#!/bin/sh
# Script by Ypnose - http://ywstd.fr
set -e

# To generate a signify key pair, use this command:
# $ signify -G -c 'my awesome repo' -p repo.pub -s repo.sec

####################

# Environment
SOLBASE="${SOLBASE:-/opt/rypp}"
RYPP_ARCD="${SOLBASE}/repo}"
RYPP_SECK="${SOLBASE}/keys/repo.sec}"
RYPP_PUBK="${SOLBASE}/keys/repo.pub}"
LC_ALL=C
export LC_ALL

####################

p_err() {
	printf "ERR: %s\n" "$1" >&2
	exit 1
}

####################

if [ ! -d "$RYPP_ARCD" ]; then
	p_err "$RYPP_ARCD repo directory is missing"
fi

# People are not reliable (find(1) doesn't return a helpful $? too)
if [ -z "$(find "$RYPP_ARCD" -type f -iname "*.rypp.tgz")" ]; then
	p_err "No package found in $RYPP_ARCD"
fi

if [ ! -x "$(command -v signify)" ]; then
	p_err "signify not found in the PATH"
fi

# Keys are there?
for k in "$RYPP_SECK" "$RYPP_PUBK"; do
	if [ ! -r "$k" ]; then
		p_err "$k is either missing or unreadable"
	fi
done

cd "$RYPP_ARCD"

# Clear existing files if any
rm -f SHA256SUM SHA256SUM.mes SHA256SUM.sign

# Archive list
for f in *.rypp.tgz; do
	if [ "${f%%_*}" = "$R_PKN" ]; then
		p_err "Another '${R_PKN}' version was already registered (${R_PKL})"
	fi
	R_PKN="${f%%_*}"
	R_PKL="${f%.rypp*}"
	printf "%s\n" "$R_PKL"
done >RYPPLIST

# Checksums
sha256sum RYPPLIST *.rypp.tgz | while IFS=' ' read -r R_SUM R_ARC; do
	printf "%s  %s\n" "$R_SUM" "$R_ARC" >>SHA256SUM
	# Emulate OpenBSD sha256(1) output
	printf "SHA256 (%s) = %s\n" "$R_ARC" "$R_SUM" >>SHA256SUM.mes
done

# Sign checksums file (embed message after signature)
signify -S -e -s "$RYPP_SECK" -m SHA256SUM.mes -x SHA256SUM.sign
rm SHA256SUM.mes

# Full public key path is not necessary
inplace SHA256SUM.sign sed "1c untrusted comment: verify with ${RYPP_PUBK##*/}"

# Verify signatures using the public key. If a problem occurs online, we
# are 101% sure it's not from us...
signify -C -p "$RYPP_PUBK" -x SHA256SUM.sign

printf "%s\n" "DONE"
exit