@@ -146,9 +146,16 @@ generate_jwt() {
146146 signing_input=" ${header} .${payload} "
147147
148148 signature=$( printf ' %s' " ${signing_input} " \
149- | openssl dgst -sha256 -sign " ${pem_path} " -binary \
149+ | openssl dgst -sha256 -sign " ${pem_path} " -binary 2> /dev/null \
150150 | base64url)
151151
152+ if [ -z " ${signature} " ]; then
153+ print_error " Failed to sign JWT with private key: ${pem_path} "
154+ print_error " The key must be an unencrypted PEM (GitHub app keys start with '-----BEGIN RSA PRIVATE KEY-----')."
155+ print_error " Verify it with: openssl rsa -in '${pem_path} ' -check -noout"
156+ return 1
157+ fi
158+
152159 printf ' %s.%s' " ${signing_input} " " ${signature} "
153160}
154161
@@ -163,7 +170,9 @@ mint_installation_token() {
163170 local install_id=" $3 "
164171 local jwt response http_code body token message
165172
166- jwt=$( generate_jwt " ${client_id} " " ${pem_path} " )
173+ if ! jwt=$( generate_jwt " ${client_id} " " ${pem_path} " ) ; then
174+ return 1
175+ fi
167176
168177 response=$( curl -s -w " \n%{http_code}" -X POST \
169178 -H " Authorization: Bearer ${jwt} " \
@@ -172,7 +181,7 @@ mint_installation_token() {
172181 " ${API_URL_PREFIX} /app/installations/${install_id} /access_tokens" )
173182
174183 http_code=$( echo " ${response} " | tail -1)
175- body=$( echo " ${response} " | head -n -1 )
184+ body=$( echo " ${response} " | sed ' $d ' )
176185
177186 if [ " ${http_code} " != " 201" ]; then
178187 message=$( echo " ${body} " | jq -r ' .message // empty' 2> /dev/null || true)
@@ -215,7 +224,7 @@ INSTALL_RESPONSE=$(curl -s -w "\n%{http_code}" -X POST \
215224 ' {client_id: $client_id, repository_selection: $repository_selection}' ) " )
216225
217226INSTALL_HTTP_CODE=$( echo " ${INSTALL_RESPONSE} " | tail -1)
218- INSTALL_BODY=$( echo " ${INSTALL_RESPONSE} " | head -n -1 )
227+ INSTALL_BODY=$( echo " ${INSTALL_RESPONSE} " | sed ' $d ' )
219228
220229case " ${INSTALL_HTTP_CODE} " in
221230 200|201)
0 commit comments