From 068754e19667551367ee5bb21b1cdd5218c21213 Mon Sep 17 00:00:00 2001
From: Erich Eckner
Date: Wed, 7 Aug 2019 12:11:06 +0200
Subject: bin/nit-picker: check packager-keys, too
---
 bin/nit-picker | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
(limited to 'bin/nit-picker')
diff --git a/bin/nit-picker b/bin/nit-picker
index 102b831..24f274d 100755
--- a/bin/nit-picker
+++ b/bin/nit-picker
@@ -109,6 +109,16 @@ while pgrep -x ii >/dev/null \
 printf ' FROM `package_sources`'
 printf ';\n'
+ printf 'SELECT DISTINCT'
+ printf ' "binary-signature",'
+ mysql_package_name_query
+ printf ' FROM `binary_packages`'
+ mysql_join_binary_packages_architectures
+ mysql_join_binary_packages_binary_packages_in_repositories
+ mysql_join_binary_packages_in_repositories_repositories
+ printf ' WHERE `repositories`.`is_on_master_mirror`'
+ printf ';\n'
+
 printf 'SELECT DISTINCT'
 printf ' "binary-dependencies",'
 mysql_package_name_query
@@ -249,6 +259,68 @@ while pgrep -x ii >/dev/null \
 "${tmp_dir}/db-deps" \
 "${tmp_dir}/pkg-deps"
 ;;
+ 'binary-signature')
+ ${master_mirror_rsync_command} \
+ "${master_mirror_rsync_directory}/pool/${parameters}" \
+ "${master_mirror_rsync_directory}/pool/${parameters}.sig" \
+ "${tmp_dir}/"
+ unset error_message
+ if ! gpg_output=$(
+ gpg --batch --status-fd 1 -q --homedir /etc/pacman.d/gnupg \
+ --verify "${tmp_dir}/${parameters}.sig" "${tmp_dir}/${parameters}" \
+ 2>/dev/null
+ ); then
+ error_message="package ${parameters} has an invalid signature."
+ fi
+ if [ -z "${error_message}" ]; then
+ gpg_key=$(
+ printf '%s\n' "${gpg_output}" \
+ | sed '
+ s/^\[GNUPG:] KEY_CONSIDERED \([0-9A-F]\{40\}\) 0$/\1/
+ t
+ d
+ ' \
+ | sort -u
+ )
+ if [ -z "${gpg_key}" ]; then
+ error_message="cannot find pgp_key of package ${parameters}."
+ fi
+ fi
+ if [ -z "${error_message}" ]; then
+ for expiration in $(
+ gpg --batch --homedir /etc/pacman.d/gnupg --with-colons --list-keys "0x${gpg_key}" \
+ | grep '^\(sub\|pub\):' \
+ | cut -d: -f7
+ ); do
+ expiration_days=$(((expiration - $(date +%s))/24/60/60))
+ if [ ${expiration_days} -lt 100 ]; then
+ error_message=$(
+ printf 'signing key %s (from %s) for package %s expires on %s (in %s < 100 days).\n' \
+ "${gpg_key}" \
+ "$(
+ gpg --batch --homedir /etc/pacman.d/gnupg --with-colons --list-keys "0x${gpg_key}" \
+ | grep '^\(uid\):' \
+ | cut -d: -f10
+ )" \
+ "${parameters}" \
+ "$(date -I -d@"${expiration}")" \
+ "${expiration_days}"
+ )
+ break
+ fi
+ done
+ fi
+ if [ -n "${error_message}" ]; then
+ printf '%s\n' "${error_message}" \
+ | irc_say
+ if [ $# -eq 0 ]; then
+ sleep 60
+ fi
+ fi
+ rm \
+ "${tmp_dir}/${parameters}" \
+ "${tmp_dir}/${parameters}.sig"
+ ;;
 *)
 >&2 printf 'action "%s" is not yet implemented ...\n' "${action}"
 ;;
-- cgit v1.2.3-54-g00ecf
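Review bot: The signing-key fingerprint is taken from every `KEY_CONSIDERED` status line and then passed through `sort -u`, so `gpg_key` can end up holding several fingerprints, or a key gpg merely considered rather than the one that produced the signature, and a multi-line value then breaks both `--list-keys "0x${gpg_key}"` calls and misnames the key in the IRC message. The `VALIDSIG` status line carries the signing key's primary fingerprint as its last field, so `s/^\[GNUPG:] VALIDSIG .* \([0-9A-F]\{40\}\)$/\1/` is the safer extraction and the `sort -u` becomes unnecessary. Separately, the rsync fetch's exit status is never checked and gpg's stderr is discarded by `2>/dev/null`, so a missing `.sig` on the mirror or an unreadable `/etc/pacman.d/gnupg` is reported as "has an invalid signature", and the trailing `rm` then fails on absent files (which presumably aborts the loop if the script runs under `set -e`); guarding the fetch with `|| error_message="cannot fetch ${parameters} or its signature."` before the verify step keeps the alert accurate. The enclosing `case` and the `while pgrep -x ii` loop both begin outside the hunk.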