#!/bin/sh
#
# Copyright © 2005 Javier Fernandez-Sanguino Peña <jfs@computer.org>
# Copyright © 2005 Frank Lichtenheld <djpig@debian.org>
# Copyright © 2017, 2019, 2021 Guillem Jover <guillem@debian.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.
#

# Verify that a .changes file has been OpenPGP signed and that the signatures
# are good.

FILE=$1
# If no gpg is found just exit
[ ! -x "$(command -v gpg)" ] && exit 0
# If the file is not found just exit with error
[ ! -r "$FILE" ] && exit 2

printf "Checking OpenPGP signatures before upload..."

# Use the exit status to determine if the signature is ok or not
gpg --weak-digest SHA1 --weak-digest RIPEMD160 --verify "$FILE" >/dev/null 2>&1
ret=$?
if [ $ret -eq 1 ]; then
  echo "OpenPGP verification of $FILE failed!"
  exit 1
elif [ $ret -eq 2 ]; then
  if grep -- '-----BEGIN PGP' "$FILE" >/dev/null 2>&1; then
    echo "OpenPGP signature cannot be checked, probably because of missing keys"
    exit 0
  else
    echo "OpenPGP signature is missing"
    exit 1
  fi
fi

echo ...signatures are ok

exit 0

