# Epoch-seconds threshold used by check-expiry: keys expiring before "now plus
# nine months" fail the build. Evaluated once at parse time; the relative
# -d'9 months' form is GNU date syntax.
EXPIRY_CHECK := $(shell date -d'9 months' +%s)

# Keyserver queried by the refresh target (hkps, i.e. HKP over TLS).
KEYSERVER := hkps://keyring.devuan.org

# Options that keep gpg away from the invoking user's own state: a private
# home directory under ./keyrings, no options file, no default keyring and no
# automatic trustdb check.
GPG_OPTIONS := --homedir ./keyrings/gnupg --no-options --no-default-keyring --no-auto-check-trustdb

# Source key files, one list per output keyring. $(wildcard) yields an empty
# list when a directory has no *.pgp files.
INDIVIDUAL_KEYS := $(wildcard public_keys/individual/*.pgp)
ARCHIVE_KEYS := $(wildcard public_keys/archive/*.pgp)
REMOVED_KEYS := $(wildcard public_keys/removed/*.pgp)

# Default goal: the three binary keyrings plus an ASCII-armored copy of every
# archive key found under public_keys/archive.
all: \
    keyrings/devuan-archive-keyring.pgp \
    keyrings/devuan-keyring.pgp \
    keyrings/devuan-removed-keys.pgp \
    $(ARCHIVE_KEYS:%.pgp=%.asc)

# Remove a target whose recipe failed, so a keyring that did not pass its
# checks is not left on disk looking up to date.
.DELETE_ON_ERROR:

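# Export a binary key file as ASCII armor.
#
# The export runs with $(GPG_OPTIONS) so that it uses the private home
# directory and skips the invoking user's gpg.conf, like the refresh target.
# Without that isolation the result depends on the builder's own GnuPG setup.
# NOTE(review): GnuPG installations that enable keyboxd in the user's home are
# documented to ignore --keyring, which would export the wrong key set;
# confirm against the GnuPG versions used to build.
#
# The keyring path must contain a slash, otherwise gpg resolves it relative to
# its home directory; every current input lives under public_keys/.
%.asc : %.pgp | keyrings/gnupg
	gpg $(GPG_OPTIONS) --keyring $< --armor --export > $@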

# Private GnuPG home used through $(GPG_OPTIONS). Created with mode 0700, the
# owner-only permissions gpg expects on a home directory.
keyrings/gnupg:
	install -d -m 0700 $@

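# Recipe fragment: concatenate all prerequisite key files and write them to
# the target as one keyring. --no-keyring together with the import-export
# import option makes gpg emit the processed keys on stdout instead of storing
# them anywhere.
#
# $(GPG_OPTIONS) keeps the invoking user's gpg.conf and home directory out of
# the build; every rule using this fragment already depends (order-only) on
# keyrings/gnupg, so the private home exists.
#
# NOTE(review): the pipeline's exit status is gpg's, so a failing `cat` (for
# example an unreadable key file) does not fail the recipe by itself.
define import-keys =
	cat $^ | gpg $(GPG_OPTIONS) --no-keyring --import-options import-export --import > $@
endef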

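# Recipe fragment: fail the build when any primary key or subkey in the
# freshly built keyring ($@) expires before $(EXPIRY_CHECK).
#
# Field 7 of a colon-format pub/sub record is the expiry time and field 5 the
# key ID; an empty field 7 means no expiry and is accepted.
#
# The check fails closed: an empty threshold (the parse-time `date` call
# failed) or an empty key listing (gpg failed or printed no pub/sub records)
# stops the build. Otherwise the loop would run zero times, or the comparison
# would error out, and the keyring would pass unchecked.
define check-expiry =
	threshold='$(EXPIRY_CHECK)' ; \
	if [ -z "$${threshold}" ] ; then \
		echo "ERROR: EXPIRY_CHECK is empty; expiry check cannot run for $@" >&2 ; \
		exit 1 ; \
	fi ; \
	records=$$(gpg $(GPG_OPTIONS) --no-keyring --with-colons --fixed-list-mode --show-keys $@ | grep -e '^pub' -e '^sub') ; \
	if [ -z "$${records}" ] ; then \
		echo "ERROR: no key records listed for $@; expiry check did not run" >&2 ; \
		exit 1 ; \
	fi ; \
	for k in $${records}; do \
		expiry=$$(echo $$k | cut -d: -f7) ; \
		if [ -n "$${expiry}" ] && [ "$${expiry}" -lt "$${threshold}" ] ; then \
			echo ERROR: $$(echo $$k | cut -d: -f5) expires too soon: $$(date -d@$${expiry}) ; \
			exit 1 ; \
		fi ; \
	done
endef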

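# Keyring of individual keys: import every key file, enforce the expiry
# policy, then publish a .gpg alias next to the .pgp file.
#
# ln -sf replaces an existing alias. With plain `ln -s` a rebuild triggered by
# a changed key file failed on the leftover symlink, and .DELETE_ON_ERROR then
# removed the freshly built keyring.
keyrings/devuan-keyring.pgp: $(INDIVIDUAL_KEYS) | keyrings/gnupg
	$(import-keys)
	$(check-expiry)
	ln -sf $(notdir $@) $(patsubst %.pgp,%.gpg,$@)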

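# Keyring of archive signing keys: import every key file, enforce the expiry
# policy, then publish a .gpg alias next to the .pgp file.
#
# ln -sf replaces an existing alias. With plain `ln -s` a rebuild triggered by
# a changed key file failed on the leftover symlink, and .DELETE_ON_ERROR then
# removed the freshly built keyring.
keyrings/devuan-archive-keyring.pgp: $(ARCHIVE_KEYS) | keyrings/gnupg
	$(import-keys)
	$(check-expiry)
	ln -sf $(notdir $@) $(patsubst %.pgp,%.gpg,$@)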

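# Keyring of removed keys. No expiry check is applied to this keyring.
#
# ln -sf replaces an existing alias. With plain `ln -s` a rebuild triggered by
# a changed key file failed on the leftover symlink, and .DELETE_ON_ERROR then
# removed the freshly built keyring.
keyrings/devuan-removed-keys.pgp: $(REMOVED_KEYS) | keyrings/gnupg
	$(import-keys)
	ln -sf $(notdir $@) $(patsubst %.pgp,%.gpg,$@)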

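# Refresh every individual and archive key file in place from $(KEYSERVER).
# Each file is opened as its own keyring; the ./ prefix gives the path a slash
# so gpg does not resolve it relative to its home directory.
#
# no-self-sigs-only turns off the self-signatures-only import filter, so
# signatures made by other keys are accepted from the server as well.
#
# This rewrites the tracked key files that the keyrings are built from, so
# review the resulting changes before committing them.
#
# All keys are attempted, but the target now exits non-zero if any refresh
# failed. Previously only the last gpg call decided the exit status and
# earlier failures went unnoticed.
refresh: | keyrings/gnupg
	rc=0 ; \
	for k in $(INDIVIDUAL_KEYS) $(ARCHIVE_KEYS); do \
		gpg $(GPG_OPTIONS) --keyserver $(KEYSERVER) --keyserver-options no-self-sigs-only --refresh-keys --keyring ./$$k || { \
			echo "ERROR: refresh failed for $$k" >&2 ; \
			rc=1 ; \
		} ; \
	done ; \
	exit $$rc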

# Remove everything the build generates: the armored archive keys and the
# whole keyrings directory, which also holds the private GnuPG home.
clean:
	rm -rf public_keys/archive/*.asc keyrings

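# Targets that name actions rather than files. `all` is listed too, so a stray
# file called "all" cannot make the default goal look up to date.
.PHONY: all clean refresh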
