fix(verify): count all OpenSSH key types + avoid 0\n0 integer-expr error

Dobby · claude · Dobby · commit 403408f2b5fd · 2026-04-23T21:44:19.000Z
Step [5/5] External Access Lockout reported "SSH keys: 0\n0 authorized"
and "[: 0\n0: integer expression expected" for users whose authorized_keys
contained a valid key. Two bugs combined:

1. `grep -c '^ssh-' ... || echo 0` — when grep finds zero matches it still
   prints "0\n" AND exits 1, so `|| echo 0` appends another "0\n".
   Command substitution strips only the final trailing newline, leaving
   KEY_COUNT="0\n0". This broke both the rendered output (two lines) and
   the subsequent [ "$KEY_COUNT" -le 1 ] comparison (bash's `[` refuses
   multi-line strings as integers).
2. The `^ssh-` regex missed ecdsa-sha2-* and sk-* key types, so an ECDSA
   or hardware-backed key was counted as zero even when validly present.

Fix:
- Broaden regex to `^(ssh-|ecdsa-|sk-)` to cover all standard OpenSSH
  public-key type prefixes.
- Swallow grep's exit-1 on zero matches with `|| :` (no stdout) instead
  of `|| echo 0`.
- Pre-check file readability and defensively reset KEY_COUNT to 0 if it
  somehow ends up non-numeric, so `[ -le 1 ]` is always comparing a
  single digit.

Bumps VERSION to v1.5.8.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/privateclaw b/privateclaw
@@ -5,7 +5,7 @@ set -e
 # TEE verification and management for PrivateClaw CVMs.
 # https://github.com/lunal-dev/privateclaw-cli (repo name unchanged)
 
-VERSION="v1.5.7"
+VERSION="v1.5.8"
 
 ATTEST_DIR="/etc/privateclaw"
 EVIDENCE_FILE="$ATTEST_DIR/evidence.json"
@@ -676,8 +676,28 @@ PYEOF
   # ==========================================================================
   echo "[5/$TOTAL_CHECKS] External Access Lockout"
 
-  KEY_COUNT=$(grep -c '^ssh-' "$ADMIN_HOME/.ssh/authorized_keys" 2>/dev/null || echo 0)
-  KEY_COUNT="${KEY_COUNT:-0}"
+  # Count authorized SSH keys. Two subtleties bit the previous version:
+  #  1. `grep -c` exits 1 when it finds zero matches. Combined with a
+  #     `|| echo 0` fallback, stdout concatenated "0\n" (from grep) + "0\n"
+  #     (from echo); command substitution stripped the trailing newline,
+  #     leaving KEY_COUNT="0\n0". That broke the display (two-line
+  #     "0\n0 authorized") AND the numeric comparison ([: 0\n0: integer
+  #     expression expected).
+  #  2. The old regex `^ssh-` missed ecdsa-* and sk-* key types, so users
+  #     with ECDSA or hardware-security keys would get KEY_COUNT=0 and
+  #     FAIL the step even with a valid key configured.
+  # Fix: match all standard OpenSSH key-type prefixes, and swallow grep's
+  # non-zero exit with `|| :` (no extra stdout) instead of `|| echo 0`.
+  if [ -r "$ADMIN_HOME/.ssh/authorized_keys" ]; then
+    KEY_COUNT=$(grep -cE '^(ssh-|ecdsa-|sk-)' "$ADMIN_HOME/.ssh/authorized_keys" 2>/dev/null || :)
+  else
+    KEY_COUNT=0
+  fi
+  # Defensive: if KEY_COUNT is empty or contains non-digits, reset to 0
+  # so the `[ -le 1 ]` comparison below never sees a multi-line string.
+  case "$KEY_COUNT" in
+    ''|*[!0-9]*) KEY_COUNT=0 ;;
+  esac
   echo "  SSH keys:      $KEY_COUNT authorized"
 
   if command -v ufw &>/dev/null; then
