macOS OpenSSH Client Patcher for Hardware Security Key Support (ED25519-SK With YubiKey Etc.)

guide_macskeyinstaller.md

🔐 macOS OpenSSH Patcher for Hardware Security Keys

Supports ED25519-SK with Yubikey and other FIDO2 hardware security keys!

🤔 Discussion

Despite being compiled to support hardware security keys that take advantage of the FIDO2 protocol, the built-in OpenSSH client on macOS Sonoma and above lacks the middleware/library to support these devices. To keep using the built-in client - which is often the most stable and secure method for SSH connections - we need to compile the Security Key Provider from OpenSSH source and tell the macOS client about it ourselves.

This script does all of that for you on both Apple Silicon and Intel Mac computers!

The script installs openssl and libfido2 along with the required build tools from Homebrew. It then clones the latest main branch of OpenSSH Portable and builds from it the Security Key Provider library: sk-libfido2.dylib. It finally moves the built library to /usr/local/lib/, modifies ~/.zshenv to export the environment variable SSH_SK_PROVIDER=/usr/local/lib/sk-libfido2.dylib to tell the SSH client about it, and cleans everything up!

📝 Instructions

Before getting started, make sure you:

• are running macOS 14.0 Sonoma or higher. See the next section for solutions on older versions.
• have Xcode Command Line Tools installed. You can check/install it by typing xcode-select --install in your Terminal.
• have Homebrew installed. Click here for instructions.

Then, proceed with the installation:

• Save macskeyinstaller.sh below to your Downloads folder. You can do this by right-clicking the Raw button and selecting Download Linked File.
• Open a new Terminal and go to your Downloads folder by executing cd Downloads.
• Run the script by executing bash macskeyinstaller.sh. Do not run with sudo.
• Enter your login password when prompted as copying the library to /usr/local/lib/ requires root privileges.
• When the script is done running, restart your Terminal for the changes to take effect.

Use your hardware security key to create a new ED25519-SK SSH Key:

There are great instructions on this on the Yubico website! Follow the instructions for Linux instead of macOS! Click here to see them.

📕Helpful Reading

These discussions and forum posts were what enabled and inspired me to create this script. I highly suggest checking them out for more technical details.

• https://developer.apple.com/forums/thread/698683
• Yubico/libfido2#464
• https://gist.github.com/thelastlin/c45b96cf460919e39ab5807b6d20ac2a
• https://gist.github.com/surjikal/aaf0729af90bdc83064b

Copyright 2025 Mehmet Bertan Tarakcioglu (github.com/BertanT), under the MIT License.

macskeyinstaller.sh

#!/bin/bash

################################################################################################
# macskeyinstaller.sh
# Last Updated: January 13, 2025
#
# macOS OpenSSH Client Patcher for Hardware Security Key Support (ED25519-SK With YubiKey Etc.)
# Check out https://gist.github.com/BertanT/9d222da115ca2d1274ef34735c4260cf for details!
#
# Copyright 2025 Mehmet Bertan Tarakcioglu (github.com/BertanT), under the MIT License.
################################################################################################

# Exit early if there is an error
set -e

printf "\n* Hello! This script compiles and installs the security key provider for the built-in macOS Open SSH client to enable support for hardware security keys (such as a YubiKey)."

# Check if the script is running as root
if [ "$(id -u)" -eq 0 ]; then
  printf "\n!!! Error: For safety reasons, this script cannot be run as root. If using sudo, please try again without it.\n" >&2
  exit 1
fi

# Function to compare macOS version strings
version_ge() {
  [[ "$(echo -e "$1\n$2" | sort -V | head -n1)" == "$2" ]]
}

# function to get the current macOS Version
macos_version=$(sw_vers -productVersion | cut -d '.' -f1,2)

# Check if running at least macOS Sonoma
if ! version_ge "$macos_version" "14.0"; then
  printf "\n!!! Error: macOS version is $macos_version. This script requires at least macOS Sonoma (14.0).\n" >&2
  exit 1
fi
printf "\n* macOS version is supported!"

# Check if Homebrew is installed
if ! which brew &>/dev/null; then
  printf "\n!!! Error: This script requires Homebrew to install dependencies! Please install Homebrew and try again\n" >&2
  exit 1
fi
printf "\n* Homebrew is installed!"

printf "\n* Cloning the latest main branch of openssh-portable from GitHub. This may take a while..."
git clone --quiet https://github.com/openssh/openssh-portable.git
cd openssh-portable

printf "\n* Installing dependencies from Homebrew: libfido2, openssl, autoconf, automake, libtool\n"
brew install libfido2 openssl autoconf automake libtool pkgconf

printf "\n* Generating configuration script."
autoreconf -i

printf "\n* Exporting flags."

