archy/scripts/trust-archipelago-cert.sh

#!/bin/bash
#
# Trust the Archipelago server's self-signed certificate on macOS.
# Run this to eliminate "Not secure" when accessing https://192.168.1.228
#
# Usage: ./scripts/trust-archipelago-cert.sh [host]
# Default host: 192.168.1.228
#
# Requires: SSH access to archipelago@host (uses deploy-config.sh password)
#

set -e

HOST="${1:-192.168.1.228}"
CERT_FILE="/tmp/archipelago-${HOST}.crt"
KEYCHAIN="${HOME}/Library/Keychains/login.keychain-db"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

# Try to fetch cert from server via SSH (most reliable)
SSH_KEY="${ARCHIPELAGO_SSH_KEY:-$HOME/.ssh/archipelago-deploy}"
echo "Fetching certificate from server..."
if [ -f "$SSH_KEY" ]; then
  ssh -o StrictHostKeyChecking=no -i "$SSH_KEY" archipelago@${HOST} \
    'sudo -n cat /etc/archipelago/ssl/archipelago.crt' > "$CERT_FILE" 2>/dev/null || true
elif [ -f "$SCRIPT_DIR/deploy-config.sh" ]; then
  # Last-resort fallback: password auth (leaks credentials to process list)
  . "$SCRIPT_DIR/deploy-config.sh"
  echo "WARNING: SSH key not found at $SSH_KEY — falling back to password auth"
  if command -v sshpass >/dev/null 2>&1; then
    sshpass -p "$ARCHIPELAGO_PASSWORD" ssh -o StrictHostKeyChecking=no archipelago@${HOST} \
      'sudo -n cat /etc/archipelago/ssl/archipelago.crt' > "$CERT_FILE" 2>/dev/null || true
  else
    echo "WARNING: No SSH key and sshpass not installed — skipping SSH fetch"
  fi
fi

# Fallback: fetch via openssl (can hang on some systems)
if [ ! -s "$CERT_FILE" ]; then
  echo "Fetching certificate via TLS..."
  (echo "Q"; sleep 1) | openssl s_client -connect "${HOST}:443" -servername "${HOST}" 2>/dev/null | \
    openssl x509 -outform PEM > "$CERT_FILE"
fi

if [ ! -s "$CERT_FILE" ]; then
  echo "Failed to fetch certificate. Ensure deploy-config.sh exists and SSH works, or the server is reachable."
  exit 1
fi

echo "Adding to your login keychain..."

# Remove old cert if present (by common name)
security delete-certificate -c "archipelago.local" "$KEYCHAIN" 2>/dev/null || true

# Add to user keychain with trust (no sudo needed)
if security add-trusted-cert -d -r trustRoot -k "$KEYCHAIN" "$CERT_FILE" 2>/dev/null; then
  echo "   Certificate trusted successfully."
elif security add-trusted-cert -d -r trustAsRoot -k "$KEYCHAIN" "$CERT_FILE" 2>/dev/null; then
  echo "   Certificate trusted successfully."
else
  # Fallback: add cert and open Keychain Access for manual trust
  cp "$CERT_FILE" "$HOME/Desktop/archipelago-${HOST}.crt"
  echo ""
  echo "   Could not auto-trust. Certificate saved to Desktop."
  echo "   Double-click archipelago-${HOST}.crt to add it, then in Keychain Access"
  echo "   find it, double-click, expand Trust → set to 'Always Trust'."
  CERT_FILE=""  # Don't delete, we copied to Desktop
fi

rm -f "$CERT_FILE"

echo ""
echo "✅ Done. Restart your browser fully (quit Chrome/Safari) and visit https://${HOST}"
Refactor Indeehub integration and enhance deployment documentation - Updated Indeehub references throughout the codebase, changing the name from "IndeedHub" to "Indeehub" for consistency. - Implemented a virtual app structure for Indeehub, allowing it to open an external URL without requiring a container. - Enhanced deployment scripts and documentation to clarify SSH access and password management for Indeehub. - Improved error handling and retry logic in various components to ensure better user experience during onboarding and app interactions. - Updated CSS for visual enhancements and added new buttons for improved navigation in the AppLauncherOverlay. 2026-03-01 17:53:18 +00:00			`#!/bin/bash`
			`#`
			`# Trust the Archipelago server's self-signed certificate on macOS.`
			`# Run this to eliminate "Not secure" when accessing https://192.168.1.228`
			`#`
			`# Usage: ./scripts/trust-archipelago-cert.sh [host]`
			`# Default host: 192.168.1.228`
			`#`
			`# Requires: SSH access to archipelago@host (uses deploy-config.sh password)`
			`#`

