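#!/bin/bash
# Copyright 2023 Gentoo Authors; Distributed under the GPL v2
# might be earlier copyright, no history available

# Syncs binary packages from the per-arch upload tree (INTREE) into the
# signing tree (SIGTREE), signs every not-yet-signed *.gpkg.tar found under
# SIGTREE, and runs `emaint -f binhost` for each package tree.
#
# NOTE 1: This script is SLOW. It should run at most once per day.
# NOTE 2: This script requires that the signing key has its ownertrust
#         set to ultimate. Which makes sense anyway, since we have the
#         secret key.
# NOTE 3: This script has to run as gmirror user.
#
# NOTE(review): step 2 signs whatever step 1 copied in, so write access to
# INTREE effectively yields a signature from BINPKG_GPG_SIGNING_KEY.
# Presumably the upload side is access-controlled or verified elsewhere;
# confirm.
#
# Exit status:
#   111  not running as gmirror
#   1    the find/sign traversal or `emaint -f binhost` failed for a tree
#   0    otherwise (rsync failures are only reported on stderr)

# Print a diagnostic, prefixed with the script name, on stderr.
warn() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
}

# for testing
# NOTE(review): while this assignment is active, the default below never
# applies and step 1 only syncs sparc. Confirm this is intended outside
# of testing.
ARCHES="sparc"

# Keep this variable in sync
_ARCHES="alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86"
#alpha amd64 arm64 arm hppa ia64 loong m68k mips ppc riscv s390 sh sparc x86
ARCHES=${ARCHES:-${_ARCHES}}

INTREE=/release/weekly/binpackages
SIGTREE=/release/binpackages

export BINPKG_GPG_SIGNING_GPG_HOME=/home/gmirror/.gnupg-releng
export BINPKG_GPG_SIGNING_KEY=13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
export BINPKG_GPG_VERIFY_GPG_HOME=${BINPKG_GPG_SIGNING_GPG_HOME}

if [[ $(whoami) != "gmirror" ]]; then
  warn "must be run as user gmirror"
  exit 111
fi

# Stop running GnuPG daemons before signing.
# NOTE(review): no --homedir is passed, so unless GNUPGHOME is set in the
# environment this acts on the default GnuPG home rather than on
# BINPKG_GPG_SIGNING_GPG_HOME. Confirm that is the intent.
gpgconf --kill all

status=0

# step 1: rsync from the dirs where the arches copy in
# make sure to *not* overwrite existing newer files (obviously
# the signature changed them)...

# Word splitting of ARCHES is intentional: it is a space-separated list.
for a in ${ARCHES} ; do
  # The arch name becomes a path component of an rsync that deletes, so
  # refuse values that could point outside the two trees.
  case ${a} in
    */* | .*)
      warn "refusing arch name '${a}'"
      continue
      ;;
  esac

  rsync --archive --delete --delete-after --update --mkpath \
    "${INTREE}/${a}"/* "${SIGTREE}/${a}/" \
    || warn "rsync for ${a} failed (exit $?)"
done

# step 2: iterate over all binary package trees, sign
# all unsigned files
# (this covers every tree below SIGTREE, not only the arches in ARCHES)

# we assume the directory structure to be
# .../binpackages/amd64/17.1/x86-64
# .../binpackages/amd64/17.1/x86-64_musl
# .../binpackages/mips/17.0/mipsel3_n32
# .../binpackages/x86/17.0/x86_musl_hardened

for t in "${SIGTREE}"/*/*/* ; do
  # An unmatched glob is left as the literal pattern; skip it instead of
  # handing a non-existent path to find and emaint.
  [[ -e ${t} ]] || continue

  # With -exec ... \; find's exit status does not reflect failures of
  # gpkg-sign itself, so a failed signature shows up only in whatever
  # gpkg-sign prints on stderr. Only stdout is discarded here.
  find "${t}" -name '*.gpkg.tar' -exec gpkg-sign --skip-signed {} \; > /dev/null \
    || { warn "find/sign traversal failed in ${t}"; status=1; }

  PKGDIR="${t}" emaint -f binhost > /dev/null \
    || { warn "emaint -f binhost failed for ${t}"; status=1; }
done

# unfortunately these commands make much noise... let's hope we notice errors

exit "${status}"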