# Determine the CPU architecture and set the appropriate Homebrew base path
if [[ "$(uname -m)" == "arm64" ]]; then
  BREW_PREFIX="/opt/homebrew"
elif [[ "$(uname -m)" == "x86_64" ]]; then
  BREW_PREFIX="/usr/local"
else
  echo "!!! Error: Unknown CPU architecture $(uname -m).\n" >&2
  exit 1
fi

# Get the appropriate paths for the Homebrew dependecies as they differ through version
BREW_OPENSSL_PATH=$(ls -d $BREW_PREFIX/Cellar/openssl@3/*)
BREW_LIBFIDO2_PATH=$(ls -d $BREW_PREFIX/Cellar/libfido2/*)
export CFLAGS="-L$BREW_OPENSSL_PATH/lib -I$BREW_OPENSSL_PATH/include -L$BREW_LIBFIDO2_PATH/lib -I$BREW_LIBFIDO2_PATH/include -Wno-error=implicit-function-declaration"
export LDFLAGS="-L$BREW_OPENSSL_PATH/lib -L$BREW_LIBFIDO2_PATH/lib"

printf "\n* Configuring build. This may take a while..."
./configure --quiet --with-security-key-standalone

printf "\n* Cleaning previous build for good measure."
make --quiet clean

printf "\n* Building OpenSSH Portable."
make --quiet

printf "\n* Copying the Security Key Provider library to /usr/local/lib."
printf "\n  We need root privileges to modify system files.\n"
sudo mkdir -p /usr/local/lib
sudo mv sk-libfido2.dylib /usr/local/lib/

# Check if the script is running in ZSH. If not, give the user instructions.
# Otherwise, modify .zshenv to set the environment variable if not already present.
if [[ "$SHELL" == *zsh* ]]; then
	printf "\n* Configuring the ~/.zshenv for the System SSH use the Security Key Provider we just built"
    if ! grep -q "export SSH_SK_PROVIDER=/usr/local/lib/sk-libfido2.dylib" "$HOME/.zshenv" &>/dev/null; then
        echo "export SSH_SK_PROVIDER=/usr/local/lib/sk-libfido2.dylib" >> "$HOME/.zshenv"
        printf "\n* Added SSH_SK_PROVIDER to ~/.zshenv."
    else
        printf "\n* SSH_SK_PROVIDER is already configured in ~/.zshenv."
    fi
else
	printf "*\n Since you are not on ZSH, you will need to manually configure your shell profile to tell the System SSH client to use the Security Key Provider we just built."
	printf "\n  The shell profile should export the environment variable as follows:"
	printf "\n  export SSH_SK_PROVIDER=/usr/local/lib/sk-libfido2.dylib"
fi

printf "\n* Exiting the directory and deleting the repository we cloned. We don't need it anymore"
cd ..
rm -rf openssh-portable

printf "\n\n* That's it! After restarting your terminal session, you can plug in your hardware security key and test the installation using:"
printf "\n  ssh-keygen -t ed25519-sk -O resident -O verify-required -C \"Your Comment\""
printf "\n\nHave a nice day! :)\n\n"

Hi @BertanT

Thanks for making the script - I tried it this morning and wanted to provide feedback that may be useful for you and others.

• Unfortunately, originally the script generated a sk-libfido2.dylib didn't work for me. (see below)
• But after running michaelroosz/ssh/libsk-libfido2-install, I then tried the script/build again and this time the resulting sk-libfido2.dylib worked (see below)

My env

• Used OpenSSH Portable git describe commit: V_9_7_P1-389-g826483d51
• My Laptop/OS/uname info: Apple M1 Pro - Sequoia 15.2 - Darwin 24.2.0 Darwin Kernel Version 24.2.0: Fri Dec 6 19:01:59 PST 2024; root:xnu-11215.61.5~2/RELEASE_ARM64_T6000 arm64

Bad build resulted in this:

$ SSH_SK_PROVIDER=$PWD/sk-libfido2.dylib ssh-keygen -t ed25519-sk -f ed25519-sk -vvv
...
debug1: sshsk_enroll: provider "/Users/aff0/workspaces/macskeyinstaller/openssh-portable.ORIG/sk-libfido2.dylib", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
lib_contains_symbol: /Users/aff0/workspaces/macskeyinstaller/openssh-portable.ORIG/sk-libfido2.dylib does not contain expected string sk_api_version
provider /Users/aff0/workspaces/macskeyinstaller/openssh-portable.ORIG/sk-libfido2.dylib is not an OpenSSH FIDO library
debug1: ssh-sk-helper: Enrollment failed: invalid format
...
Key enrollment failed: invalid format

After the original script didn't work, I gave up and installed michaelroosz/ssh/libsk-libfido2-install and its libsk-libfido2.dylib worked fine.

