From 0cc6f76be2e80b93bf39c731421a3997fc0cd4b7 Mon Sep 17 00:00:00 2001
From: Flo
Date: Tue, 31 Mar 2026 00:23:55 +0200
Subject: [PATCH] fix: minor hygiene from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove unused SIGNING_KEY_PATH variable (dead code), add trap for temp file cleanup in apply_ssh_directive, add -- separator before ssh-keygen path arguments, add info message when falling back to in-memory credential cache on Linux.

Closes: #15

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 git-harden.sh | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/git-harden.sh b/git-harden.sh
index afd7487..4fe8ccf 100755
--- a/git-harden.sh
+++ b/git-harden.sh
@@ -46,7 +46,7 @@ AUDIT_MISS=0
 
 # Whether signing key was found
 SIGNING_KEY_FOUND=false
-export SIGNING_KEY_PATH="" # private key path; exported for hook/subshell use
+
 SIGNING_PUB_PATH=""
 
 # Credential helper detected for this platform
@@ -277,6 +277,7 @@ detect_credential_helper() {
 DETECTED_CRED_HELPER="$libsecret_path"
 else
 DETECTED_CRED_HELPER="cache --timeout=3600"
+ print_info "libsecret not found; falling back to in-memory credential cache (1h TTL, not persistent)"
 fi
 ;;
 esac
@@ -603,7 +604,7 @@ apply_signing_config() {
 
 detect_existing_keys() {
 SIGNING_KEY_FOUND=false
- SIGNING_KEY_PATH=""
+
 SIGNING_PUB_PATH=""
 
 # Check if a signing key is already configured
@@ -616,7 +617,7 @@ detect_existing_keys() {
 SIGNING_KEY_FOUND=true
 SIGNING_PUB_PATH="$expanded_key"
 # Derive private key path (remove .pub suffix if present)
- SIGNING_KEY_PATH="${expanded_key%.pub}"
+
 return
 fi
 fi
@@ -628,7 +629,7 @@ detect_existing_keys() {
 pub_path="${priv_path}.pub"
 if [ -f "$pub_path" ]; then
 SIGNING_KEY_FOUND=true
- SIGNING_KEY_PATH="$priv_path"
+
 SIGNING_PUB_PATH="$pub_path"
 return
 fi
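Review bot: The removed `export SIGNING_KEY_PATH=""` line in the hunk at 46 is replaced by an empty added line instead of being dropped, leaving a stray blank between `SIGNING_KEY_FOUND=false` and `SIGNING_PUB_PATH=""`; judging by the 7/7 line counts, the added line is empty in the same way in the hunks at 603, 616, 628, 652 and 751. Deleting the line outright turns each of those hunks into a plain removal and avoids six orphaned blanks inside function bodies. The removed comment said the variable was exported for hook/subshell use, and `SIGNING_PUB_PATH` is not exported, so before treating it as dead code it is worth confirming that no hook or subshell in the repository still reads `SIGNING_KEY_PATH`.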
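Review bot: In the hunk at 277, the `1h TTL` in the new `print_info` message duplicates the `--timeout=3600` literal on the line above, so the two will drift apart if either is tuned. Derive both from one value, e.g. `cred_cache_timeout=3600`, `DETECTED_CRED_HELPER="cache --timeout=$cred_cache_timeout"`, and `print_info "libsecret not found; falling back to in-memory credential cache (${cred_cache_timeout}s TTL, not persistent)"`. detect_credential_helper starts before this hunk, so where a declaration for that value belongs cannot be seen from here.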
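Review bot: In the hunk at 616, the comment `# Derive private key path (remove .pub suffix if present)` now sits above an empty line, because the only statement it described was the removed `SIGNING_KEY_PATH` assignment. Delete the comment together with the assignment and the empty added line so the block reads `SIGNING_KEY_FOUND=true`, `SIGNING_PUB_PATH="$expanded_key"`, `return`. The enclosing `if` and detect_existing_keys both start outside the hunk.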
@@ -652,7 +653,7 @@ detect_existing_keys() {
 case "$key_type_str" in
 ssh-ed25519*|sk-ssh-ed25519*)
 SIGNING_KEY_FOUND=true
- SIGNING_KEY_PATH="$identity_path"
+
 SIGNING_PUB_PATH="$pub_path"
 return
 ;;
@@ -751,7 +752,7 @@ generate_ssh_key() {
 if [ -f "$key_path" ]; then
 print_warn "$key_path already exists. Not overwriting."
 SIGNING_KEY_FOUND=true
- SIGNING_KEY_PATH="$key_path"
+
 SIGNING_PUB_PATH="${key_path}.pub"
 return
 fi
@@ -768,11 +769,11 @@ generate_ssh_key() {
 mkdir -p "$SSH_DIR"
 chmod 700 "$SSH_DIR"
- ssh-keygen -t ed25519 -C "$email" -f "$key_path"
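Review bot: In the hunk at 751, the "already exists" branch of generate_ssh_key sets `SIGNING_PUB_PATH="${key_path}.pub"` after checking only `[ -f "$key_path" ]`, whereas the detection path in the hunk at 628 checks `[ -f "$pub_path" ]` before setting the same variable; a private key whose `.pub` was never written or has since been deleted leaves `SIGNING_PUB_PATH` pointing at a missing file for whatever reads it later. This is existing behaviour the hunk only passes through, not something the commit introduces, but since the branch is being touched it is cheap to guard it the same way: `if [ -f "${key_path}.pub" ]; then SIGNING_PUB_PATH="${key_path}.pub"; else print_warn "${key_path}.pub not found; cannot derive public key"; fi`. generate_ssh_key starts before this hunk.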