From a4bd6a1a6a284a14712a80bb11dba5c5b600f32d Mon Sep 17 00:00:00 2001
From: Tero Halla-aho
Date: Sat, 20 Dec 2025 21:57:03 +0200
Subject: [PATCH] Accept multiple age recipients in build preflight

---
 deploy/build.sh | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/deploy/build.sh b/deploy/build.sh
index f8ff53a..9d2b58e 100755
--- a/deploy/build.sh
+++ b/deploy/build.sh
@@ -19,7 +19,10 @@ done
 if [[ -z "$AGE_KEY_FILE" ]]; then
   AGE_KEY_FILE="$HOME/.config/age/keys.txt"
 fi
-AGE_RECIPIENT="age1hkehkc2rryjl975c2mg5cghmjr54n4wjshncl292h2eg5l394fhs4uydrh"
+AGE_RECIPIENTS=(
+  "age1hkehkc2rryjl975c2mg5cghmjr54n4wjshncl292h2eg5l394fhs4uydrh"
+  "age1ducvqxdzdhhluftu5hv4f2xsppmn803uh8tnnqj92v4n7nf6lprq9h3dqp"
+)
 ENCRYPTED_SECRETS_FILE="${ENCRYPTED_SECRETS_FILE:-$PWD/creds/secrets.enc.env}"
 
 require_cmd() {
@@ -53,19 +56,25 @@ check_age_setup() {
   fi
   local has_key="0"
   if command -v age-keygen >/dev/null 2>&1; then
-    if age-keygen -y "$AGE_KEY_FILE" 2>/dev/null | grep -q "$AGE_RECIPIENT"; then
-      has_key="1"
-    fi
+    for recipient in "${AGE_RECIPIENTS[@]}"; do
+      if age-keygen -y "$AGE_KEY_FILE" 2>/dev/null | grep -q "$recipient"; then
+        has_key="1"
+        break
+      fi
+    done
   else
     # Fallback: best-effort text check for the public key comment
-    if grep -q "$AGE_RECIPIENT" "$AGE_KEY_FILE"; then
-      has_key="1"
-    fi
+    for recipient in "${AGE_RECIPIENTS[@]}"; do
+      if grep -q "$recipient" "$AGE_KEY_FILE"; then
+        has_key="1"
+        break
+      fi
+    done
   fi
   if [[ "$has_key" != "1" ]]; then
-    echo "Age key file at $AGE_KEY_FILE does not contain the expected public key ($AGE_RECIPIENT)." >&2
-    if [[ -f "$repo_age_key" ]] && grep -q "$AGE_RECIPIENT" "$repo_age_key"; then
+    echo "Age key file at $AGE_KEY_FILE does not contain any expected public key: ${AGE_RECIPIENTS[*]}." >&2
+    if [[ -f "$repo_age_key" ]]; then
       cat >&2 <
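Review bot: The two entries added to `AGE_RECIPIENTS` in the first hunk carry no comment saying whose keys they are or why the preflight now accepts either one, which is exactly what a maintainer needs when one of them has to be rotated or dropped from this allow-list later. Suggest a header comment on the line before the array, e.g. `# Public keys accepted by check_age_setup; remove an entry here when its key is retired`, and since the list is a constant it can be declared `readonly -a AGE_RECIPIENTS=(`. If the script runs under `set -u` and any line outside these hunks still reads `$AGE_RECIPIENT`, the rename will abort it there, so a grep for the old name across deploy/build.sh is worth doing before merge. The second hunk (check_age_setup) runs past the end of this excerpt, so its loop bodies were not reviewed here.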