fix: fourth audit — nix build log, signing key validation, idempotent publish, hw-config cleanup

scripts/enroll.sh

@@ -145,6 +145,8 @@ ok   "Preflight passed ($(elapsed))"
 
 step 1 "Hardware configuration"
 
+rm -f "${HW_CONFIG}.tmp"  # clean up any stale temp from a previous interrupted run
+
 if [[ -f "${HW_CONFIG}" ]]; then
     ok "hardware-configuration.nix already present"
 else
@@ -354,6 +356,9 @@ else
 fi
 
 SIGNING_PUBKEY=$(grep -v '^untrusted comment' "${MINISIGN_PUB}" | head -1)
+[[ -n "${SIGNING_PUBKEY}" ]] || \
+    die "minisign public key file is empty or malformed: ${MINISIGN_PUB}
+    Delete and re-run: rm -f ${MINISIGN_PUB} ${MINISIGN_SEC} && sudo bash scripts/enroll.sh"
 info "Signing public key: ${SIGNING_PUBKEY}"
 
 # Write nix-cache-info and sign it. nginx serves the .minisig file alongside
@@ -380,13 +385,14 @@ ok "enroll.nix written — no Nix file patching needed ($(elapsed))"
 step 10 "Build NixOS closure + push to harmonia cache"
 
 info "Building builder-aarch64 system closure..."
+BUILD_LOG="/tmp/sourceos-enroll-nix-build-$(date +%s).log"
 CLOSURE=$(nix build "${REPO_ROOT}#nixosConfigurations.${HOST}.config.system.build.toplevel" \
-    --no-link --print-out-paths 2>/dev/null)
-# nix build returns empty stdout on failure (errors go to stderr). Verify both that
-# CLOSURE is non-empty and that the path actually exists in the Nix store.
+    --no-link --print-out-paths 2>"${BUILD_LOG}")
+# nix build emits errors only to stderr (captured to BUILD_LOG above).
+# Verify stdout produced a non-empty, existing store path.
 [[ -n "${CLOSURE}" && -e "${CLOSURE}" ]] || \
-    die "nix build failed — retry with:
-    nix build ${REPO_ROOT}#nixosConfigurations.${HOST}.config.system.build.toplevel --no-link --show-trace"
+    die "nix build failed. Build log: ${BUILD_LOG}
+    For full trace: nix build ${REPO_ROOT}#nixosConfigurations.${HOST}.config.system.build.toplevel --no-link --show-trace"
 ok "Built: ${CLOSURE}"
 
 # Harmonia must be running before we can push (it starts after pass-2 rebuild).

scripts/katello-sourceos-setup.sh

@@ -78,13 +78,26 @@ $HAMMER content-view add-repository --organization "${ORG}" \
     --repository "sourceos-closures-aarch64" \
     2>/dev/null || echo "  sourceos-closures-aarch64 already in view"
 
-# Publish version 1.0 to Library
-echo "--- publishing content view (this may take a minute)"
-$HAMMER content-view publish --organization "${ORG}" \
-    --name "sourceos-builder-aarch64" \
-    --description "Initial publish — dev channel bootstrap"
-
-# Promote to dev lifecycle environment
+# Publish version 1.0 to Library — skip if any version already exists.
+# Re-running katello-sourceos-setup.sh (e.g. during enroll.sh retry) must not
+# create a new CV version: publishing is slow (1-2 min) and the extra versions
+# are noise that complicates CV_VERSION selection in subsequent steps.
+echo "--- checking content view publish state"
+EXISTING_CV_VERSIONS=$($HAMMER --output json content-view version list \
+    --organization "${ORG}" \
+    --content-view "sourceos-builder-aarch64" 2>/dev/null | \
+    python3 -c "import json,sys; print(len(json.load(sys.stdin)))" 2>/dev/null || echo "0")
+
+if [[ "${EXISTING_CV_VERSIONS}" -eq 0 ]]; then
+    echo "--- publishing content view (this may take a minute)"
+    $HAMMER content-view publish --organization "${ORG}" \
+        --name "sourceos-builder-aarch64" \
+        --description "Initial publish — dev channel bootstrap"
+else
+    echo "  content view already has ${EXISTING_CV_VERSIONS} version(s) — skipping publish"
+fi
+
+# Promote to dev lifecycle environment (idempotent — hammer returns 0 if already promoted)
 echo "--- promoting to dev"
 CV_VERSION=$($HAMMER --output json content-view version list \
     --organization "${ORG}" \