brianhansonxyz/clearpilot
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity

move SSH key decryption from provision.sh to on_start.sh
Some checks failed
prebuilt / build prebuilt (push) Has been cancelled
Details
badges / create badges (push) Has been cancelled
Details

Browse Source 
Keys now install to /root/.ssh/ (for root git operations) instead of
/data/ssh/.ssh/. Runs every boot via on_start.sh so keys are available
even without a full provision cycle.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Brian Hanson
2026-04-15 02:59:34 +00:00
parent 6fcd4b37ba
commit 5e7911e599
2 changed files with 17 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
system/clearpilot/on_start.sh
View File

@@ -9,6 +9,23 @@ echo -n 1 > /data/params/d/SshEnabled
sudo systemctl enable ssh 2>/dev/null sudo systemctl enable ssh 2>/dev/null
sudo systemctl start ssh sudo systemctl start ssh
# Decrypt and install SSH identity keys for root (git auth)
serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
ssh_dir="/root/.ssh"
if [[ $serial == 3889765b ]] && [[ ! -f "$ssh_dir/id_ed25519" || ! -f "$ssh_dir/id_ed25519.pub" ]]; then
echo "Decrypting SSH identity keys for root (serial=$serial)..."
tmpdir=$(mktemp -d)
bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.cpt "$tmpdir/id_ed25519"
bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.pub.cpt "$tmpdir/id_ed25519.pub"
sudo mkdir -p "$ssh_dir"
sudo cp "$tmpdir/id_ed25519" "$tmpdir/id_ed25519.pub" "$ssh_dir/"
rm -rf "$tmpdir"
sudo chmod 700 "$ssh_dir"
sudo chmod 600 "$ssh_dir/id_ed25519"
sudo chmod 644 "$ssh_dir/id_ed25519.pub"
echo "SSH identity keys installed to $ssh_dir"
fi
# Always ensure WiFi radio is on # Always ensure WiFi radio is on
nmcli radio wifi on 2>/dev/null nmcli radio wifi on 2>/dev/null

19
system/clearpilot/provision.sh
View File

@@ -45,25 +45,6 @@ exec /root/.local/bin/claude "$@"
WRAPPER WRAPPER
chmod +x /usr/local/bin/claude chmod +x /usr/local/bin/claude
echo "Packages installed" echo "Packages installed"
# Decrypt and install SSH identity keys (for git auth)
# Uses hardware serial from /proc/cmdline as device identity and decryption key
serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
ssh_dir="/data/ssh/.ssh"
if [[ $serial == 3889765b ]] && [[ ! -f "$ssh_dir/id_ed25519" || ! -f "$ssh_dir/id_ed25519.pub" ]]; then
echo "Decrypting SSH identity keys (serial=$serial)..."
tmpdir=$(mktemp -d)
bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.cpt "$tmpdir/id_ed25519"
bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.pub.cpt "$tmpdir/id_ed25519.pub"
mkdir -p "$ssh_dir"
cp "$tmpdir/id_ed25519" "$tmpdir/id_ed25519.pub" "$ssh_dir/"
rm -rf "$tmpdir"
chmod 700 "$ssh_dir"
chmod 600 "$ssh_dir/id_ed25519"
chmod 644 "$ssh_dir/id_ed25519.pub"
echo "SSH identity keys installed to $ssh_dir"
fi
# 4. Ensure git remote uses SSH (not HTTPS) # 4. Ensure git remote uses SSH (not HTTPS)
cd /data/openpilot cd /data/openpilot
EXPECTED_REMOTE="git@git.hanson.xyz:brianhansonxyz/clearpilot.git" EXPECTED_REMOTE="git@git.hanson.xyz:brianhansonxyz/clearpilot.git"