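#!/bin/bash
# CI check for merge requests against the keyring repository.
#
# Diffs the checkout against CI_MERGE_REQUEST_DIFF_BASE_SHA and
#   * fetches and lints (hokey, sq-keyring-linter) every fingerprint added to
#     master-keyids or packager-keyids, and
#   * for every fingerprint removed from packager-keyids, requires that the same
#     MR adds it to packager-revoked-keyids and that `pacman -Sii` no longer
#     mentions its long key ID.
#
# Requires: git, gpg with keyserver access (dirmngr), hokey, sq-keyring-linter,
# pacman with sync databases available. Any failing step fails the job.
set -euo pipefail

if [[ -z "${CI_MERGE_REQUEST_DIFF_BASE_SHA:-}" ]]; then
	echo "CI_MERGE_REQUEST_DIFF_BASE_SHA is not set" >&2
	exit 1
fi

# Fail early if the base SHA does not resolve. Otherwise `git diff` fails,
# both key lists come out empty and the job passes without checking anything.
if ! git rev-parse --verify --quiet "${CI_MERGE_REQUEST_DIFF_BASE_SHA}^{commit}" >/dev/null; then
	echo "CI_MERGE_REQUEST_DIFF_BASE_SHA (${CI_MERGE_REQUEST_DIFF_BASE_SHA}) is not a commit in this repository" >&2
	exit 1
fi

# Throw-away keyring so nothing is imported into the runner's real one
# (mktemp -d creates it with mode 0700).
GNUPGHOME="$(mktemp -d --tmpdir archlinux-keyring-XXXXXXXXX)"
export GNUPGHOME

cleanup() {
	# `gpg --recv` starts dirmngr/gpg-agent for this GNUPGHOME; stop them before
	# deleting their home. Best effort: they may already be gone.
	gpgconf --kill all 2>/dev/null || true
	rm -rf -- "${GNUPGHOME:?}"
}
trap cleanup EXIT INT TERM QUIT

#######################################
# Print the 40-hex-digit fingerprints on lines the MR adds ('+') or removes
# ('-') in the given files, one per line.
# Globals:   CI_MERGE_REQUEST_DIFF_BASE_SHA (read)
# Arguments: $1 - '+' or '-'; remaining - paths passed to `git diff`
# Outputs:   fingerprints to stdout (nothing when no such line changed)
# Returns:   0 also when nothing matched; non-zero if git or grep itself fails
#######################################
changed_keyids() {
	local marker="$1"
	shift
	local diff
	# Assignment kept separate from `local` so a failing `git diff` is not masked.
	diff="$(git diff --color=never "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" -- "$@")"
	# \K drops the diff marker from the match. grep exits 1 for "no match",
	# which is the normal "no keys changed" case here, not an error.
	grep -oP "^\\${marker}\K[A-Z0-9]{40}" <<<"${diff}" || [[ $? -eq 1 ]]
}

# Captured into variables rather than expanded inside `for ... in $(...)`, so
# that a failing `git diff` aborts the job instead of yielding an empty list.
NEW_KEYS="$(changed_keyids '+' master-keyids packager-keyids)"
REMOVED_KEYS="$(changed_keyids '-' packager-keyids)"

# shellcheck disable=SC2086 # intentional word splitting: whitespace-separated hex fingerprints
for NEW_KEY in ${NEW_KEYS}; do
	KEY_FILE="${GNUPGHOME}/${NEW_KEY}"

	# The full fingerprint is requested; the keyserver is whatever dirmngr is
	# configured with (NOTE(review): it is not pinned by this script).
	echo "Receive gpg key ${NEW_KEY} ..."
	gpg --recv "${NEW_KEY}"

	echo "Export gpg key ${NEW_KEY} ..."
	gpg --export "${NEW_KEY}" > "${KEY_FILE}"
	# Don't hand an empty file to the linters and call that a pass.
	if [[ ! -s "${KEY_FILE}" ]]; then
		echo "No key material exported for ${NEW_KEY}" >&2
		exit 1
	fi

	echo "Lint gpg key ${NEW_KEY} via hokey..."
	hokey lint < "${KEY_FILE}"
	echo "Lint gpg key ${NEW_KEY} via sq-keyring-linter..."
	sq-keyring-linter "${KEY_FILE}"
done

if [[ -n "${REMOVED_KEYS}" ]]; then
	# Read once, and outside any `if` condition, so that a failing pacman (e.g.
	# no sync databases in the CI image) aborts the job instead of making every
	# "still used" check below pass vacuously.
	PACKAGE_INFO="$(pacman -Sii)"
fi

# shellcheck disable=SC2086 # intentional word splitting, see above
for REMOVED_KEY in ${REMOVED_KEYS}; do
	echo "Check if removed packager key ${REMOVED_KEY} is added to revoked keys..."
	# The fingerprint is hex only, so interpolating it into the pattern is safe.
	# `\s` requires the added line to continue after the fingerprint
	# (presumably "<fingerprint> <name>", as in the other keyids files).
	if ! git diff --color=never "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" -- packager-revoked-keyids \
		| grep -E "^\+${REMOVED_KEY}\s"; then
		echo "Removed packager key ${REMOVED_KEY} was not added to packager-revoked-keyids" >&2
		exit 1
	fi

	# NOTE(review): the received key is not inspected further by this script;
	# presumably this only confirms it is still obtainable from the keyserver.
	echo "Receive gpg key ${REMOVED_KEY} ..."
	gpg --recv "${REMOVED_KEY}"

	# Last 16 hex digits of the 40-digit fingerprint, i.e. the long key ID
	# (assumed to be what `pacman -Sii` prints for signing keys -- verify).
	SHORT_KEYID="${REMOVED_KEY:24:16}"
	echo "Check if key ${SHORT_KEYID} is still used by a package..."
	# Fixed-string match anywhere in the output; the matching line is printed
	# so the job log shows which package still references the key.
	if grep -m1 -F -- "${SHORT_KEYID}" <<<"${PACKAGE_INFO}"; then
		echo "Key ${SHORT_KEYID} (${REMOVED_KEY}) is still referenced in the package databases" >&2
		exit 1
	fi
done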