			`set -e`

			`HOST="${1:-192.168.1.228}"`
			`CERT_FILE="/tmp/archipelago-${HOST}.crt"`
			`KEYCHAIN="${HOME}/Library/Keychains/login.keychain-db"`
			`SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`
			`PROJECT_DIR="$(dirname "$SCRIPT_DIR")"`

			`# Try to fetch cert from server via SSH (most reliable)`
fix: deploy locking, safe eval replacement, first-boot error handling, script hardening - S4: Add Bitcoin readiness gate and container tracking with final summary - S5: Replace eval "$DB_PASSWORDS" with safe case-based variable parsing - S6: Add deploy locking with stale lock detection (30min timeout) - S7: Deploy rollback already implemented — verified existing mechanism - S8: Switch trust-archipelago-cert.sh to SSH key auth, sshpass as fallback - S9: Pipe MariaDB SQL via stdin to avoid password in ps output - S17: Add disk space pre-flight check (abort if >85% full) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-21 01:39:22 +00:00			`SSH_KEY="${ARCHIPELAGO_SSH_KEY:-$HOME/.ssh/archipelago-deploy}"`
			`echo "Fetching certificate from server..."`
			`if [ -f "$SSH_KEY" ]; then`
			`ssh -o StrictHostKeyChecking=no -i "$SSH_KEY" archipelago@${HOST} \`
			`'sudo -n cat /etc/archipelago/ssl/archipelago.crt' > "$CERT_FILE" 2>/dev/null \|\| true`
			`elif [ -f "$SCRIPT_DIR/deploy-config.sh" ]; then`
			`# Last-resort fallback: password auth (leaks credentials to process list)`
Refactor Indeehub integration and enhance deployment documentation - Updated Indeehub references throughout the codebase, changing the name from "IndeedHub" to "Indeehub" for consistency. - Implemented a virtual app structure for Indeehub, allowing it to open an external URL without requiring a container. - Enhanced deployment scripts and documentation to clarify SSH access and password management for Indeehub. - Improved error handling and retry logic in various components to ensure better user experience during onboarding and app interactions. - Updated CSS for visual enhancements and added new buttons for improved navigation in the AppLauncherOverlay. 2026-03-01 17:53:18 +00:00			`. "$SCRIPT_DIR/deploy-config.sh"`
fix: deploy locking, safe eval replacement, first-boot error handling, script hardening - S4: Add Bitcoin readiness gate and container tracking with final summary - S5: Replace eval "$DB_PASSWORDS" with safe case-based variable parsing - S6: Add deploy locking with stale lock detection (30min timeout) - S7: Deploy rollback already implemented — verified existing mechanism - S8: Switch trust-archipelago-cert.sh to SSH key auth, sshpass as fallback - S9: Pipe MariaDB SQL via stdin to avoid password in ps output - S17: Add disk space pre-flight check (abort if >85% full) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-21 01:39:22 +00:00			`echo "WARNING: SSH key not found at $SSH_KEY — falling back to password auth"`
Refactor Indeehub integration and enhance deployment documentation - Updated Indeehub references throughout the codebase, changing the name from "IndeedHub" to "Indeehub" for consistency. - Implemented a virtual app structure for Indeehub, allowing it to open an external URL without requiring a container. - Enhanced deployment scripts and documentation to clarify SSH access and password management for Indeehub. - Improved error handling and retry logic in various components to ensure better user experience during onboarding and app interactions. - Updated CSS for visual enhancements and added new buttons for improved navigation in the AppLauncherOverlay. 2026-03-01 17:53:18 +00:00			`if command -v sshpass >/dev/null 2>&1; then`
fix: deploy locking, safe eval replacement, first-boot error handling, script hardening - S4: Add Bitcoin readiness gate and container tracking with final summary - S5: Replace eval "$DB_PASSWORDS" with safe case-based variable parsing - S6: Add deploy locking with stale lock detection (30min timeout) - S7: Deploy rollback already implemented — verified existing mechanism - S8: Switch trust-archipelago-cert.sh to SSH key auth, sshpass as fallback - S9: Pipe MariaDB SQL via stdin to avoid password in ps output - S17: Add disk space pre-flight check (abort if >85% full) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-21 01:39:22 +00:00			`sshpass -p "$ARCHIPELAGO_PASSWORD" ssh -o StrictHostKeyChecking=no archipelago@${HOST} \`
Refactor Indeehub integration and enhance deployment documentation - Updated Indeehub references throughout the codebase, changing the name from "IndeedHub" to "Indeehub" for consistency. - Implemented a virtual app structure for Indeehub, allowing it to open an external URL without requiring a container. - Enhanced deployment scripts and documentation to clarify SSH access and password management for Indeehub. - Improved error handling and retry logic in various components to ensure better user experience during onboarding and app interactions. - Updated CSS for visual enhancements and added new buttons for improved navigation in the AppLauncherOverlay. 2026-03-01 17:53:18 +00:00			`'sudo -n cat /etc/archipelago/ssl/archipelago.crt' > "$CERT_FILE" 2>/dev/null \|\| true`
fix: deploy locking, safe eval replacement, first-boot error handling, script hardening - S4: Add Bitcoin readiness gate and container tracking with final summary - S5: Replace eval "$DB_PASSWORDS" with safe case-based variable parsing - S6: Add deploy locking with stale lock detection (30min timeout) - S7: Deploy rollback already implemented — verified existing mechanism - S8: Switch trust-archipelago-cert.sh to SSH key auth, sshpass as fallback - S9: Pipe MariaDB SQL via stdin to avoid password in ps output - S17: Add disk space pre-flight check (abort if >85% full) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-21 01:39:22 +00:00			`else`
			`echo "WARNING: No SSH key and sshpass not installed — skipping SSH fetch"`
Refactor Indeehub integration and enhance deployment documentation - Updated Indeehub references throughout the codebase, changing the name from "IndeedHub" to "Indeehub" for consistency. - Implemented a virtual app structure for Indeehub, allowing it to open an external URL without requiring a container. - Enhanced deployment scripts and documentation to clarify SSH access and password management for Indeehub. - Improved error handling and retry logic in various components to ensure better user experience during onboarding and app interactions. - Updated CSS for visual enhancements and added new buttons for improved navigation in the AppLauncherOverlay. 2026-03-01 17:53:18 +00:00			`fi`
			`fi`

