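#!/bin/bash
#
# update-keys — rebuild the Arch Linux keyring artefacts from the key lists
# that live next to this script.
#
# Inputs (all relative to the script's directory):
#   master-keyids      one line per master key:   "<fingerprint> <name>"
#   packager-keyids    one line per packager key: "<fingerprint> <name>"
#   archlinux-revoked  not produced here (presumably maintained by hand);
#                      it is only detach-signed below
# Blank lines and lines starting with '#' in the key lists are ignored.
# <name> becomes a file name, so it must be non-empty and contain no '/'.
#
# Outputs:
#   master/<name>.asc, packager/<name>.asc   ASCII-armored public keys
#   archlinux-trusted                        "<fingerprint>:4:" per master key
#   archlinux.gpg                            all exported keys concatenated
#   archlinux.gpg.sig, archlinux-trusted.sig, archlinux-revoked.sig
#                                            detached signatures made with the
#                                            operator's own default gpg key
#
# Trust model.  All gpg work happens in a throw-away GnuPG home.  A fresh,
# passphrase-less "keychain master key" locally signs every master key, and
# every master key gets ownertrust 4 (= marginal).  A packager key is exported
# only if gpg reports it fully valid ("pub:f:"), which with gpg's default
# marginals-needed of 3 means it carries valid signatures from at least three
# master keys.  The keyserver is reached over plain hkp and is NOT trusted for
# anything: the fingerprints in the key lists are the only integrity anchor, so
# they should be full 40-hex fingerprints (gpg's --import-ownertrust accepts
# nothing shorter, and short/long key ids are cheap to collide).  An hkps://
# keyserver would additionally rule out on-path tampering and denial.
#
# Exit status: 0 on success; any failure that would leave the keyring
# incomplete or unsigned aborts with a message on stderr.

set -euo pipefail

die()  { printf 'update-keys: %s\n' "$*" >&2; exit 1; }
warn() { printf 'update-keys: %s\n' "$*" >&2; }

# Deliberately not called TMPDIR: mktemp(1) and bash's own here-document
# handling consult a variable of that name, so reusing it would silently
# redirect them into this directory.
gpg_home=$(mktemp -d) || die 'mktemp -d failed'
trap 'rm -rf -- "${gpg_home}"' EXIT

KEYSERVER='hkp://pgp.mit.edu'

# Kept as an array so every option stays a single word when expanded as
# "${GPG[@]}", whatever characters the temp dir path contains.
GPG=(gpg --quiet --batch --no-tty --no-permission-warning
     --keyserver "${KEYSERVER}" --homedir "${gpg_home}")

cd -- "$(dirname "$0")" || die 'cannot change to the script directory'

# Fetch the key with fingerprint $1 from the keyserver into the throw-away
# home.  gpg's stderr is shown only when the fetch fails, so the reason
# (network, unknown key, ...) is not lost.
fetch_key() {
  local err
  err=$("${GPG[@]}" --recv-keys "$1" 2>&1 >/dev/null) || {
    printf '%s\n' "${err}" >&2
    return 1
  }
}

# Armored export of key $1 to file $2.  gpg may report success while exporting
# nothing (unknown key), so the output file is also required to be non-empty.
export_key() {
  if ! "${GPG[@]}" --armor --output "$2" --export "$1" || [[ ! -s "$2" ]]; then
    die "nothing exported for key $1 (${2})"
  fi
}

# Validate one "<fingerprint> <name>" record ($1, $2) from a key list.
# The name is used as a path component, which is why '/' is refused; an empty
# name would produce a dotfile ("master/.asc") that the final glob never sees.
check_record() {
  [[ "$1" =~ ^[0-9A-Fa-f]+$ ]] || die "key id is not hex: '$1'"
  (( ${#1} == 40 )) || warn "not a full fingerprint (weaker identity pin): $1"
  [[ -n "$2" && "$2" != */* ]] || die "bad name for key $1: '$2'"
}

# Throw-away signing key.  %no-protection keeps GnuPG >= 2.1 from asking
# pinentry for a passphrase in --batch mode; older gpg only logs that it skips
# the unknown control line.
"${GPG[@]}" --gen-key <<'EOF' || die 'generating the keychain master key failed'
%echo Generating Arch Linux Keyring keychain master key...
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Arch Linux Keyring Keychain Master Key
Name-Email: archlinux-keyring@localhost
Expire-Date: 0
%no-protection
%commit
%echo Done
EOF

rm -rf -- master packager archlinux-trusted
mkdir -- master packager

# Master keys.  Every step is fatal on failure: continuing past a failed fetch
# would ship an archlinux-trusted entry (and an empty .asc) for a key that
# never arrived.
while read -r keyid username || [[ -n "${keyid:-}" ]]; do
  [[ -n "${keyid}" && "${keyid}" != \#* ]] || continue
  check_record "${keyid}" "${username}"
  fetch_key "${keyid}" || die "cannot fetch master key ${keyid} (${username})"
  # The two "y" lines answer the prompts --lsign-key issues (sign? / confirm),
  # fed through --command-fd 0.
  printf 'y\ny\n' \
    | "${GPG[@]}" --command-fd 0 --lsign-key "${keyid}" >/dev/null 2>&1 \
    || die "cannot locally sign master key ${keyid}"
  export_key "${keyid}" "master/${username}.asc"
  printf '%s:4:\n' "${keyid}" >> archlinux-trusted
done < master-keyids

"${GPG[@]}" --import-ownertrust < archlinux-trusted \
  || die 'importing ownertrust failed (master key ids must be full fingerprints)'

# Packager keys.  A key that cannot be fetched or does not reach full validity
# is reported and left out; the run continues so one bad entry does not hide
# the others.
while read -r keyid username || [[ -n "${keyid:-}" ]]; do
  [[ -n "${keyid}" && "${keyid}" != \#* ]] || continue
  check_record "${keyid}" "${username}"
  if ! fetch_key "${keyid}"; then
    warn "key could not be fetched: ${keyid} ${username}"
    continue
  fi
  # "clean" drops signatures the trust calculation cannot use (unverifiable,
  # superseded, revoked, or from keys not in this home), which also keeps
  # third-party signature spam out of the export; "quit" + "y" saves.  A
  # failure here only affects size, never trust, so it is just reported.
  printf 'clean\nquit\ny\n' \
    | "${GPG[@]}" --command-fd 0 --edit-key "${keyid}" \
    || warn "could not clean key ${keyid}"
  # Capture the listing first: with pipefail, grep -q closing the pipe early
  # could make gpg exit non-zero and turn a valid key into a rejection.
  listing=$("${GPG[@]}" --list-keys --with-colons "${keyid}" 2>/dev/null) || listing=''
  if grep -q '^pub:f:' <<<"${listing}"; then
    export_key "${keyid}" "packager/${username}.asc"
  else
    warn "key is not fully trusted: ${keyid} ${username}"
  fi
done < packager-keyids

# One keyring with everything that passed.  cat (and so the run) fails if a
# glob matched nothing, i.e. no key of that class was exported.
cat master/*.asc packager/*.asc > archlinux.gpg \
  || die 'no keys to bundle into archlinux.gpg'

# Detach-sign the published files with the operator's own gpg — deliberately
# the default home and key, not the throw-away home used above.
for s in archlinux{.gpg,-trusted,-revoked}; do
  [[ -f "${s}" ]] || die "cannot sign ${s}: no such file"
  rm -f -- "${s}.sig"
  gpg --detach-sign --use-agent "${s}" || die "signing ${s} failed"
done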