$ shellcheck ec2-instance-connect/eic_curl_authorized_keys ec2-instance-connect/eic_parse_authorized_keys ec2-instance-connect/eic_run_authorized_keys

In ec2-instance-connect/eic_curl_authorized_keys line 36:
elif [ ! $(cat /sys/devices/virtual/dmi/id/board_asset_tag) = $instance ] ; then
^-- SC2046: Quote this to prevent word splitting.
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_curl_authorized_keys line 41:
elif [ ! $(cat /sys/hypervisor/uuid | cut -c1-3) = "ec2" ] ; then
^-- SC2046: Quote this to prevent word splitting.
^-- SC2002: Useless cat. Consider 'cmd < file | ..' or 'cmd file | ..' instead.

In ec2-instance-connect/eic_curl_authorized_keys line 58:
if [ $? -ne 0 ] ; then
^-- SC2181: Check exit code directly with e.g. 'if mycmd;', not indirectly with $?.

In ec2-instance-connect/eic_curl_authorized_keys line 64:
if [ $(eval "${curl_cmd} -o /dev/null -I -w %{http_code} http://169.254.169.254/latest/meta-data/managed-ssh-keys/active-keys/${1}/") -eq 404 ]
^-- SC2046: Quote this to prevent word splitting.

In ec2-instance-connect/eic_curl_authorized_keys line 72:
if [ $? -ne 0 ]
^-- SC2181: Check exit code directly with e.g. 'if mycmd;', not indirectly with $?.

In ec2-instance-connect/eic_curl_authorized_keys line 79:
region=$(echo $zone | sed -n 's/\(\([a-z]\+-\)\+[0-9]\+\).*/\1/p')
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_curl_authorized_keys line 81:
if [ $? -ne 0 ]
^-- SC2181: Check exit code directly with e.g. 'if mycmd;', not indirectly with $?.

In ec2-instance-connect/eic_curl_authorized_keys line 90:
chmod 700 $userpath # Disallow any other writes to tempdir
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_curl_authorized_keys line 91:
signerkeyfile=signer-cert.pem
^-- SC2034: signerkeyfile appears unused. Verify it or export it.
In ec2-instance-connect/eic_curl_authorized_keys line 92:
keysfile=allowed-keys
^-- SC2034: keysfile appears unused. Verify it or export it.

In ec2-instance-connect/eic_curl_authorized_keys line 105:
if [ $? -ne 0 ]
^-- SC2181: Check exit code directly with e.g. 'if mycmd;', not indirectly with $?.

In ec2-instance-connect/eic_curl_authorized_keys line 110:
ocsp_path=$(mktemp -d $userpath/eic-ocsp-XXXXXXXX)
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_curl_authorized_keys line 111:
chmod 700 $ocsp_path # Disallow any other writes to tempdir
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_curl_authorized_keys line 114:
eval "${curl_cmd}" "http://169.254.169.254/latest/meta-data/managed-ssh-keys/signer-ocsp/${word}" | base64 -d > $ocsp_path/$word
^-- SC2086: Double quote to prevent globbing and word splitting.
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_curl_authorized_keys line 115:
if [ $? -ne 0 ]
^-- SC2181: Check exit code directly with e.g. 'if mycmd;', not indirectly with $?.

In ec2-instance-connect/eic_curl_authorized_keys line 119:
chmod 400 $ocsp_path/$word # Disable access to staple file
^-- SC2086: Double quote to prevent globbing and word splitting.
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_curl_authorized_keys line 128:
output=$($DIR/eic_parse_authorized_keys -x false -r "${curl_command}" -o "${OPENSSL}" -d "${userpath}" -s "${certificate}" -i "${instance}" -c "${expected_signer}" -a "${ca_path}" -v "${ocsp_path}")
^-- SC2086: Double quote to prevent globbing and word splitting.
In ec2-instance-connect/eic_curl_authorized_keys line 131:
output=$($DIR/eic_parse_authorized_keys -x false -r "${curl_command}" -o "${OPENSSL}" -d "${userpath}" -s "${certificate}" -i "${instance}" -c "${expected_signer}" -a "${ca_path}" -v "${ocsp_path}" -f "${2}")
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 49:
cname=$($2 x509 -noout -subject -in $3 2>/dev/null | sed -n -e 's/^.*CN=//p')
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 50:
fingerprint=$($2 x509 -noout -fingerprint -sha1 -inform pem -in $3 2>/dev/null | sed -n 's/SHA1 Fingerprint[[:space:]]*=[[:space:]]*\(.*\)/\1/p' | tr -d ':')
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 51:
ocsp_out=$($2 ocsp -no_nonce -issuer $4 -cert $3 -VAfile $4 -respin $5/$fingerprint 2>/dev/null)
^-- SC2086: Double quote to prevent globbing and word splitting.
^-- SC2086: Double quote to prevent globbing and word splitting.
^-- SC2086: Double quote to prevent globbing and word splitting.
^-- SC2086: Double quote to prevent globbing and word splitting.
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 52:
if [ $? -ne 0 ] || ! startswith "${ocsp_out}" "${3}: good" ; then
^-- SC2181: Check exit code directly with e.g. 'if mycmd;', not indirectly with $?.

