#!/bin/bash
set -eo pipefail

if [[ -z "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" ]]; then
	echo "CI_MERGE_REQUEST_DIFF_BASE_SHA is not set"
	exit 1
fi

GNUPGHOME="$(mktemp -d --tmpdir archlinux-keyring-XXXXXXXXX)"
export GNUPGHOME
trap 'rm -rf $GNUPGHOME' EXIT INT TERM QUIT

for NEW_KEY in $(git diff --color=never "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" -- master-keyids packager-keyids | grep -oP '^\+(\K[A-Z0-9]{40})'); do
	echo "Receive gpg key ${NEW_KEY} ..."
	gpg --recv "${NEW_KEY}"

	echo "Export gpg key ${NEW_KEY} ..."
	gpg --export "${NEW_KEY}" > "${GNUPGHOME}/${NEW_KEY}"

	echo "Lint gpg key ${NEW_KEY} via hokey..."
	hokey lint < "${GNUPGHOME}/${NEW_KEY}"
	echo "Lint gpg key ${NEW_KEY} via sq-keyring-linter..."
	sq-keyring-linter "${GNUPGHOME}/${NEW_KEY}"
done

for REMOVED_KEY in $(git diff --color=never "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" -- packager-keyids | grep -oP '^\-(\K[A-Z0-9]{40})'); do
	echo "Check if removed packager key ${REMOVED_KEY} is added to revoked keys..."
	git diff --color=never "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" -- packager-revoked-keyids | grep -E "^\+${REMOVED_KEY}\s"

	echo "Receive gpg key ${REMOVED_KEY} ..."
	gpg --recv "${REMOVED_KEY}"

	SHORT_KEYID="${REMOVED_KEY:24:16}"
	echo "Check if key ${SHORT_KEYID} is still used by a package..."
	if pacman -Sii | grep -m1 "${SHORT_KEYID}"; then
		exit 1
	fi
done