, got $key_type"