Here's the odd thing: I wanted to try to find the difference between the two builds and when I ran your script again, this time it generated a sk-libfido2.dylib library that worked!

$ SSH_SK_PROVIDER=$PWD/sk-libfido2.dylib ssh-keygen -t ed25519-sk -f ed25519-sk -vvv
...
debug1: sshsk_enroll: provider "/Users/aff0/workspaces/macskeyinstaller/openssh-portable/sk-libfido2.dylib", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: sshsk_open: provider /Users/aff0/workspaces/macskeyinstaller/openssh-portable/sk-libfido2.dylib implements version 0x000a0000
...
Your identification has been saved in ed25519-sk
Your public key has been saved in ed25519-sk.pub

So I think that michaelroosz/ssh/libsk-libfido2-install must have installed something or changed something that then results in a good build. I'm not sure what it would be, but here's some debug info I found.

Here's the diff between the config.status of the bad build (openssh-portable.ORIG) vs the config.status of the good build (openssh-portable):

$ diff openssh-portable.ORIG/config.status openssh-portable/config.status 
1678c1678
< S["LIBFIDO2"]=""
---
> S["LIBFIDO2"]="-L/opt/homebrew/Cellar/libfido2/1.15.0/lib -lfido2 -L/opt/homebrew/Cellar/openssl@3/3.4.0/lib -lcrypto"
1695c1695
< S["PKGCONFIG"]="no"
---
> S["PKGCONFIG"]="/opt/homebrew/bin/pkg-config"
1726c1726
< S["CPPFLAGS"]=" -DOPENSSL_API_COMPAT=0x10100000L"
---
> S["CPPFLAGS"]=" -DOPENSSL_API_COMPAT=0x10100000L -I/opt/homebrew/Cellar/libfido2/1.15.0/include -I/opt/homebrew/Cellar/openssl@3/3.4.0/include"
2089a2090,2098
> D["ENABLE_SK_INTERNAL"]=" /**/"
> D["HAVE_FIDO_ASSERT_SET_CLIENTDATA"]=" 1"
> D["HAVE_FIDO_CRED_PROT"]=" 1"
> D["HAVE_FIDO_CRED_SET_PROT"]=" 1"
> D["HAVE_FIDO_CRED_SET_CLIENTDATA"]=" 1"
> D["HAVE_FIDO_DEV_GET_TOUCH_BEGIN"]=" 1"
> D["HAVE_FIDO_DEV_GET_TOUCH_STATUS"]=" 1"
> D["HAVE_FIDO_DEV_SUPPORTS_CRED_PROT"]=" 1"
> D["HAVE_FIDO_DEV_IS_WINHELLO"]=" 1"

This dir listing shows what I had installed via brew during the bad vs good build:

• Dirs with timestamp 'Jan 29 07:29' show what was installed by the script during the bad build
• Dirs with timestamp 'Jan 29 12:47' show what michaelroosz/ssh/libsk-libfido2-install installed that then resulted in a successful build with the script

ls -lart /opt/homebrew/Cellar/                                                 

total 0
drwxr-xr-x  33 aff0  admin  1056 Jan 17 04:32 ..
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:45 ca-certificates
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 gmp
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 libunistring
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 gettext
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 libidn2
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 libtasn1
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 nettle
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 p11-kit
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 openssl@3
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 libevent
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 libnghttp2
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 unbound
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 gnutls
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 libgpg-error
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 libassuan
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 libgcrypt
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 libksba
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 libusb
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 npth
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 pinentry
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 readline
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:46 gnupg
drwxr-xr-x   3 aff0  admin    96 Jan 17 04:47 pinentry-mac
drwxr-xr-x   3 aff0  admin    96 Jan 17 05:06 gpgme
drwxr-xr-x@  3 aff0  admin    96 Jan 29 07:29 libcbor
drwxr-xr-x@  3 aff0  admin    96 Jan 29 07:29 libfido2
drwxr-xr-x@  3 aff0  admin    96 Jan 29 07:29 m4
drwxr-xr-x@  3 aff0  admin    96 Jan 29 07:29 autoconf
drwxr-xr-x@  3 aff0  admin    96 Jan 29 07:29 automake
drwxr-xr-x@  3 aff0  admin    96 Jan 29 07:29 libtool
drwxr-xr-x   3 aff0  admin    96 Jan 29 12:47 ssh-askpass
drwxr-xr-x   3 aff0  admin    96 Jan 29 12:47 mpdecimal
drwxr-xr-x   3 aff0  admin    96 Jan 29 12:47 sqlite
drwxr-xr-x   3 aff0  admin    96 Jan 29 12:47 xz
drwxr-xr-x   3 aff0  admin    96 Jan 29 12:47 [email protected]
drwxr-xr-x   3 aff0  admin    96 Jan 29 12:47 ldns
drwxr-xr-x   3 aff0  admin    96 Jan 29 12:47 pkgconf
drwxrwxr-x  40 aff0  admin  1280 Jan 29 12:47 .
drwxr-xr-x   3 aff0  admin    96 Jan 29 12:47 libsk-libfido2

