#!/bin/sh

verify_rpm() {
RPM=$1

if ! [ -f $RPM ]; then
    echo -n "No such file... "
    return
fi

if ! rpm --checksig $RPM > /dev/null; then
    echo "Wrong PGP signature on $RPM!"
    exit 1
fi

# Even if rpm returns success (ret = 0) that doesn't
# mean that the rpm has been signed! It might simply
# have no PGP signature at all. Yes, stupidity...

if ! rpm --checksig $RPM | grep ' pgp ' > /dev/null ; then
    if [ "$NO_SIGN" == "1" ] ; then
        # When signing is disabed in qubes-builder
        # This is used to build unsigned ISO
        # This should only be used for testing builds
        return 0
    fi

    echo "No PGP signature found!"

    exit 2
fi
}


if [ $# -lt 1 ]; then
    echo "Usage: $0 <rpm file>"
    exit 1
fi

if [ -w /var/lib/rpm ]; then
    # Make sure that the right Qubes release key is imported (in chroot)
    rpm --import `dirname $0`/qubes-release/RPM-GPG-KEY-qubes-*-primary
fi

for FILE in "$@"; do
        verify_rpm $FILE || exit 1
done