@shankerwangmiao
Last active April 15, 2017 15:21
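#!/bin/bash
# Verify that the HEAD commit carries a valid GPG signature made by a fully
# trusted key in the dedicated keyring at $gpghome. Exits 1 on failure.
keyserver=${KEYSERVER:-"hkp://sks.ustclug.org"}
gpghome=/home/mirrors-web-trustdb

if [ -d .git/ ]; then
    # Signed payload: the raw commit object with the gpgsig header removed.
    commit=$(git cat-file commit HEAD | sed '/^gpgsig/,/-----END PGP SIGNATURE-----$/d')
    # Detached signature: the gpgsig header block, minus the "gpgsig" key and
    # the one-space continuation indent git puts on each header line.
    sig=$(git cat-file commit HEAD | sed -n '/^gpgsig/,/-----END PGP SIGNATURE-----$/p' | sed 's/^gpgsig//; s/^ //')

    if [ -e "$gpghome/trustdb.gpg" ]; then
        # Pick up revocations and expiry changes first. The exit status is
        # not checked, so a failed refresh does not abort the script.
        gpg --homedir="$gpghome" --keyserver="$keyserver" --refresh-keys

        # The signature is read from the process substitution, the payload
        # from stdin ("-"). printf is used instead of echo so the data is
        # passed through unchanged. Machine-readable status goes to stdout.
        gpg_out=$(printf '%s\n' "$commit" | gpg --homedir="$gpghome" --verify --status-fd 1 --trust-model direct <(printf '%s\n' "$sig") -)
        gpg_status=$?
        echo "$gpg_out"

        # An unsigned commit (empty $sig) or a bad signature ends up here.
        if [ "$gpg_status" -ne 0 ]; then
            echo "gpg --verify exited with code $gpg_status"
            exit 1
        fi

        # Require a cryptographically valid signature AND full trust in the
        # signing key; a valid signature from any other key is rejected.
        if echo "$gpg_out" | grep -qs "^\[GNUPG:\] VALIDSIG" &&
           echo "$gpg_out" | grep -qs "^\[GNUPG:\] TRUST_FULLY\$"; then
            echo "Sig check succeed"
        else
            echo "Sig check failed"
            exit 1
        fi
    else
        # No keyring on this host: the check is skipped and the exit code is 0.
        echo "No trustdb found, skipping sig check"
    fi
else
    # Not run from the top of a git work tree: skipped, exit code 0.
    echo "No git repo found, skipping sig check"
fi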