Merge branch 'TinCanTech-ci-enable-shell-switch-errexit'

TinCanTech · TinCanTech · commit afb2b0a7b127 · 2025-12-18T20:44:33.000Z
Signed-off-by: Richard T Bonhomme &lt;tincantech@protonmail.com&gt;
diff --git a/.github/workflows/action.yml b/.github/workflows/action.yml
@@ -26,6 +26,7 @@ jobs:
       EASYRSA_NIX: 1
       TERM: xterm-256color
       EASYRSA_SILENT_SSL: 1
+      EASYRSA_SET_ERREXIT: 1
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
@@ -53,6 +54,7 @@ jobs:
       EASYRSA_WIN_QUICK: 1
       TERM: xterm-256color
       EASYRSA_SILENT_SSL: 1
+      EASYRSA_SET_ERREXIT: 1
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
@@ -80,6 +82,7 @@ jobs:
       EASYRSA_MAC: 1
       TERM: xterm-256color
       EASYRSA_SILENT_SSL: 1
+      EASYRSA_SET_ERREXIT: 1
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
diff --git a/ChangeLog b/ChangeLog
@@ -1,5 +1,9 @@
 Easy-RSA 3 ChangeLog
 
+3.2.6 (TBD)
+
+   * CI: Enable shell switch errexit, set by env-var $EASYRSA_SET_ERREXIT (772d6f6) (#1417)
+
 3.2.5 (2025-12-13)
 
    * ssl_cert_digest(): Support Edwards curve with LibreSSL (1eaa31e) (#1415)
diff --git a/doc/EasyRSA-Advanced.md b/doc/EasyRSA-Advanced.md
@@ -170,7 +170,7 @@ short description is shown below:
  *  `EASYRSA_PASSOUT` (CLI: `--passout`) - allows to specify a source for
     password using any openssl password options like pass:1234 or env:var
  *  `EASYRSA_NO_PASS` (CLI: `--nopass`) - disable use of passwords
- *  `EASYRSA_UMASK` (CLI: `--umask`) - safe umask to use for file creation.
+ *  `EASYRSA_UMASK` (CLI: `--umask`) - safe umask to use for file creation
     Defaults to `077`
  *  `EASYRSA_NO_UMASK` (CLI: `--no-umask`) - disable safe umask. Files will be
     created using the system's default
@@ -183,5 +183,6 @@ short description is shown below:
  *  `EASYRSA_FORCE_SAFE_SSL` (CLI: `--force-safe-ssl`) - expand environment
     variables in SSL config
  *  `EASYRSA_FORCE_VARS` (CLI: `--force-vars`) - ignore known errors in 'vars' file
+ *  `EASYRSA_SET_ERREXIT` - Enable `errexit`, IE. `set -e`, within `easyrsa` script
 
 **NOTE:** the global options must be provided before the commands.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -1080,6 +1080,7 @@ and then try running the easyrsa command again."
 	fi
 
 	# if 'cleanup' is called without 'ok' then an error occurred
+	print "*** Easy-RSA has encountered a FATAL error, please report this."
 	verbose "Exit: Final Fail = true"
 	exit 1 # Exit: Final Fail, unknown error
 } # => cleanup()
@@ -1500,8 +1501,8 @@ Your newly created PKI dir is:
 
 	# Select and show Auto-configured vars file
 	unset -v EASYRSA_NO_VARS EASYRSA_VARS_FILE
-	select_vars
-	if [ "$EASYRSA_VARS_FILE" ]; then
+
+	if select_vars; then
 		information "\
 IMPORTANT: PKI algorithm is $auto_algo${NL}
 Using Easy-RSA Auto-configured 'vars' file:
@@ -6778,6 +6779,11 @@ trap "exit 15" 15
 # Get host details - No configurable input allowed
 detect_host
 
+# Allow selective use of 'set -e'
+if [ "$EASYRSA_SET_ERREXIT" ]; then
+	set -e || die "Cannot set -e"
+fi
+
 # Protect variables from alteration by sourcing vars file
 # undocumented, not designed for use
 [ -z "$EASYRSA_ALIAS_DAYS" ] || \
