From 10a42484daf468efcb6ab850c9522c03c6aff6ad Mon Sep 17 00:00:00 2001
From: Tim Cuthbertson
Date: Fri, 26 Apr 2013 20:46:20 +1000
Subject: [PATCH] 0install: check gpg signature when publishing new version

---
 packager/0install/update | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/packager/0install/update b/packager/0install/update
index d4ee3ec9..5cfc1031 100755
--- a/packager/0install/update
+++ b/packager/0install/update
@@ -6,12 +6,27 @@ if [ -z "${version}" ]; then
 echo "usage: update "
 exit 1
 fi
-set -ex
-url="http://ftp.gnu.org/gnu/parallel/parallel-${version}.tar.bz2"
+set -eux
+url="http://ftpmirror.gnu.org/parallel/parallel-${version}.tar.bz2"
 file="/tmp/parallel-${version}.tgz"
 wget "$url" -O "${file}"
+wget "$url.sig" -O "${file}.sig"
+
+ # verify published signature comes from expected GPG key
+gpg -n --verify "${file}.sig" "${file}" 2>&1 | tee "${file}.gpglog"
+set +x
+KEYID="$(grep '^Primary key fingerprint:' "${file}.gpglog" | tr -d ' ' | cut -f 2 -d : )"
+fingerprint="BE9CB49381DE3166A3BC66C12C6229E2FFFFFFF1"
+if [ "$KEYID" != "$fingerprint" ]; then
+ echo "Signature verification FAILED:"
+ cat "${file}.gpglog"
+ exit 1
+fi
+
+ set -x
+
 ( cd "$(dirname "$0")" && \
- 0publish \
+ 0install run http://0install.net/2006/interfaces/0publish \
 --add-version ${version} \
 --archive-url="${url}" \
 --archive-file="${file}" \
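Review bot: The new check decides the outcome by parsing gpg's human-readable output while gpg's own exit status is thrown away, because the added `gpg ... 2>&1 | tee "${file}.gpglog"` pipeline runs under `set -e` without `pipefail`, so only tee's status counts. Whether a `Primary key fingerprint:` line is printed at all depends on the locale and, as far as I can tell, on the key's trust state, so the check stays fail-closed but would also reject a good signature from a fully trusted key, and the `-n` (`--dry-run`) flag on the gpg call looks unintended. Using `--status-fd` and requiring a `VALIDSIG` record whose last field is the expected primary-key fingerprint is locale-independent, keeps gpg's exit status, and still accepts signatures made by a subkey of that key; the `set +x`/`set -x` toggling around the block is then no longer needed. The `( cd "$(dirname "$0")" && \` command at the end of the hunk continues outside the hunk.
```shell
# … unchanged: wget of the archive and its .sig …
# verify published signature comes from expected GPG key
fingerprint="BE9CB49381DE3166A3BC66C12C6229E2FFFFFFF1"
# --status-fd output is machine-readable and locale-independent; the last field of a
# VALIDSIG record is the primary key's fingerprint even when a subkey made the signature
if ! gpg --status-fd 1 --verify "${file}.sig" "${file}" >"${file}.gpglog" 2>&1 \
   || ! grep -q "^\[GNUPG:\] VALIDSIG .* ${fingerprint}$" "${file}.gpglog"; then
  echo "Signature verification FAILED:"
  cat "${file}.gpglog"
  exit 1
fi
# … unchanged: 0install run of 0publish …
```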