Do as you like with that debug info. I'm good now that either method works for me, so I'm not going to dig any further into this.

Thanks again for putting your script together.

Hi @githubaff0!

I was able to replicate what I assume to be the same issue on a friend's computer. The script, however, was working as expected on my computer without having run michaelroosz's script before. So I am guessing that there is an issue with a dependency that michaelroosz's script installs, which I happened to already have.

With that said, I haven't had the chance to look at his script yet. I will be looking deeper into the issue and post any updates here.

Thank you so much for providing such a detailed report. I am glad that you were able to get the library working for your computer, and please feel free to post here if you run into any other issues!

I originally suspected it was pkgconf but I hadn't confirmed that until now. I've tried this test a few times and it's behaves consistently in my env.

macskeyinstaller.sh.ORIG_NO_INSTALL

$ diff -C2 macskeyinstaller.sh.ORIG macskeyinstaller.sh.ORIG_NO_INSTALL
*** macskeyinstaller.sh.ORIG	Sat Feb  1 11:09:19 2025
--- macskeyinstaller.sh.ORIG_NO_INSTALL	Sat Feb  1 11:09:05 2025
***************
*** 77,80 ****
--- 77,81 ----
  printf "\n* Building OpenSSH Portable."
  make --quiet
+ exit
  
  printf "\n* Copying the Security Key Provider library to /usr/local/lib."

With pkgconf uninstalled - fails with "does not contain expected string sk_api_version"

$ (brew uninstall pkgconf; \rm -rf openssh-portable; ./macskeyinstaller.sh.ORIG_NO_INSTALL; cd openssh-portable && SSH_SK_PROVIDER=$PWD/sk-libfido2.dylib ssh-keygen -t ed25519-sk -f ed25519-sk -vvv) | tee test-nopkgconf.txt

Uninstalling /opt/homebrew/Cellar/pkgconf/2.3.0_1... (27 files, 474.3KB)

* Hello! This script compiles and installs the security key provider for the built-in macOS Open SSH client to enable support for hardware security keys (such as a YubiKey).
...
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
...
debug1: sshsk_enroll: using random challenge
lib_contains_symbol: /Users/aff0/workspaces/macskeyinstaller/openssh-portable/sk-libfido2.dylib does not contain expected string sk_api_version
provider /Users/aff0/workspaces/macskeyinstaller/openssh-portable/sk-libfido2.dylib is not an OpenSSH FIDO library
...

With pkgconf preinstalled - works showing 'implements version 0x000a0000' and asks for passphrase

$ (brew install pkgconf; \rm -rf openssh-portable; ./macskeyinstaller.sh.ORIG_NO_INSTALL; cd openssh-portable && SSH_SK_PROVIDER=$PWD/sk-libfido2.dylib ssh-keygen -t ed25519-sk -f ed25519-sk -vvv) | tee test-pkgconf.txt    

...
==> Fetching pkgconf
...
* Hello! This script compiles and installs the security key provider for the built-in macOS Open SSH client to enable support for hardware security keys (such as a YubiKey).
...
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
...
debug1: sshsk_enroll: provider "/Users/aff0/workspaces/macskeyinstaller/openssh-portable/sk-libfido2.dylib", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: sshsk_open: provider /Users/aff0/workspaces/macskeyinstaller/openssh-portable/sk-libfido2.dylib implements version 0x000a0000
...

