Move update key generation to the update lockfile script

.github/workflows/android-audit.yml

@@ -90,10 +90,7 @@ jobs:
           cp dist-assets/maybenot_machines android/app/build/extraAssets/maybenot_machines
 
       - name: Re-generate lockfile
-        run: android/scripts/update-lockfile.sh
-
-      - name: Re-generate lockfile keys
-        run: android/scripts/update-lockfile-keys.sh   
+        run: android/scripts/update-lockfile.sh   
 
       - name: Ensure no changes
         run: git diff --exit-code

android/scripts/update-lockfile.sh

@@ -29,7 +29,7 @@ export GRADLE_USER_HOME
 
 function cleanup {
     echo "Cleaning up temp dirs..."
-    rm -rf -- "$GRADLE_USER_HOME" "$TEMP_GRADLE_PROJECT_CACHE_DIR"
+    rm -rf -- "$GRADLE_USER_HOME" "$TEMP_GRADLE_PROJECT_CACHE_DIR" ../gradle/verification-metadata.dryrun.xml ../gradle/verification-keyring.dryrun.keys ../gradle/verification-keyring.dryrun.gpg
 }
 
 trap cleanup EXIT
@@ -50,3 +50,55 @@ for GRADLE_TASK in "${GRADLE_TASKS[@]}"; do
     ../gradlew -q -p .. --project-cache-dir "$TEMP_GRADLE_PROJECT_CACHE_DIR" -M sha256 "$GRADLE_TASK" "${EXCLUDED_GRADLE_TASKS[@]}"
     echo ""
 done
+
+echo "### Updating dependency lockfile verification keys ###"
+echo ""
+
+echo "Set key servers true temporarily"
+sed -Ei 's,key-servers enabled="[^"]+",key-servers enabled="true",' ../gradle/verification-metadata.xml
+
+# Generate keys
+
+echo "Generating new trusted keys..."
+../gradlew -q -p .. --project-cache-dir "$TEMP_GRADLE_PROJECT_CACHE_DIR" -M pgp,sha256 "${GRADLE_TASKS[@]}" --export-keys --dry-run "${EXCLUDED_GRADLE_TASKS[@]}"
+
+# Move keys from dry run file to existing file (This part is taken from: https://gitlab.com/fdroid/fdroidclient/-/blob/master/gradle/update-verification-metadata.sh)
+# extract the middle of the new file, https://github.com/gradle/gradle/issues/18569
+grep -B 10000 "<trusted-keys>" ../gradle/verification-metadata.dryrun.xml > "$TEMP_GRADLE_PROJECT_CACHE_DIR/new.head"
+grep -A 10000 "</trusted-keys>" ../gradle/verification-metadata.dryrun.xml > "$TEMP_GRADLE_PROJECT_CACHE_DIR/new.tail"
+numTopLines="$(cat "$TEMP_GRADLE_PROJECT_CACHE_DIR/new.head" | wc -l)"
+numTopLinesPlus1="$(($numTopLines + 1))"
+numBottomLines="$(cat "$TEMP_GRADLE_PROJECT_CACHE_DIR/new.tail" | wc -l)"
+numLines="$(cat ../gradle/verification-metadata.dryrun.xml | wc -l)"
+numMiddleLines="$(($numLines - $numTopLines - $numBottomLines))"
+# also remove 'version=' lines, https://github.com/gradle/gradle/issues/20192
+cat ../gradle/verification-metadata.dryrun.xml | tail -n "+$numTopLinesPlus1" | head -n "$numMiddleLines" | sed 's/ version="[^"]*"//' > "$TEMP_GRADLE_PROJECT_CACHE_DIR/new.middle"
+
+# extract the top and bottom of the old file
+grep -B 10000 "<trusted-keys>" ../gradle/verification-metadata.xml > "$TEMP_GRADLE_PROJECT_CACHE_DIR/old.head"
+grep -A 10000 "</trusted-keys>" ../gradle/verification-metadata.xml > "$TEMP_GRADLE_PROJECT_CACHE_DIR/old.tail"
+
+# update verification metadata file
+cat "$TEMP_GRADLE_PROJECT_CACHE_DIR/old.head" "$TEMP_GRADLE_PROJECT_CACHE_DIR/new.middle" "$TEMP_GRADLE_PROJECT_CACHE_DIR/old.tail" > ../gradle/verification-metadata.xml
+
+echo "sorting keyring and removing duplicates"
+  # sort and unique the keyring
+  # https://github.com/gradle/gradle/issues/20140
+  # `sed 's/$/NEWLINE/g'` adds the word NEWLINE at the end of each line
+  # `tr -d '\n'` deletes the actual newlines
+  # `sed` again adds a newline at the end of each key, so each key is one line
+  # `sort` orders the keys deterministically
+  # `uniq` removes identical keys
+  # `sed 's/NEWLINE/\n/g'` puts the newlines back
+cat ../gradle/verification-keyring.dryrun.keys \
+    | sed 's/$/NEWLINE/g' \
+    | tr -d '\n' \
+    | sed 's/\(-----END PGP PUBLIC KEY BLOCK-----\)/\1\n/g' \
+    | grep "END PGP PUBLIC KEY BLOCK" \
+    | sort \
+    | uniq \
+    | sed 's/NEWLINE/\n/g' \
+    > ../gradle/verification-keyring.keys
+
+echo "Disable key servers again"
+sed -Ei 's,key-servers enabled="[^"]+",key-servers enabled="false",' ../gradle/verification-metadata.xml