brianhansonxyz/clearpilot
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity

fix: decrypt SSH keys to tmpdir instead of repo, gitignore ed25519 keys

Browse Source 
The decrypt step in provision.sh was writing decrypted private keys
directly into the source tree (system/clearpilot/dev/), leaving them
as untracked files in the repo. Now decrypts to a mktemp dir, copies
to the SSH dir, and cleans up. Also added ed25519 key paths to
.gitignore to match the existing id_rsa entries.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Brian Hanson
2026-04-15 02:42:52 +00:00
parent f46339c949
commit 531b3edcd2
3 changed files with 12 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@@ -2,6 +2,8 @@ prebuilt
system/clearpilot/dev/on_start_brian.sh
system/clearpilot/dev/id_rsa
system/clearpilot/dev/id_rsa.pub
system/clearpilot/dev/id_ed25519
system/clearpilot/dev/id_ed25519.pub
venv/
.venv/
.ci_cache

2
system/clearpilot/on_start.sh
View File

@@ -14,5 +14,5 @@ nmcli radio wifi on 2>/dev/null
# Provision (packages, git pull, build) if no quick_boot flag
if [ ! -f /data/quick_boot ]; then
bash /data/openpilot/system/clearpilot/provision.sh
sudo bash /data/openpilot/system/clearpilot/provision.sh
fi

23
system/clearpilot/provision.sh
View File

@@ -32,11 +32,9 @@ sudo mount -o remount,rw /
echo "Installing packages..."
sudo apt-get update -qq
sudo apt-get install -y openvpn curl ccrypt
echo "Installing Node.js 18..."
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
#echo "Installing Node.js 20..."
#curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt-get install -y nodejs
node -v
sudo apt-get install -y npm
mount -o rw,remount /
echo "Installing Claude Code..."
curl -fsSL https://claude.ai/install.sh | bash
@@ -49,10 +47,12 @@ serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
ssh_dir="/data/ssh/.ssh"
if [[ $serial == 3889765b ]] && [[ ! -f "$ssh_dir/id_ed25519" || ! -f "$ssh_dir/id_ed25519.pub" ]]; then
echo "Decrypting SSH identity keys (serial=$serial)..."
bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.cpt /data/openpilot/system/clearpilot/dev/id_ed25519
bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.pub.cpt /data/openpilot/system/clearpilot/dev/id_ed25519.pub
tmpdir=$(mktemp -d)
bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.cpt "$tmpdir/id_ed25519"
bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.pub.cpt "$tmpdir/id_ed25519.pub"
mkdir -p "$ssh_dir"
cp /data/openpilot/system/clearpilot/dev/id_ed25519 /data/openpilot/system/clearpilot/dev/id_ed25519.pub "$ssh_dir/"
cp "$tmpdir/id_ed25519" "$tmpdir/id_ed25519.pub" "$ssh_dir/"
rm -rf "$tmpdir"
chmod 700 "$ssh_dir"
chmod 600 "$ssh_dir/id_ed25519"
chmod 644 "$ssh_dir/id_ed25519.pub"
@@ -76,15 +76,8 @@ fi
# 5. Build
echo ""
echo "Starting build..."
sudo su - comma -c "bash /data/openpilot/build_only.sh"
if [ $? -eq 0 ]; then
echo "Build succeeded"
sudo chown -R comma:comma /data/openpilot
touch /data/quick_boot
else
echo "Build failed"
sleep 10
fi
echo "Provision complete"
sleep 2