antichris/secure-apt-keyring.sh

## secure-apt-keyring.sh
#!/bin/sh -e

## This Source Code Form is subject to the terms of the Mozilla Public
## License, v. 2.0. If a copy of the MPL was not distributed with this
## file, You can obtain one at https://mozilla.org/MPL/2.0/.

self=$(basename "$(readlink -f "$0")")
krDir=/etc/apt/keyrings

usage=$(cat) <<***
Usage:  ${self} KEYRING SOURCELIST

Move KEYRING to ${krDir} and add as the signing keyring for SOURCELIST.

  --help	display this help and exit

The KEYRING is moved from its current location to ${krDir} and all
repository entries in the SOURCELIST are updated to have the Signed-By option
point to the KEYRING at its new location in ${krDir}.

KEYRING is an OpenPGP certificate (also known as "GPG key public ring") file.
SOURCELIST is a ONE-LINE-STYLE format .list file (see sources.list(5) manpage).

Example:

    ${self} /etc/apt/trusted.gpg.d/google-chrome.gpg \\
        /etc/apt/sources.list.d/google-chrome.list
***

main() {
	for arg; do
		[ "$arg" = '--help' ] && dieWithUsage 0
	done

	krSrc=$(reqFile "$1" KEYRING) || dieWithUsage $? " "
	krDst=${krDir}/$(basename "$krSrc")

	sources=$(reqFile "$2" SOURCELIST) || dieWithUsage $? " "
	reqFileMIME "$sources" text/plain || dieWithUsage $? " "

	ss='signed-by='

	rxDeb='(^\s*(#+\s*)?deb(-src)?\s+)'
	sed -Ei "/${rxDeb}/{
		s%${rxDeb}(\\[[^]]+)?${ss}.*\\]%\0%;t;
		s%${rxDeb}(\\[[^]]+)(\\])%\1\4 ${ss}${krDst}\5%;t;
		s%${rxDeb}(https?://)%\1[${ss}${krDst}] \4%;t;
	}" "$sources"

	if [ -e "$krDst" ]; then
		printf 'not moving "%s": destination "%s" already exists\n' \
			"$krSrc" "$krDst"
	else
		mv "$krSrc" "$krDst"
	fi
}
dieWithUsage() { ## ([exit_value [error_message]])
	[ "$2" ] && printf %s\\n "$2" >&2
	printf '%s\n\n' "$usage"
	exit "${1:-0}"
}
reqFile() { ## (filename)
	if [ ! -f "$1" ]; then
		printf '%s filename required\n' "$2" >&2
		return 1
	fi
	readlink -f "$1"
}
reqFileMIME() { ## (filename MIME_type)
	t=$(file -b --mime-type "$1")
	if [ "$t" != "$2" ]; then
		printf 'bad MIME type of "%s": "%s", want "%s"\n' >&2 \
			"$1" "$t" "$2"
		return 2
	fi
}

main "$@"
	#!/bin/sh -e

	## This Source Code Form is subject to the terms of the Mozilla Public
	## License, v. 2.0. If a copy of the MPL was not distributed with this
	## file, You can obtain one at https://mozilla.org/MPL/2.0/.

	self=$(basename "$(readlink -f "$0")")
	krDir=/etc/apt/keyrings

	usage=$(cat) <<***
	Usage: ${self} KEYRING SOURCELIST

	Move KEYRING to ${krDir} and add as the signing keyring for SOURCELIST.

	--help display this help and exit

	The KEYRING is moved from its current location to ${krDir} and all
	repository entries in the SOURCELIST are updated to have the Signed-By option
	point to the KEYRING at its new location in ${krDir}.

	KEYRING is an OpenPGP certificate (also known as "GPG key public ring") file.
	SOURCELIST is a ONE-LINE-STYLE format .list file (see sources.list(5) manpage).

	Example:

	${self} /etc/apt/trusted.gpg.d/google-chrome.gpg \\
	/etc/apt/sources.list.d/google-chrome.list
	***

	main() {
	for arg; do
	[ "$arg" = '--help' ] && dieWithUsage 0
	done

	krSrc=$(reqFile "$1" KEYRING) \|\| dieWithUsage $? " "
	krDst=${krDir}/$(basename "$krSrc")

	sources=$(reqFile "$2" SOURCELIST) \|\| dieWithUsage $? " "
	reqFileMIME "$sources" text/plain \|\| dieWithUsage $? " "

	ss='signed-by='

	rxDeb='(^\s(#+\s)?deb(-src)?\s+)'
	sed -Ei "/${rxDeb}/{
	s%${rxDeb}(\\[[^]]+)?${ss}.*\\]%\0%;t;
	s%${rxDeb}(\\[[^]]+)(\\])%\1\4 ${ss}${krDst}\5%;t;
	s%${rxDeb}(https?://)%\1[${ss}${krDst}] \4%;t;
	}" "$sources"

	if [ -e "$krDst" ]; then
	printf 'not moving "%s": destination "%s" already exists\n' \
	"$krSrc" "$krDst"
	else
	mv "$krSrc" "$krDst"
	fi
	}
	dieWithUsage() { ## ([exit_value [error_message]])
	[ "$2" ] && printf %s\\n "$2" >&2
	printf '%s\n\n' "$usage"
	exit "${1:-0}"
	}
	reqFile() { ## (filename)
	if [ ! -f "$1" ]; then
	printf '%s filename required\n' "$2" >&2
	return 1
	fi
	readlink -f "$1"
	}
	reqFileMIME() { ## (filename MIME_type)
	t=$(file -b --mime-type "$1")
	if [ "$t" != "$2" ]; then
	printf 'bad MIME type of "%s": "%s", want "%s"\n' >&2 \
	"$1" "$t" "$2"
	return 2
	fi
	}

	main "$@"