
@hilbix
Created March 24, 2019 19:07
Safely update apt's yarn GPG key
#!/bin/bash
# Print all arguments on one line, each quoted with printf %q and separated by
# single spaces. Quoting keeps logged commands unambiguous: whitespace or
# control characters inside an argument cannot fake extra words or lines.
# The exit status seen on entry is handed back unchanged, so logging a
# message never clobbers the caller's $?.
STDOUT()
{
  local rc=$?   # must stay the first command, otherwise $? is already overwritten
  local arg

  # With no arguments at all this still prints '' (the quoted empty string).
  printf '%q' "$1"
  for arg in "${@:2}"; do
    printf ' %q' "$arg"
  done
  printf '\n'
  return $rc
}
# Same output as STDOUT, but written to stderr.
STDERR()
{
  STDOUT "$@" 1>&2
}
# Fatal error: log the arguments on stderr, prefixed with "OOPS:", and exit
# with status 23.
# Inside $( ... ) or ( ... ) the exit only ends that subshell, so a caller
# running there has to check the resulting status itself.
OOPS()
{
  STDERR OOPS: "$@"
  exit 23
}
# Run the arguments as a command, exactly as given (no eval, no re-splitting),
# and return its exit status.
x()
{
  "$@"
}
# Run a command that must succeed. On a non-zero status the script aborts via
# OOPS, logging the status and the full (quoted) command line.
o()
{
  x "$@" && return
  # $? still holds the failed command's status at this point.
  OOPS fail $?: "$@"
}
# Pinned trust anchor: the full fingerprint that both the installed keyring and
# the freshly downloaded key file must show. Everything below is compared
# against this value, so confirm it out of band before relying on the script.
ID='72ECF46A56B4AD39C907BBB71646B01B86E50310'
# Keyring file that is checked before the update and refilled afterwards.
RING='/etc/apt/trusted.gpg.d/yarnpkg.gpg'
# Download location of the current public key. The transport alone is not
# treated as proof of authenticity; the fingerprint comparison is.
URL='https://dl.yarnpkg.com/debian/pubkey.gpg'
# Name of the downloaded key file inside the temporary working directory.
FILE='yarnpkg.gpg.pub'
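# Safety precautions.
# If GPG prints something to stderr, this must be fatal
#
# Runs the given command through o with its stdout passed through untouched
# (via fd 3) and its stderr captured.
#   - Command fails:  the captured stderr (the command's own diagnostics plus
#     the OOPS line written by o inside the subshell) is replayed on the real
#     stderr and the failing status is returned. Previously this text was
#     dropped, leaving only a bare status to diagnose a failed key check.
#   - Command succeeds but wrote to stderr:  fatal via OOPS, so a warning from
#     gpg can never be silently ignored.
#   - Command succeeds silently:  returns 0.
# Note: when called inside $( ... ), OOPS only ends that subshell; the caller
# must check the status (fingerprint does).
FailOnStderr()
{
local v rc
{ v="$(o "$@" 2>&1 1>&3)"; } 3>&1
rc=$?
if [ 0 -ne "$rc" ]; then
  # Do not lose the diagnostics of the failed command.
  [ -z "$v" ] || printf '%s\n' "$v" >&2
  return "$rc"
fi
[ -z "$v" ] || OOPS "$@": stderr "$v";
}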
# fingerprint VARNAME command [args...]
# Runs the command through FailOnStderr and stores in the caller's variable
# VARNAME every output line that starts with whitespace, with that leading
# whitespace removed. Succeeds only if the result is non-empty.
# The callers compare the whole result against a single fingerprint, so any
# additional indented line (for example from a second key) causes a mismatch
# and therefore a failure.
# NOTE(review): this parses gpg's human-readable listing; gpg's --with-colons
# output is the format intended for scripts - confirm before changing.
fingerprint()
{
local -n v="$1";
shift
# Each step overwrites the caller's variable; stop at the first failure and
# hand back that step's status.
v="$(FailOnStderr "$@")" || return
v="$(sed -n 's/^[[:space:]][[:space:]]*//p' <<<"$v")" || return
[ -n "$v" ]
}
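# Work in a private, unpredictable scratch directory.
TMP="$(mktemp -d)" || OOPS mktemp
# Clean up on every exit path; without this each OOPS abort below left the
# scratch directory (and the downloaded key) behind.
trap 'rm -rf -- "$TMP"' EXIT
o cd "$TMP";

# 1. The keyring currently in use must show exactly the pinned fingerprint.
o fingerprint orig gpg -q --keyring "$RING" --list-keys
[ ".$ID" = ".$orig" ] || OOPS "$RING:" fingerprint expected "$ID" but got "$orig"

# 2. Fetch the candidate key. --fail makes curl exit non-zero on an HTTP error
#    instead of saving the server's error page as the key file.
o curl --fail -o "$FILE" "$URL"

# 3. Inspect the download without importing it anywhere (--no-keyring,
#    --dry-run) and require the same fingerprint as the installed key.
# This is not what 'gpg "$FILE"' does.
# I was unable to find out the proper command for this.
o fingerprint new gpg -q --no-keyring --import --dry-run --import-options import-show "$FILE"
[ ".$orig" = ".$new" ] || OOPS "$FILE:" masterkey mismatch: "orig=$orig" "new=$new"

# 4. Only after both checks passed: replace the key and record the change.
#    The old key is deleted before the new one is added, so a failing "add"
#    leaves no key installed (fails closed) and is reported by o.
# NOTE(review): apt-key is deprecated in newer apt releases - confirm it is
# still available on the target system.
o apt-key del "$orig"
o apt-key --keyring "$RING" add "$FILE"
o etckeeper commit "updated key from $URL
verified master fingerprint $ID unchanged"

# Leave the scratch directory before removing it, then disarm the trap.
o cd
o rm -rf -- "$TMP"
trap - EXIT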

hilbix commented Mar 24, 2019

Automated solution to yarnpkg/yarn#4453 "GPG error: https://dl.yarnpkg.com/debian stable InRelease NO_PUBKEY E074D16EB6FF4DE3"
