From 233bf39323ef48b362488175bb655c4020ce2d39 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 29 Feb 2024 15:35:27 +0100 Subject: [PATCH] build: Extend getswdb.sh to allow a verified download -- --- build-aux/getswdb.sh | 96 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 92 insertions(+), 4 deletions(-) diff --git a/build-aux/getswdb.sh b/build-aux/getswdb.sh index 6ec931c25..0b97f0de5 100755 --- a/build-aux/getswdb.sh +++ b/build-aux/getswdb.sh @@ -28,9 +28,12 @@ cvtver () { usage() { cat <&2 ;; + *) + packages="$packages $1" + ;; esac shift done + # Mac OSX has only a shasum and not sha1sum if [ ${find_sha1sum} = yes ]; then for i in sha1sum shasum ; do @@ -186,10 +204,10 @@ else fi fi if [ $skip_verify = no ]; then - if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then + if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst 2>/dev/null; then echo "list of software versions is not valid!" >&2 exit 1 - fi + fi fi # 
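Review bot: The `2>/dev/null` added to the gpgv call for swdb.lst discards the output that tells a bad signature apart from a missing or unreadable `$distsigkey` keyring or an expired key, so every cause ends in the same "list of software versions is not valid!" message. Consider capturing the output and printing it only on failure, e.g. `if ! gpgv_out=$($GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst 2>&1); then printf '%s\n' "$gpgv_out" >&2`, which still keeps the success path quiet. The same redirection is used for the package signature check in `download_pkg` in the last hunk. The enclosing `if`/`else` block starts outside this hunk.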
@@ -210,3 +228,73 @@ if [ $skip_selfcheck = no ]; then
 exit 1
 fi
 fi
+
+
+# Download a package and check its signature.
+download_pkg () {
+ local url="$1"
+ local file="${url##*/}"
+
+ if ! $WGET -q -O - "$url" >"${file}.tmp" ; then
+ echo "download of $file failed." >&2
+ [ -f "${file}.tmp" ] && rm "${file}.tmp"
+ return 1
+ fi
+ if [ $skip_verify = no ]; then
+ if ! $WGET -q -O - "${url}.sig" >"${file}.tmpsig" ; then
+ echo "download of $file.sig failed." >&2
+ [ -f "${file}.tmpsig" ] && rm "${file}.tmpsig"
+ return 1
+ fi
+ if ! $GPGV -q --keyring "$distsigkey" \
+ "${file}.tmpsig" "${file}.tmp" 2>/dev/null; then
+ echo "signature of $file is not valid!" >&2
+ return 1
+ fi
+ mv "${file}.tmpsig" "${file}.sig"
+ else
+ [ -f "${file}.sig" ] && rm "${file}.sig"
+ fi
+ mv "${file}.tmp" "${file}"
+ return 0
+}
+
+
+
+baseurl=$(awk '$1=="gpgorg_base" {print $2; exit 0}' swdb.lst)
+for p in $packages; do
+ pver=$(awk '$1=="'"$p"'_ver" {print $2}' swdb.lst)
+ if [ -z "$pver" ]; then
+ echo "package '$p' not found" >&2
+ die=yes
+ else
+ pdir=$(awk '$1=="'"$p"'_dir" {print $2":"$3":"$4}' swdb.lst)
+ if [ -n "$pdir" ]; then
+ psuf=$(echo "$pdir" | cut -d: -f3)
+ pname=$(echo "$pdir" | cut -d: -f2)
+ pdir=$(echo "$pdir" | cut -d: -f1)
+ else
+ psuf=
+ pdir="$p"
+ pname="$p"
+ fi
+ if [ -z "$psuf" ]; then
+ psuf=$(awk 'BEGIN {suf="bz2"};
+ $1=="'"$p"'_sha1_gz" {suf="gz"; exit 0};
+ $1=="'"$p"'_sha1_xz" {suf"xz"; exit 0};
+ END {print suf}' swdb.lst)
+ fi
+ pfullname="$pname-$pver.tar.$psuf"
+ if [ $info_mode = yes ]; then
+ echo "$baseurl/$pdir/$pfullname"
+ else
+ echo "downloading $pfullname"
+ download_pkg "$baseurl/$pdir/$pfullname" || die=yes
+ fi
+ fi
+done
+if [ $die = yes ]; then
+ echo "errors found!" >&2
+ exit 1
+fi
+exit 0
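Review bot: In `download_pkg`, the branch where the package signature fails to verify returns 1 with `${file}.tmp` and `${file}.tmpsig` still on disk, so an unverified tarball stays in the working directory; the `.sig` download-failure branch likewise leaves `${file}.tmp` behind. Adding `rm -f "${file}.tmp" "${file}.tmpsig"` before those two `return 1` lines keeps rejected payloads from lingering where a later step could pick them up. Separately, the suffix-detection awk program has `{suf"xz"; exit 0}`, which is not an assignment, so a package that only has an `_sha1_xz` entry falls through to the `bz2` default; it should read `{suf="xz"; exit 0}`. The final `[ $die = yes ]` test also relies on `die` being initialised outside this hunk, which is not visible here.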