#!/bin/bash

archlinux=true
archlinux_arm=true
archlinux_git=true
local=false
parabola=true
wishlist=true

while [ $# -gt 0 ]; do

  case "x$1" in
    'x-l')
      local=true
    ;;
    'x--no-archlinux')
      archlinux=false
    ;;
    'x--no-archlinux-arm')
      archlinux_arm=false
    ;;
    'x--no-archlinux-git')
      archlinux_git=false
    ;;
    'x--no-parabola')
      parabola=false
    ;;
    'x--no-wishlist')
      wishlist=false
    ;;
    *)
      >&2 printf 'unknown parameter %s\n' "$1"
      >&2 printf 'known parameters:\n'
      >&2 printf '  -%s  %s\n' \
        'l' 'update local keyring'
      >&2 printf '  --no-%s\n    do not update keys from/mentioned in\n    %s\n' \
        'archlinux' 'locally running archlinux keyring' \
        'archlinux-arm' 'archlinuxarm keyring package' \
        'archlinux-git' 'archlinux sources (PKGBUILDs) git repository' \
        'parabola' 'parabola keyring package sources' \
        'wishlist' 'our keyserver'"'"'s wishlist'
      exit 1
    ;;
  esac
  shift

done

if ${parabola}; then
  parabola_keyring_version=$(
    curl -Ss 'https://repo.parabola.nu/other/parabola-keyring/' \
    | sed '
      s@^.*<a href="parabola-keyring-\([0-9.]\+\)\.tar\.gz">.*$@\1@
      t
      d
    ' \
    | sort -V \
    | tail -n1
  )
  parabola_keyring="https://repo.parabola.nu/other/parabola-keyring/parabola-keyring-${parabola_keyring_version}.tar.gz"
fi

if ${archlinux_arm}; then
  archlinuxarm_keyring=$(
    curl -Ss 'https://arch.eckner.net/archlinuxarm/arm/core/' \
    | sed '
      s@^.*<a href="archlinuxarm-keyring-\([0-9.]\+-[0-9]\+\)-any\.pkg\.tar\.xz">.*$@\1@
      t
      d
    ' \
    | sort -V \
    | tail -n1 \
    | sed '
      s@^.*$@https://arch.eckner.net/archlinuxarm/arm/core/archlinuxarm-keyring-\0-any.pkg.tar.xz@
    '
  )
fi

{
  {
    if ${archlinux_git}; then
      find \
        /usr/src/archlinux/{packages,community}/ \
        /usr/src/archlinux32/packages/ \
        ~/eigeneSkripte/archPackages/ \
        -type f -name PKGBUILD \
        -exec sed -n '
          /^\s*validpgpkeys=.*)/p
          /^\s*validpgpkeys=[^)]\+$/,/)/p
        ' {} + 2>/dev/null \
      | sed '
        s/#.*$//
        s/^\s*validpgpkeys=(//
        s/).*$//
      ' \
      | tr -d '" \t'"'"
    fi
    curl -Ss 'https://archlinux32.org/key-wishlist'
    {
      if ${archlinux_arm}; then
        curl -Ss "${archlinuxarm_keyring}" \
        | bsdtar -Oxf - usr/share/pacman/keyrings/archlinuxarm-{trusted,revoked}
      fi
      if ${parabola}; then
        curl -Ss "${parabola_keyring}" \
        | bsdtar -Oxf - parabola-keyring-${parabola_keyring_version}/parabola-{trusted,revoked}
      fi
    } \
    | cut -d: -f1
  } \
  | sort -u \
  | grep -x '[0-9a-fA-F]\{16,40\}' \
  | while read -r key_id; do
    key=$(gpg -a --export "${key_id}" 2>/dev/null)
    if [ -z "${key}" ]; then
      /usr/src/skripte/gpg-safe-import/gpg-safe-import --recv-keys "${key_id}"
      key=$(gpg -a --export "${key_id}" 2>/dev/null)
    fi
    if [ -z "${key}" ]; then
      >&2 printf 'key "%s" is unknown\n' "${key_id}"
      continue
    fi
    printf '%s\n' "${key}"
  done
  if ${archlinux}; then
    gpg --homedir /etc/pacman.d/gnupg -a --export
  fi
  if ${archlinux_arm}; then
    curl -Ss "${archlinuxarm_keyring}" \
    | bsdtar -Oxf - usr/share/pacman/keyrings/archlinuxarm.gpg
  fi
  if ${parabola}; then
    curl -Ss "${parabola_keyring}" \
    | bsdtar -Oxf - parabola-keyring-${parabola_keyring_version}/parabola.gpg
  fi
} \
| if ${local}; then
  sudo su http -s /bin/bash -c 'gpg --import'
else
  ssh archlinux32 "sudo su http -s /bin/bash -c 'gpg --import'"
fi