software/selenium: fix ssh key fingerprint

software/seleniumserver/buildout.hash.cfg

@@ -19,4 +19,4 @@ md5sum = c4ac5de141ae6a64848309af03e51d88
 
 [template-selenium]
 filename = instance-selenium.cfg.in
-md5sum = 4f557a7b3aa9b4df1ca1fa6a754ca657
+md5sum = 1f0b67d2a542e94380c35afc9cd1946b

software/seleniumserver/instance-selenium.cfg.in

@@ -184,18 +184,23 @@ extra-args=-t dsa
 <=ssh-keygen-base
 extra-args=-t ecdsa -b 521
 
-[ssh-key-fingerprint-command]
-recipe = plone.recipe.command
-# recent openssh client display ECDSA key's fingerprint as SHA256
-command = ${openssh-output:keygen} -lf $${ssh-host-ecdsa-key:output}
-
-[ssh-key-fingerprint]
+[ssh-key-fingerprint-shelloutput]
 recipe = collective.recipe.shelloutput
-# XXX because collective.recipe.shelloutput ignore errors, we run the same
-# command in a plone.recipe.command so that if fails if something goes wrong.
+# recent openssh client display ECDSA key's fingerprint as SHA256
 commands =
-  fingerprint = $${ssh-key-fingerprint-command:command}
+  fingerprint = ${openssh-output:keygen} -lf $${ssh-host-ecdsa-key:output}
 
+[ssh-key-fingerprint]
+recipe = plone.recipe.command
+stop-on-error = true
+# XXX because collective.recipe.shelloutput ignore errors and capture output
+# "Error ...", we use a plone.recipe.command to check that this command did
+# not fail.
+# This command will always fail on first buildout run, because
+# collective.recipe.shelloutput is evaluated at buildout recipes __init__ step,
+# but the key file is created later at install step.
+command = echo "$${:fingerprint}" | ( grep ^Error || exit 0 && exit 1 )
+fingerprint = $${ssh-key-fingerprint-shelloutput:fingerprint}
 
 [sshd-config]
 recipe = slapos.recipe.template:jinja2