In ec2-instance-connect/eic_parse_authorized_keys line 53:
fail $1 "EC2 Instance Connect could not verify certificate ${cname} has not been revoked. No keys have been trusted."
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 117:
ca_bundles_dir=$(mktemp -d $tmpdir/eic-cert-XXXXXXXX)
^-- SC2086: Double quote to prevent globbing and word splitting.
In ec2-instance-connect/eic_parse_authorized_keys line 118:
chmod 700 $ca_bundles_dir
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 119:
end=$(find $tmpdir -maxdepth 1 -type f -name "cert*.pem" -regextype sed -regex ".*/cert[0-9]\+\.pem" | wc -l)
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 120:
if [ $(expr $end) -gt 0 ] ; then
^-- SC2046: Quote this to prevent word splitting.
^-- SC2003: expr is antiquated. Consider rewriting this using $((..)), ${} or [[ ]].
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 122:
for i in `seq 1 $end` ; do
^-- SC2006: Use $(..) instead of legacy `..`.
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 143:
cat $(find $tmpdir -maxdepth 1 -type f -name "cert*.pem" -regextype sed -regex ".*/cert[0-9]\+\.pem$") > $tmpdir/ca-trust.pem 2>/dev/null
^-- SC2046: Quote this to prevent word splitting.
^-- SC2086: Double quote to prevent globbing and word splitting.
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 147:
cat "${ca_bundles_dir}/${underscored}" >> $tmpdir/ca-trust.pem 2>/dev/null
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 149:
cat "${ca_path}" >> $tmpdir/ca-trust.pem 2>/dev/null
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 154:
signer_cn=$($OPENSSL x509 -noout -subject -in $tmpdir/cert.pem | sed -n -e 's/^.*CN[[:space:]]*=[[:space:]]*//p')
^-- SC2086: Double quote to prevent globbing and word splitting.
In ec2-instance-connect/eic_parse_authorized_keys line 156:
fail $is_debug "EC2 Instance Connect encountered an unrecognized signer certificate. No keys have been trusted."
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 165:
verify_out=$($OPENSSL verify -x509_strict -CApath ${ca_path_option} -CAfile $tmpdir/ca-trust.pem $tmpdir/cert.pem)
^-- SC2086: Double quote to prevent globbing and word splitting.
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 166:
if [ $? -ne 0 ] || [ "${verify_out}" != "${tmpdir}/cert.pem: OK" ] ; then
^-- SC2181: Check exit code directly with e.g. 'if mycmd;', not indirectly with $?.

In ec2-instance-connect/eic_parse_authorized_keys line 167:
fail $is_debug "EC2 Instance Connect could not verify the signer trust chain. No keys have been trusted."
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 172:
mv $tmpdir/cert.pem $tmpdir/cert0.pem # Better naming consistency for loop
^-- SC2086: Double quote to prevent globbing and word splitting.
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 173:
for i in `seq 0 $(( $end - 1 ))` ; do
^-- SC2006: Use $(..) instead of legacy `..`.
^-- SC2004: $/${} is unnecessary on arithmetic variables.

In ec2-instance-connect/eic_parse_authorized_keys line 188:
verifyocsp $is_debug $OPENSSL "${tmpdir}/cert${i}.pem" "${tmpdir}/cert$(( $i + 1)).pem" "${ocsp_dir_path}"
^-- SC2086: Double quote to prevent globbing and word splitting.
^-- SC2086: Double quote to prevent globbing and word splitting.
^-- SC2004: $/${} is unnecessary on arithmetic variables.

In ec2-instance-connect/eic_parse_authorized_keys line 192:
rm -rf $ca_bundles_dir
^-- SC2086: Double quote to prevent globbing and word splitting.
In ec2-instance-connect/eic_parse_authorized_keys line 196:
if [ $? -ne 0 ] ; then # $? must be numeric 0-255 and requires no quote escaping
^-- SC2181: Check exit code directly with e.g. 'if mycmd;', not indirectly with $?.

In ec2-instance-connect/eic_parse_authorized_keys line 197:
fail $is_debug "EC2 Instance Connect failed to extract the public key from the signer certificate. No keys have been trusted."
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 203:
if [ ! -z ${expected_key+x} ] ; then
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 249:
timestamp=$(removeprefix $line "#Timestamp=")
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 251:
instance_id=$(removeprefix $line "#Instance=")
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 253:
caller=$(removeprefix $line "#Caller=")
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 255:
request=$(removeprefix $line "#Request=")
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 280:
echo -n $sigline > /tmp/sigline
^-- SC2039: In POSIX sh, echo flags are undefined.

In ec2-instance-connect/eic_parse_authorized_keys line 291:
if [ ! -z "${instance_id}" ] && [ $timestamp -ne 0 ] ; then
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 293:
expiration=$(expr "${timestamp}")
^-- SC2003: expr is antiquated. Consider rewriting this using $((..)), ${} or [[ ]].
In ec2-instance-connect/eic_parse_authorized_keys line 297:
if [ "${current_instance_id}" = "${instance_id}" ] && [ $expiration -gt $curtime ] ; then
^-- SC2086: Double quote to prevent globbing and word splitting.
^-- SC2086: Double quote to prevent globbing and word splitting.

In ec2-instance-connect/eic_parse_authorized_keys line 303:
if [ $? -eq 0 ] ; then
^-- SC2181: Check exit code directly with e.g. 'if mycmd;', not indirectly with $?.

In ec2-instance-connect/eic_parse_authorized_keys line 338:
count=$(expr "${count}" + 1)
^-- SC2003: expr is antiquated. Consider rewriting this using $((..)), ${} or [[ ]].

In ec2-instance-connect/eic_run_authorized_keys line 20:
timeout 5s $DIR/eic_curl_authorized_keys "$@"
^-- SC2086: Double quote to prevent globbing and word splitting.