Github Auth
#!/usr/bin/env bash
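#######################################
# Report the on-disk format of an SSH private key file and whether it is
# encrypted at rest. Only header metadata is read and printed; no key
# material is decoded or echoed.
# Arguments: $1 - path to the private key file (taken from the ssh -vv log)
# Outputs:   KEY=VALUE lines on stdout, one of:
#            KEY_FILE_STATUS=missing                         file absent
#            FORMAT=OPENSSH ENCRYPTED=yes|no CIPHER=.. KDF=.. new-format key
#            FORMAT=OPENSSH PARSE_ERROR                      body not an openssh-key-v1 blob
#            FORMAT=PEM ENCRYPTED=yes|no                     legacy RSA/EC/DSA PEM key
#            FORMAT=PKCS8 ENCRYPTED=yes|no                   PKCS#8 PEM key
#            FORMAT=unknown + HEADER=<first line>            anything else
# Returns:   0
#######################################
inspect_key() {
  local k="$1"
  local hdr
  [ -f "$k" ] || { echo "KEY_FILE_STATUS=missing"; return; }
  # Declaration split from assignment so a failing head is not masked.
  hdr="$(head -n 1 "$k" 2>/dev/null || true)"
  case "$hdr" in
    '-----BEGIN OPENSSH PRIVATE KEY-----')
      # New-format key: the base64 body is an openssh-key-v1 blob whose header
      # starts with the cipher and KDF names. Reading just those two strings is
      # enough to tell whether a passphrase protects the key.
      python3 - "$k" <<'PY'
import base64, binascii, struct, sys

path = sys.argv[1]
with open(path, "rb") as fh:
    lines = fh.read().splitlines()
# Strip the PEM-style armour lines; what remains is the base64 body.
b64 = b"".join(l for l in lines if not l.startswith(b"-----"))
magic = b"openssh-key-v1\x00"


def fail():
    print("FORMAT=OPENSSH PARSE_ERROR")
    sys.exit(0)


try:
    raw = base64.b64decode(b64)
except (binascii.Error, ValueError):
    fail()
if not raw.startswith(magic):
    fail()

i = len(magic)


def read_cstring():
    # uint32 big-endian length prefix followed by that many bytes; a
    # truncated blob is reported as a parse error instead of raising.
    global i
    if i + 4 > len(raw):
        fail()
    n = struct.unpack(">I", raw[i:i + 4])[0]
    i += 4
    if i + n > len(raw):
        fail()
    s = raw[i:i + n]
    i += n
    return s


cipher = read_cstring().decode(errors="replace")
kdf = read_cstring().decode(errors="replace")
enc = "yes" if cipher != "none" else "no"
print(f"FORMAT=OPENSSH ENCRYPTED={enc} CIPHER={cipher} KDF={kdf}")
PY
      return
      ;;
    '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----'|'-----BEGIN DSA PRIVATE KEY-----')
      # Legacy PEM keys signal encryption with a Proc-Type header line.
      if grep -q -- 'Proc-Type: 4,ENCRYPTED' "$k"; then
        echo "FORMAT=PEM ENCRYPTED=yes"
      else
        echo "FORMAT=PEM ENCRYPTED=no"
      fi
      return
      ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----')
      # PKCS#8 encrypted key (RFC 7468 label).
      echo "FORMAT=PKCS8 ENCRYPTED=yes"
      return
      ;;
    '-----BEGIN PRIVATE KEY-----')
      # PKCS#8 unencrypted key (RFC 7468 label).
      echo "FORMAT=PKCS8 ENCRYPTED=no"
      return
      ;;
  esac
  echo "FORMAT=unknown"
  # printf rather than echo: the first line of an unrecognised file is
  # arbitrary data and must not be interpreted as echo options.
  printf '%s\n' "HEADER=$hdr"
}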
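# Temporary clone directories are removed when the script exits; the ssh
# trace log is kept on purpose because its path is printed for later review.
ssh_dir=""
https_dir=""
cleanup() {
  if [ -n "$ssh_dir" ]; then rm -rf -- "$ssh_dir"; fi
  if [ -n "$https_dir" ]; then rm -rf -- "$https_dir"; fi
  return 0
}
trap cleanup EXIT

echo "--------------------- SSH clone:"
ssh_dir="$(mktemp -d /tmp/empty-ssh.XXXXXX)" || exit 1
# mktemp instead of a timestamp-named file: a predictable path in the shared
# /tmp can be pre-created by another local user, who could then read or
# replace the trace before this script writes it.
log="$(mktemp /tmp/git-ssh-trace.XXXXXX)" || exit 1
# Tear down any ControlMaster session so the clone performs a fresh
# authentication that actually shows up in the -vv trace.
ssh -O stop github.com 2>/dev/null || true
GIT_TRACE=1 GIT_SSH_COMMAND='ssh -vv' git clone -v git@github.com:KittyCAD/empty.git "$ssh_dir" >"$log" 2>&1
ec=$?

# Condensed view of the authentication exchange.
awk '/ssh -vv|Offering public key|Authentications that can continue|Authentication succeeded|Permission denied|fatal:|trace: run_command:/{print}' "$log"
echo "SSH exit=$ec log=$log"

# Classify how the accepted key was supplied: agent/hardware-backed,
# passphrase-protected local file, or a plain local file (inconclusive when
# the log carries no hint either way).
awk '
/Server accepts key:/ {acc=1; print "ACCEPTED:", $0}
/Offering public key:/ {offer_n++; offers[offer_n]=$0}
/Enter passphrase for key/ || /bad passphrase/ || /incorrect passphrase/ {
  pp=1
  if (!pp_ex) pp_ex=$0
}
# Count hits per agent/hardware rule and keep the first matching line as an example.
function mark(rule, s) {
  agent=1
  hit[rule]++
  if (!(rule in ex)) ex[rule]=s
}
{
  # Agent / IdentityAgent / agent identities
  if ($0 ~ /get_agent_identities/ || $0 ~ /agent returned/ || $0 ~ /ssh-agent/ || $0 ~ /Authentication agent/ || $0 ~ /IdentityAgent/)
    mark("agent/IdentityAgent", $0)
  # Explicit "offering via agent" / agent refused signing
  if ($0 ~ /Offering public key:.*agent/ || $0 ~ /sign_and_send_pubkey:.*agent/ || $0 ~ /agent refused operation/)
    mark("offered via agent", $0)
  # PKCS#11 (smartcard / token)
  if ($0 ~ /pkcs11/ || $0 ~ /PKCS11/)
    mark("PKCS#11", $0)
  # FIDO / security key UX signals
  if ($0 ~ /FIDO/ || $0 ~ /security key/ || $0 ~ /PIN/ || $0 ~ /touch/)
    mark("FIDO", $0)
}
END{
  print "---- verdict ----"
  if(!acc){ print "No \"Server accepts key\" line found in log"; exit 1 }
  if(agent){
    print "Accepted key appears AGENT/HARDWARE-backed (not decrypted from a local file)."
    print "Agent evidence (rules that triggered):"
    for (k in hit) printf "- %s: %d (e.g. %s)\n", k, hit[k], ex[k]
  } else if(pp){
    print "Accepted key likely PASSPHRASE-PROTECTED local key (ssh prompted for passphrase)."
    print "Passphrase evidence (e.g.): " pp_ex
  } else {
    print "Accepted key looks like an UNENCRYPTED local key OR an agent key with no obvious hints in log (inconclusive)."
  }
  print "Offering summary:"
  for(i=1;i<=offer_n;i++) print "- " offers[i]
}' "$log"

# Path of the accepted key when it came from a file (~/ expanded to $HOME);
# empty when the key was offered through an agent or nothing was accepted.
keyfile="$(
  awk '
  /Offering public key:/ { last=$0 }
  /Server accepts key:/ {
    if ($0 ~ /agent/ || last ~ /agent/) exit
    for (i=1;i<=NF;i++)
      if ($i ~ /^\// || $i ~ /^~\//) {
        gsub(/^~\//, ENVIRON["HOME"] "/", $i)
        print $i
        exit
      }
  }
  ' "$log"
)"
if [ -n "$keyfile" ]; then
  inspect_key "$keyfile"
elif grep -q 'Server accepts key:' "$log"; then
  echo "SOURCE=agent/hardware (no private key file)"
else
  # No key was accepted at all, so there is no key source to report; the
  # earlier branches would otherwise misreport a failed login as agent-backed.
  echo "SOURCE=none (no key accepted; see $log)"
fi

echo "--------------------- HTTPS clone:"
https_dir="$(mktemp -d /tmp/empty-https.XXXXXX)" || exit 1
# credential.interactive=never asks git and its credential helpers not to
# prompt, so only already-stored credentials are exercised. Trace output goes
# straight to the terminal rather than to a file.
GIT_TRACE=1 GIT_TRACE_CREDENTIALS=1 git -c credential.interactive=never clone -v https://github.com/KittyCAD/empty.git "$https_dir"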