Diff of build output between without pkgconf vs with pkgconf

$ diff -C1 test-nopkgconf.txt test-pkgconf.txt                         
*** test-nopkgconf.txt	Sat Feb  1 11:33:20 2025
--- test-pkgconf.txt	Sat Feb  1 11:35:21 2025
***************
*** 1,2 ****
! Uninstalling /opt/homebrew/Cellar/pkgconf/2.3.0_1... (27 files, 474.3KB)
  
--- 1,11 ----
! ==> Downloading https://ghcr.io/v2/homebrew/core/pkgconf/manifests/2.3.0_1-1
! Already downloaded: /Users/aff0/Library/Caches/Homebrew/downloads/4a660f26297baafd06fb3109f473edfa592f4aa00adbd8a2506b05d0374c5c1d--pkgconf-2.3.0_1-1.bottle_manifest.json
! ==> Fetching pkgconf
! ==> Downloading https://ghcr.io/v2/homebrew/core/pkgconf/blobs/sha256:6b946f8b716f639a88b6fb05fadf57de8309a53d04d4daef93dda1365f0222e3
! Already downloaded: /Users/aff0/Library/Caches/Homebrew/downloads/e6b0ced15213e02c1914d4dfc12d9fc60b77cca3b997b96a70e44106a6ef239d--pkgconf--2.3.0_1.arm64_sequoia.bottle.1.tar.gz
! ==> Pouring pkgconf--2.3.0_1.arm64_sequoia.bottle.1.tar.gz
! 🍺  /opt/homebrew/Cellar/pkgconf/2.3.0_1: 27 files, 474.3KB
! ==> Running `brew cleanup pkgconf`...
! Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
! Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
  
***************
*** 36,38 ****
                     PKCS#11 support: yes
!                   U2F/FIDO support: yes
  
--- 45,47 ----
                     PKCS#11 support: yes
!                   U2F/FIDO support: built-in
  
***************
*** 41,43 ****
      Compiler flags: -L/opt/homebrew/Cellar/openssl@3/3.4.0/lib -I/opt/homebrew/Cellar/openssl@3/3.4.0/include -L/opt/homebrew/Cellar/libfido2/1.15.0/lib -I/opt/homebrew/Cellar/libfido2/1.15.0/include -Wno-error=implicit-function-declaration -pipe -Wunknown-warning-option -Wno-error=format-truncation -Qunused-arguments -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -Wimplicit-fallthrough -Wmisleading-indentation -Wbitwise-instead-of-logical -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fzero-call-used-regs=used -ftrivial-auto-var-init=zero -mretpoline -fno-builtin-memset -fPIE  
! Preprocessor flags:  -DOPENSSL_API_COMPAT=0x10100000L
        Linker flags: -L/opt/homebrew/Cellar/openssl@3/3.4.0/lib -L/opt/homebrew/Cellar/libfido2/1.15.0/lib -pie 
--- 50,52 ----
      Compiler flags: -L/opt/homebrew/Cellar/openssl@3/3.4.0/lib -I/opt/homebrew/Cellar/openssl@3/3.4.0/include -L/opt/homebrew/Cellar/libfido2/1.15.0/lib -I/opt/homebrew/Cellar/libfido2/1.15.0/include -Wno-error=implicit-function-declaration -pipe -Wunknown-warning-option -Wno-error=format-truncation -Qunused-arguments -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -Wimplicit-fallthrough -Wmisleading-indentation -Wbitwise-instead-of-logical -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fzero-call-used-regs=used -ftrivial-auto-var-init=zero -mretpoline -fno-builtin-memset -fPIE  
! Preprocessor flags:  -DOPENSSL_API_COMPAT=0x10100000L -I/opt/homebrew/Cellar/libfido2/1.15.0/include -I/opt/homebrew/Cellar/openssl@3/3.4.0/include
        Linker flags: -L/opt/homebrew/Cellar/openssl@3/3.4.0/lib -L/opt/homebrew/Cellar/libfido2/1.15.0/lib -pie 
***************
*** 45,46 ****
--- 54,56 ----
       +for channels: -lcrypto  -lz
+         +for FIDO2: -L/opt/homebrew/Cellar/libfido2/1.15.0/lib -lfido2 -L/opt/homebrew/Cellar/openssl@3/3.4.0/lib -lcrypto
           +for sshd:  -lsandbox

Hello @githubaff0!

Thank you so much for looking into this. Your fix seems to solve the problem!

I first checked my computer and I indeed had pkgconf already installed via brew - I must have missed it when writing up the script. I have now updated the script to install it. After also testing the new version on a friend's computer, it works as expected.

If you run into any issues or need any other help regarding the script, please let me know. Thank you so much again for resolving the issue :)

Thank you for this! Got it working thanks to your script.

One suggestion is to add set -e (or something else to get the script to stop if something fails). I had two versions of openssl in brew which made the config fail, but since the script kept going I thought everything worked (and the cloned repo, including the config.log, was deleted).

@erilor Sorry I got completely sidetracked about this. I updated to script as you suggested. Thank you so much for your help :)