#!/bin/sh

set -e

if [ $# -eq 0 ]; then
    echo "No arguments provided. Aborting..."
    exit 1
fi

if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
    echo "usage: ./repo-sign.sh [-h] [REPO_PATH PUB_KEY_FULLPATH GPG_SUBKEY_ID]

Deploys packages for you.

Possible values for the arguments:

REPO_PATH          path of the repositpry
GPG_SUBKEY_ID      fingerprint of the (sub)key to use to sign

Dependencies: -
"
    exit 0
fi

if [ $# -lt 2 ]; then
    echo "Mandatory arguments: 'REPO_PATH', 'PUB_KEY_FULLPATH'. Aborting..."
    exit 1
fi

REPO_PATH="${1}"
PUB_KEY_FULLPATH="${1}"
[ -n "${3+x}" ] && GPG_SUBKEY_ID="${3}"

if [ ! -f "${GNUPGHOME}/pubring.kbx" ]; then
    echo "The file 'pubring.kbx' file has not been found. Generating automatically a new one with a new set of keys..."
    KEY_NAME="Joe Tester"
    KEY_PASSPHRASE="over-the-lazy-dog"
    cat >foo_keys <<EOF
         %echo Generating a basic OpenPGP key
         Key-Type: RSA
         Key-Usage: sign
         Key-Length: 4096
         Subkey-Type: RSA
         Subkey-Usage: sign
         Subkey-Length: 4096
         Name-Real: ${KEY_NAME}
         Name-Comment: with stupid passphrase
         Name-Email: joe@foo.bar
         Expire-Date: 0
         Passphrase: ${KEY_PASSPHRASE}
         # Do a commit here, so that we can later print "done" :-)
         %commit
         %echo done
EOF
    gpg --batch --generate-key foo_keys
    echo "${KEY_PASSPHRASE}" > "${GNUPGHOME}/passphrase"
fi

if [ -z "${GPG_SUBKEY_ID+x}" ]; then
    echo "A GPG key id has not been defined. Automatically selecting a fingerprint..."
    # List key and its subkey with their respective fingerprints | filter fingerprints of both keys | pick fingerprint of the second row
    # (the subkey seems to be listed always after its respective subkey)
    GPG_SUBKEY_ID="$(gpg --list-secret-key --with-subkey-fingerprint --with-colons | awk -F: '$1 == "fpr" {print $10;}' | sed -n '2 p')"
fi

# - Generate the armored pub key (NEW_KEY) that has to be published;
# - If the key does not exists in PUB_KEY_FULLPATH, place NEW_KEY;
# - If PUB_KEY_FULLPATH exixts but is not identical to NEW_KEY, then backup
#   the old key (PUB_KEY_FULLPATH) and replace it with the new one (NEW_KEY).
# - Else do nothing.
NEW_KEY="$(mktemp)"
gpg --armor --export "${GPG_SUBKEY_ID}" > "${NEW_KEY}"
if [ ! -f "${PUB_KEY_FULLPATH}" ];then
    echo "Public key not published. Generating and publishing it..."
    mv "${NEW_KEY}" "${PUB_KEY_FULLPATH}"
elif [ -f "${PUB_KEY_FULLPATH}" ] &&  ! cmp --silent "${PUB_KEY_FULLPATH}" "${NEW_KEY}"; then
    mv "${PUB_KEY_FULLPATH}" "${PUB_KEY_FULLPATH}".bak
    mv "${NEW_KEY}" "${PUB_KEY_FULLPATH}"
fi

echo "Signing the repo..."
gpg --passphrase-file "${GNUPGHOME}/passphrase" --pinentry-mode loopback --default-key "${GPG_SUBKEY_ID}" -abs -o - "${REPO_PATH}/Release" > "${REPO_PATH}/Release.gpg"
gpg --passphrase-file "${GNUPGHOME}/passphrase" --pinentry-mode loopback --default-key "${GPG_SUBKEY_ID}" --clearsign -o - "${REPO_PATH}/Release" > "${REPO_PATH}/InRelease"