|
1 | 1 | #!/bin/bash |
2 | 2 |
|
3 | | -set -ex |
| 3 | +set -euxo pipefail |
4 | 4 |
|
5 | 5 | exit_updater() { |
6 | 6 | local exit_code=$? |
|
22 | 22 |
|
23 | 23 | REPO_URL=https://gitlab.freedesktop.org/pulseaudio/pulseaudio.git |
24 | 24 |
|
25 | | -LATEST_REPO_VERSION="$(git ls-remote --exit-code --refs --tags --sort="v:refname" "$REPO_URL" '*.*' | tail -n1 | cut -d/ -f3 | sed 's/^v//')" |
| 25 | +LATEST_REPO_VERSION=$( |
| 26 | + git ls-remote --exit-code --refs --tags --sort="v:refname" "$REPO_URL" | |
| 27 | + head -c $((1 << 16)) | |
| 28 | + sed -nE $'$ s%^[0-9a-f]{40}\trefs/tags/v([0-9]+(\\.[0-9]{1,5}){1,2})$%\\1%p' |
| 29 | +) |
26 | 30 | LATEST_QUBES_VERSION="$(find "$LOCALDIR/pulse" -type d -name "pulsecore-*" | sed "s|$LOCALDIR/pulse/pulsecore-||" | sort -g | tail -1)" |
27 | 31 |
|
28 | 32 | trap 'exit_updater' 0 1 2 3 6 15 |
29 | 33 |
|
30 | 34 | if [ "${LATEST_QUBES_VERSION}" != "${LATEST_REPO_VERSION}" ] && [ ! -e "$LOCALDIR/pulse/pulsecore-${LATEST_REPO_VERSION}" ]; then |
31 | 35 | cd "$TMPDIR" |
| 36 | + mkdir gnupg-tmp gnupg git |
| 37 | + export "GNUPGHOME=$PWD/gnupg" |
| 38 | + cd git |
32 | 39 |
|
33 | | - git clone --depth 1 --branch "v$LATEST_REPO_VERSION" "$REPO_URL" . |
| 40 | + git clone --no-checkout --depth 1 --branch "v$LATEST_REPO_VERSION" "$REPO_URL" . |
34 | 41 |
|
| 42 | + trusted_signers=( |
| 43 | + 52DFA7B8BAC74687C8A88EF48165E3D1987E2132 |
| 44 | + B61E1D411D57BD16F11536162477064CE8B9F3BD |
| 45 | + ) |
35 | 46 | # Import keys of repo taggers |
36 | | - for key in \ |
37 | | - 52DFA7B8BAC74687C8A88EF48165E3D1987E2132 \ |
38 | | - B61E1D411D57BD16F11536162477064CE8B9F3BD; do |
39 | | - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" || |
40 | | - gpg --batch --keyserver keys.openpgp.org --recv-keys "$key" || |
41 | | - gpg --batch --keyserver pgp.mit.edu --recv-keys "$key" || |
42 | | - gpg --batch --keyserver keyserver.pgp.com --recv-keys "$key" || |
43 | | - gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key" |
44 | | - done |
| 47 | + for key in "${trusted_signers[@]}"; do |
| 48 | + echo "$key:6:" | gpg --import-ownertrust |
| 49 | + for i in keyserver.ubuntu.com keys.openpgp.org pgp.mit.edu keyserver.pgp.com; do |
| 50 | + sq keyserver --server "$i" get --binary -- "0x$key" && break |
| 51 | + done |
| 52 | + done | gpg --homedir=../gnupg-tmp --import --no-armor |
| 53 | + gpg --homedir=../gnupg-tmp --export -- "${trusted_signers[@]}" | gpg --import --no-armor |
| 54 | + |
| 55 | + for key in "${trusted_signers[@]}"; do |
| 56 | + echo "$key:6:" |
| 57 | + done | gpg --import-ownertrust |
| 58 | + |
| 59 | + tag_to_verify="refs/tags/v$LATEST_REPO_VERSION" |
45 | 60 |
|
46 | 61 | # Verify integrity |
47 | | - git -c gpg.program=gpg tag -v "$(git describe)" |
| 62 | + git -c gpg.openpgp.program=gpg -c gpg.minTrustLevel=ultimate verify-tag "$tag_to_verify" || exit |
| 63 | + git checkout "$tag_to_verify^{commit}" |
48 | 64 |
|
49 | 65 | # remove unwanted files |
50 | 66 | find "src/pulsecore" -type f ! -regex '.*\.h$' -exec rm -f {} \; |
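Review bot: The new `LATEST_REPO_VERSION` substitution (new lines 25-29) can evaluate to an empty string and nothing checks for that: `sed -n … p` prints only when the last sorted tag matches `v<digits>.<digits>[.<digits>]`, so a newest tag of any other shape (a pre-release suffix, for example) leaves the variable empty, the `!=` test at new line 34 is likely to still pass, and the script reaches `git clone --branch "v"` before failing. Add `[ -n "$LATEST_REPO_VERSION" ] || exit 1` right after the closing `)`. Separately, `head -c $((1 << 16))` now runs under the `set -o pipefail` added at new line 3: if `git ls-remote` ever emits more than 64 KiB it is terminated by SIGPIPE and the pipeline, and therefore the script, aborts — I cannot tell from here whether the tag list can reach that size, so the truncation is worth a comment or a larger bound. The per-key `gpg --import-ownertrust` at new line 48 runs before any key exists in `$GNUPGHOME` and is repeated by the loop at new lines 55-57; the later form alone is sufficient. Finally, `mkdir gnupg-tmp gnupg git` at new line 36 creates the GnuPG homedirs with the default umask; `mkdir -m 0700 gnupg-tmp gnupg git` avoids gpg's unsafe-permissions warning on them.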
|