build: fix github web-flow PGPpubkeyFingerprint (#4417)

* build: fix github web-flow PGPpubkeyFingerprint
* git-verify: use extended regular expression to check alternative key
* build: break when external scripts return with error
* git-verify: use extended regular expression to check correctKey
* ci: maximize disk space in gh action
using https://github.com/marketplace/actions/maximize-build-disk-space

.github/workflows/amd64-lean-image.yml

@@ -31,6 +31,12 @@ jobs:
   amd64-image-build:
     runs-on: ubuntu-22.04
     steps:
+      - name: Maximize build space
+        uses: easimon/maximize-build-space@master
+        with:
+          root-reserve-mb: 12288
+          temp-reserve-mb: 12288
+
       - uses: actions/checkout@v4
 
       - name: Set values

build_sdcard.sh

@@ -748,8 +748,8 @@ fi
 
 # *** CACHE DISK IN RAM & KEYVALUE-STORE***
 echo "Activating CACHE RAM DISK ... "
-/home/admin/_cache.sh ramdisk on
-/home/admin/_cache.sh keyvalue on
+/home/admin/_cache.sh ramdisk on || exit 1
+/home/admin/_cache.sh keyvalue on || exit 1
 
 # *** Wifi, Bluetooth & other RaspberryPi configs ***
 if [ "${baseimage}" = "raspios_arm64"  ] || [ "${baseimage}" = "debian" ]; then
@@ -794,7 +794,7 @@ cp /home/admin/assets/background.service /etc/systemd/system/background.service
 systemctl enable background
 
 # *** BACKGROUND SCAN ***
-/home/admin/_background.scan.sh install
+/home/admin/_background.scan.sh install || exit 1
 
 #######
 # TOR #
@@ -863,13 +863,13 @@ echo "1. login fresh --> user:admin password:raspiblitz"
 echo -e "2. run --> release\n"
 
 # make sure that at least the code is available (also if no internet)
-/home/admin/config.scripts/blitz.display.sh prepare-install
+/home/admin/config.scripts/blitz.display.sh prepare-install || exit 1
 # (do last - because it might trigger reboot)
 if [ "${display}" != "headless" ] || [ "${baseimage}" = "raspios_arm64" ]; then
   echo "*** ADDITIONAL DISPLAY OPTIONS ***"
   echo "- calling: blitz.display.sh set-display ${display}"
-  /home/admin/config.scripts/blitz.display.sh set-display ${display}
-  /home/admin/config.scripts/blitz.display.sh rotate 1
+  /home/admin/config.scripts/blitz.display.sh set-display ${display} || exit 1
+  /home/admin/config.scripts/blitz.display.sh rotate 1 || exit 1
 fi
 
 echo "# BUILD DONE - see above"

home.admin/config.scripts/blitz.display.sh

@@ -250,7 +250,7 @@ function install_lcd() {
     sudo -u admin git checkout master
     sudo -u admin git reset --hard 5a206a7 || exit 1
     
-    sudo -u admin /home/admin/config.scripts/blitz.git-verify.sh 'GitHub' 'https://github.com/web-flow.gpg' '4AEE18F83AFDEB23' || exit 1
+    sudo -u admin /home/admin/config.scripts/blitz.git-verify.sh 'GitHub' 'https://github.com/web-flow.gpg' '(4AEE18F83AFDEB23|B5690EEEBB952194)' || exit 1
 
     # customized from https://github.com/tux1c/wavesharelcd-64bit-rpi/blob/master/install.sh
     # prepare X11

home.admin/config.scripts/blitz.git-verify.sh

@@ -15,7 +15,7 @@ fi
 # Example for commits created on GitHub:
 # PGPsigner="web-flow"
 # PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"
-# PGPpubkeyFingerprint="4AEE18F83AFDEB23"
+# PGPpubkeyFingerprint="(4AEE18F83AFDEB23|B5690EEEBB952194)"
 
 # Example for commits signed with a personal PGP key:
 # PGPsigner="janoside"
@@ -49,7 +49,7 @@ fi
 
 echo "# importing key of ${PGPsigner}"
 gpg --import --import-options show-only /var/cache/raspiblitz/pgp_keys_${PGPsigner}.asc
-fingerprint=$(gpg --show-keys --keyid-format LONG /var/cache/raspiblitz/pgp_keys_${PGPsigner}.asc 2>/dev/null | grep "${PGPpubkeyFingerprint}" -c)
+fingerprint=$(gpg --show-keys --keyid-format LONG /var/cache/raspiblitz/pgp_keys_${PGPsigner}.asc 2>/dev/null | grep -Ec "${PGPpubkeyFingerprint}")
 if [ "${fingerprint}" -lt 1 ]; then
   echo
   echo "# WARNING --> the PGP fingerprint is not as expected for ${PGPsigner}" >&2
@@ -79,7 +79,7 @@ echo
 
 goodSignature=$(grep "Good signature from" -c <"$_temp")
 echo "# goodSignature(${goodSignature})"
-correctKey=$(tr -d " \t\n\r" <"$_temp" | grep "${PGPpubkeyFingerprint}" -c)
+correctKey=$(tr -d " \t\n\r" <"$_temp" | grep -Ec "${PGPpubkeyFingerprint}")
 echo "# correctKey(${correctKey})"
 
 if [ "${correctKey}" -lt 1 ] || [ "${goodSignature}" -lt 1 ]; then

home.admin/config.scripts/bonus.btcpayserver.sh

@@ -18,7 +18,7 @@ PGPpubkeyFingerprint="AB4CFA9895ACA0DBE27F6B346618763EF09186FE"
 # ---
 #PGPsigner="web-flow"
 #PGPpubkeyLink="https://github.com/web-flow.gpg"
-#PGPpubkeyFingerprint="4AEE18F83AFDEB23"
+#PGPpubkeyFingerprint="(4AEE18F83AFDEB23|B5690EEEBB952194)"
 
