From 0dd813c3bc50c3fd76e5a0e23ae5e76a1f3a24c3 Mon Sep 17 00:00:00 2001
From: Julian Ospald
Date: Sat, 26 Aug 2023 14:03:29 +0800
Subject: [PATCH] Test keys
---
 .github/workflows/bindists.yaml | 14 ++++++++++++++
 .github/workflows/install-bindist.sh | 4 ++--
 .github/workflows/test-sigs.sh | 22 ++++++++++++++++++++++
 3 files changed, 38 insertions(+), 2 deletions(-)
 create mode 100755 .github/workflows/test-sigs.sh
diff --git a/.github/workflows/bindists.yaml b/.github/workflows/bindists.yaml
index ba6d3d2..b72eaf3 100644
--- a/.github/workflows/bindists.yaml
+++ b/.github/workflows/bindists.yaml
@@ -142,3 +142,17 @@ jobs:
 name: Run build (aarch64 linux)
 with:
 args: sh -c '.github/workflows/install-bindist.sh'
+
+ signature-test:
+ name: Test signatures
+ runs-on: ubuntu-latest
+ steps:
+ - name: Install requirements
+ shell: sh
+ run: |
+ sudo apt-get update && sudo apt-get install -y curl bash git gnupg
+
+ - uses: actions/checkout@v3
+
+ - name: Test signatures
+ run: .github/workflows/test-sigs.sh
diff --git a/.github/workflows/install-bindist.sh b/.github/workflows/install-bindist.sh
index 1d1fd6f..515b530 100755
--- a/.github/workflows/install-bindist.sh
+++ b/.github/workflows/install-bindist.sh
@@ -14,14 +14,14 @@ ghcup --version
 which ghcup | grep foobarbaz
 ghcup_fun() {
- ghcup -v --url-source=file:$METADATA_FILE "$@"
+ ghcup -v --url-source="file:$METADATA_FILE" "$@"
 }
 case $TOOL in ghcup) ghcup_fun upgrade --force ;;
- *) ghcup_fun install $TOOL --set $VERSION
+ *) ghcup_fun install "$TOOL" --set "$VERSION" ;; esac
diff --git a/.github/workflows/test-sigs.sh b/.github/workflows/test-sigs.sh
new file mode 100755
index 0000000..8e0a1bc
--- /dev/null
+++ b/.github/workflows/test-sigs.sh
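Review bot: The new `signature-test` job checks out the repository with `actions/checkout@v3`, a mutable tag, so the job that is supposed to establish trust in the metadata signatures itself runs whatever code that tag points to at run time. For a verification job it is worth pinning the action to a full commit SHA and keeping the version as a comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v3`, and letting a bot bump the SHA. The script step `run: .github/workflows/test-sigs.sh` also inherits whatever `METADATA_FILE` the checked-out `common.sh` sets; I could not see that file here, so it is worth a one-line comment on the step naming which file is being verified.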
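Review bot: The two rewritten lines quote `$TOOL` and `$VERSION`, but nothing in the hunk asserts they are set, so an empty `TOOL` now silently reaches the default arm as `ghcup_fun install "" --set ""` instead of failing early; a guard above the `case`, `: "${TOOL:?TOOL must be set}"`, makes that failure explicit (`VERSION` may legitimately be unset for the `ghcup` arm, so only `TOOL` belongs in it). For consistency with the new quoting style the unchanged selector could also become `case "$TOOL" in`, though the selector is not word-split either way. The surrounding script starts before this hunk, so I cannot see whether `set -u` or an earlier check already covers this.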
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -x
+set -eo pipefail
+
+. .github/workflows/common.sh
+
+get_key() {
+ local key=$1
+ local server=$2
+ gpg --batch --keyserver "${server}" --recv-keys "${key}"
+ echo -e "${key}:6:" | gpg --import-ownertrust
+}
+
+# verify signature
+keys=( 7D1E8AFD1D4A16D71FADA2F2CCC85C0E40C06A8C )
+for key in "${keys[@]}" ; do
+ get_key "${key}" keys.openpgp.org || get_key "${key}" keyserver.ubuntu.com
+done
+unset key
+gpg --verify "${METADATA_FILE}.sig"
+
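Review bot: `gpg --verify "${METADATA_FILE}.sig"` passes only the signature, so gpg picks the signed file by stripping `.sig`, and if that file ever turned out to be an inline rather than a detached signature gpg would verify its embedded content instead of the metadata file; naming the data file removes the ambiguity, `gpg --verify "${METADATA_FILE}.sig" "${METADATA_FILE}"`. The exit status is also 0 for a good signature from any key in the runner's keyring, not specifically the fingerprint listed in `keys`; on a fresh runner that keyring presumably holds only the fetched key, but if the intent is to pin to it, the `VALIDSIG` line from `--status-fd 1` should be matched against that fingerprint. Finally `echo -e "${key}:6:"` interprets no escapes here and is non-portable, so `printf '%s\n' "${key}:6:" | gpg --import-ownertrust` is the cleaner form, and with `set -e` but no `-u` an unset `METADATA_FILE` only fails indirectly when gpg cannot open `.sig`, so `: "${METADATA_FILE:?}"` after sourcing `common.sh` would make that failure readable.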