1 files changed, 75 insertions, 0 deletions

diff --git a/src/export-pkgbuild-keys.in b/src/export-pkgbuild-keys.in
new file mode 100644
index 0000000..8697b3d
--- /dev/null
+++ b/src/export-pkgbuild-keys.in
@@ -0,0 +1,75 @@
+#!/bin/bash
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+m4_include(lib/common.sh)
+
+usage() {
+	cat <<- _EOF_
+		Usage: ${BASH_SOURCE[0]##*/}
+
+		Export the PGP keys from a PKGBUILDs validpgpkeys array into the keys/pgp/
+		subdirectory. Useful for distributing packager validated source signing
+		keys alongside PKGBUILDs.
+
+		OPTIONS
+		    -h, --help      Show this help text
+_EOF_
+}
+
+# option checking
+while (( $# )); do
+	case $1 in
+		-h|--help)
+			usage
+			exit 0
+			;;
+		*)
+			die "invalid argument: %s" "$1"
+			;;
+	esac
+done
+
+if [[ ! -f PKGBUILD ]]; then
+	die "This must be run a directory containing a PKGBUILD."
+fi
+
+mapfile -t validpgpkeys < <(
+	# shellcheck source=PKGBUILD.proto
+	. ./PKGBUILD
+	if (( ${#validpgpkeys[@]} )); then
+		printf "%s\n" "${validpgpkeys[@]}"
+	fi
+)
+
+msg "Exporting ${#validpgpkeys[@]} PGP keys..."
+if (( ${#validpgpkeys[@]} == 0 )); then
+	exit 0
+fi
+
+trap 'rm -rf $TEMPDIR' EXIT INT TERM QUIT
+TEMPDIR=$(mktemp -d --tmpdir export-pkgbuild-keys.XXXXXXXXXX)
+
+mkdir -p keys/pgp
+error=0
+
+for key in "${validpgpkeys[@]}"; do
+	gpg --output "$TEMPDIR/$key.asc" --armor --export --export-options export-minimal "$key" 2>/dev/null
+
+	# gpg does not give a non-zero return value if it fails to export...
+	if [[ -f $TEMPDIR/$key.asc ]]; then
+		msg2 "Exported $key"
+		mv "$TEMPDIR/$key.asc" "keys/pgp/$key.asc"
+	else
+		if [[ -f keys/pgp/$key.asc ]]; then
+			warning "Failed to update key: $key"
+		else
+			error "Key unavailable: $key"
+			error=1
+		fi
+	fi
+done
+
+if (( error )); then
+	die "Failed to export all \'validpgpkeys\' entries."
+fi