 # command info
 if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
@@ -506,7 +506,7 @@ if [ "$1" = "install" ]; then
   sudo -u btcpay git clone https://github.com/btcpayserver/btcpayserver.git 2>/dev/null
   cd btcpayserver || exit 1
   sudo -u btcpay git reset --hard $BTCPayVersion
-  #sudo -u btcpay /home/admin/config.scripts/blitz.git-verify.sh "web-flow" "https://github.com/web-flow.gpg" "4AEE18F83AFDEB23" || exit 1
+  #sudo -u btcpay /home/admin/config.scripts/blitz.git-verify.sh "web-flow" "https://github.com/web-flow.gpg" "(4AEE18F83AFDEB23|B5690EEEBB952194)" || exit 1
 
   echo "# verify signature of ${PGPsigner}"
   sudo -u btcpay /home/admin/config.scripts/blitz.git-verify.sh "${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1

home.admin/config.scripts/bonus.circuitbreaker.sh

@@ -19,7 +19,7 @@ fi
 
 PGPsigner="web-flow"
 PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"
-PGPpubkeyFingerprint="4AEE18F83AFDEB23"
+PGPpubkeyFingerprint="(4AEE18F83AFDEB23|B5690EEEBB952194)"
 
 # PGPsigner="joostjager"
 # PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"

home.admin/config.scripts/bonus.ckbunker.sh

@@ -19,7 +19,7 @@ source /mnt/hdd/raspiblitz.conf
 
 GITHUB_SIGN_AUTHOR="web-flow"
 GITHUB_SIGN_PUBKEYLINK="https://github.com/web-flow.gpg"
-GITHUB_SIGN_FINGERPRINT="4AEE18F83AFDEB23"
+GITHUB_SIGN_FINGERPRINT="(4AEE18F83AFDEB23|B5690EEEBB952194)"
 
 PORT_CLEAR="9823"
 PORT_SSL="9824"

home.admin/config.scripts/bonus.fints.sh

@@ -15,7 +15,7 @@ GITHUB_TAG=""
 # leave GITHUB_SIGN_AUTHOR empty to skip verifying
 GITHUB_SIGN_AUTHOR="" #web-flow
 GITHUB_SIGN_PUBKEYLINK="https://github.com/web-flow.gpg"
-GITHUB_SIGN_FINGERPRINT="4AEE18F83AFDEB23"
+GITHUB_SIGN_FINGERPRINT="(4AEE18F83AFDEB23|B5690EEEBB952194)"
 
 # port numbers the app should run on
 # delete if not an web app

home.admin/config.scripts/bonus.loop.sh

@@ -28,7 +28,7 @@ fi
 # releases are creatd on GitHub
 PGPsigner="web-flow"
 PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"
-PGPpubkeyFingerprint="4AEE18F83AFDEB23"
+PGPpubkeyFingerprint="(4AEE18F83AFDEB23|B5690EEEBB952194)"
 
 # TODO download with .tar.gz
 #PGPsigner="alexbosworth"

home.admin/config.scripts/bonus.template.sh

@@ -26,7 +26,7 @@ GITHUB_TAG="v0.1"
 # leave GITHUB_SIGN_AUTHOR empty to skip verifying
 GITHUB_SIGN_AUTHOR="web-flow"
 GITHUB_SIGN_PUBKEYLINK="https://github.com/web-flow.gpg"
-GITHUB_SIGN_FINGERPRINT="4AEE18F83AFDEB23"
+GITHUB_SIGN_FINGERPRINT="(4AEE18F83AFDEB23|B5690EEEBB952194)"
 
 # port numbers the app should run on
 # delete if not an web app

home.admin/config.scripts/cl-plugin.http.sh

@@ -17,7 +17,7 @@ fi
 
 PGPsigner="web-flow"
 PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"
-PGPpubkeyFingerprint="4AEE18F83AFDEB23"
+PGPpubkeyFingerprint="(4AEE18F83AFDEB23|B5690EEEBB952194)"
 
 # source <(/home/admin/config.scripts/network.aliases.sh getvars cl <mainnet|testnet|signet>)
 source <(/home/admin/config.scripts/network.aliases.sh getvars cl mainnet)

home.admin/config.scripts/cl.rest.sh

@@ -21,7 +21,7 @@ fi
 # Example for commits created on GitHub:
 #PGPsigner="web-flow"
 #PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"
-#PGPpubkeyFingerprint="4AEE18F83AFDEB23"
+#PGPpubkeyFingerprint="(4AEE18F83AFDEB23|B5690EEEBB952194)"
 
 PGPsigner="saubyk"
 PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"