			`# Fallback: fetch via openssl (can hang on some systems)`
			`if [ ! -s "$CERT_FILE" ]; then`
			`echo "Fetching certificate via TLS..."`
			`(echo "Q"; sleep 1) \| openssl s_client -connect "${HOST}:443" -servername "${HOST}" 2>/dev/null \| \`
			`openssl x509 -outform PEM > "$CERT_FILE"`
			`fi`

			`if [ ! -s "$CERT_FILE" ]; then`
			`echo "Failed to fetch certificate. Ensure deploy-config.sh exists and SSH works, or the server is reachable."`
			`exit 1`
			`fi`

			`echo "Adding to your login keychain..."`

			`# Remove old cert if present (by common name)`
			`security delete-certificate -c "archipelago.local" "$KEYCHAIN" 2>/dev/null \|\| true`

			`# Add to user keychain with trust (no sudo needed)`
			`if security add-trusted-cert -d -r trustRoot -k "$KEYCHAIN" "$CERT_FILE" 2>/dev/null; then`
			`echo " Certificate trusted successfully."`
			`elif security add-trusted-cert -d -r trustAsRoot -k "$KEYCHAIN" "$CERT_FILE" 2>/dev/null; then`
			`echo " Certificate trusted successfully."`
			`else`
			`# Fallback: add cert and open Keychain Access for manual trust`
			`cp "$CERT_FILE" "$HOME/Desktop/archipelago-${HOST}.crt"`
			`echo ""`
			`echo " Could not auto-trust. Certificate saved to Desktop."`
			`echo " Double-click archipelago-${HOST}.crt to add it, then in Keychain Access"`
			`echo " find it, double-click, expand Trust → set to 'Always Trust'."`
			`CERT_FILE="" # Don't delete, we copied to Desktop`
			`fi`

			`rm -f "$CERT_FILE"`

			`echo ""`
			`echo "✅ Done. Restart your browser fully (quit Chrome/Safari) and visit https://${HOST}"`