#!/bin/bash

## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

set -x
set -e

true "INFO: Currently running script: $BASH_SOURCE $@"

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

cd "$MYDIR"
cd ..
cd help-steps

dist_build_internal_run="true"

source pre
source colors
source variables

main() {
   sanity_tests "$@"
   gpg_key_create "$@"
   gpg_key_debugging "$@"
   gpgv_key_import "$@"
   gpgv_key_debugging "$@"
   signify_key_create "$@"
   true "INFO: END of $FUNCNAME"
}

sanity_tests() {
   command -v signify-openbsd >/dev/null
}

gpg_key_create() {
   true "gpg_bin: $gpg_bin"
   ## Debugging.
   pwd

   ## Set up a separate GPG keystore.
   #export GNUPGHOME="$dist_local_signing_key_folder"

   mkdir --parents "$dist_local_signing_key_folder"
   ## chmod 700, so gpg will not complain about folder permissions
   chmod --recursive og-rwx "$dist_local_signing_key_folder"

   ## Initialize.
   $gpg_bin --fingerprint --keyid-format 0xlong &>/dev/null

   ## http://www.gnupg.org/documentation/manuals/gnupg-devel/Unattended-GPG-key-generation.html
   ## https://github.com/ioerror/torbirdy/blob/master/gpg.conf

   if $gpg_bin --fingerprint --keyid-format 0xlong "$DEBEMAIL" &>/dev/null ; then
      true "INFO: gpg key with uid DEBEMAIL $DEBEMAIL already exists. Skipping."
      return 0
   fi

   true "INFO: gpg key with uid DEBEMAIL $DEBEMAIL does not exist yet. Generating..."

   ## https://unix.stackexchange.com/questions/318385/no-such-file-or-directory-when-generating-a-gpg-key
   ## gpg: agent_genkey failed: No such file or directory
   ## Key generation failed: No such file or directory
   #gpgconf --kill gpg-agent

   ## Not idempotent. (Would generate different key.)
   $gpg_bin \
      --no-emit-version \
      --no-comments \
      --display-charset utf-8 \
      --personal-digest-preferences SHA512 \
      --cert-digest-algo SHA512 \
      --default-preference-list "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed" \
      --default-new-key-algo "ed25519/cert,sign,auth+cv25519/encr" \
      --keyserver-options no-honor-keyserver-url \
      --fixed-list-mode \
      --keyid-format 0xlong \
      --list-options show-uid-validity \
      --sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g \
      --batch \
      --pinentry-mode loopback \
      --passphrase '' \
      --quick-generate-key "$DEBEMAIL" default default 0

   true "INFO: END of $FUNCNAME"
}

gpg_key_debugging() {
   true "INFO: show gpg secret key fingerprint for uid DEBEMAIL"
   ## Just output list of secret keys in that very folder in case that ever breaks and someone ever sends
   ## a build log, this will help with debugging.
   ## Idempotent.
   $gpg_bin \
      --keyid-format 0xlong \
      --fingerprint \
      --list-secret-keys \
      "$DEBEMAIL"
}

gpgv_key_import() {
   ## gpgv supports ~/.gnupg/trustedkeys.kbx but dpkg-source only supports ~/.gnupg/trustedkeys.gpg
   touch ~/.gnupg/trustedkeys.gpg

   true "INFO: Create ~/.gnupg/trustedkeys.gpg for dpkg-source."
   ## `dpkg-source` uses `gpgv` which uses file '~/.gnupg/trustedkeys.gpg'
   ## '--trust-model always' is required otherwise gpg exists non-zero.
   ## Idempotent.
   $gpg_bin \
      --keyid-format 0xlong \
      --armor \
      --export \
      "$DEBEMAIL" | \
         $gpg_bin \
            --no-default-keyring \
            --keyring ~/.gnupg/trustedkeys.gpg \
            --trust-model always \
            --import

   ## sets: signing_gpg_key_fingerprint
   signing_gpg_key_fingerprint_function

   true "INFO: Set signing key uid DEBEMAIL to ultimately trusted in keyring ~/.gnupg/trustedkeys.gpg. Otherwise dpkg-source would refuse it."
   ## Idempotent.
   echo -e "5\ny\n" | \
      $gpg_bin \
         --no-default-keyring \
         --keyring ~/.gnupg/trustedkeys.gpg \
         --command-fd 0 \
         --edit-key "$signing_gpg_key_fingerprint" \
         trust
}

gpgv_key_debugging() {
   true "INFO: show signing key uid DEBEMAIL using for keyring ~/.gnupg/trustedkeys.gpg (for gpgv / dpkg-source))"
   ## Idempotent.
   $gpg_bin \
      --no-default-keyring \
      --keyring ~/.gnupg/trustedkeys.gpg \
      --keyid-format 0xlong \
      --fingerprint \
      --list-secret-keys \
      "$DEBEMAIL"
}

signify_key_create() {
   mkdir --parents "$signify_folder"
   chmod --recursive og-rwx "$signify_folder"

   if test -f "$signify_private_key" ; then
      true "INFO: signify_private_key $signify_private_key already exists. Skipping."
      return 0
   fi

   pushd "$signify_folder" >/dev/null
   ## Not idempotent. (Would generate different key.)
   signify-openbsd -n -G -p "$signify_public_key" -s "$signify_private_key" -c "derivative-maker"
   popd >/dev/null

   true "INFO: END of $FUNCNAME"
}

main "$@"
