#!/bin/bash
SHOULD_RUN_ON=kaufmann.debian.org

if [ -z "$RUNANYWAY" -a $(hostname -f) != "$SHOULD_RUN_ON" ] ; then
    echo This script is meant to be run in $SHOULD_RUN_ON
    echo You can still run it if you are sure by setting
    echo \$RUNANYWAY to a nonempty value.
    exit 1
fi

SRCKEYRINGDIR=/srv/keyring.debian.org/master-keyring/output
OUTPUTDIR=/srv/keyring.debian.org/pub
HKPDIR=/srv/keyring.debian.org/keyrings-new
PENDINGDIR=/srv/keyring.debian.org/pending-updates

if ! gpg --batch --quiet --verify ${SRCKEYRINGDIR}/sha512sums.txt 2> /dev/null; \
		then
	echo sha512sums for update is not signed.
	exit 1
fi

cd ${SRCKEYRINGDIR}
if ! sha512sum -c sha512sums.txt; then
	echo sha512sums for update does not match files.
	exit 1
fi

if [ -e ${PENDINGDIR}/debian-keyring.pgp -o \
		-e ${PENDINGDIR}/debian-keyring.gpg -o \
		-e ${PENDINGDIR}/debian-maintainers.gpg ]; then
	echo Unhandled pending updates.
	exit 1
fi

cp ${HKPDIR}/debian-keyring.pgp ${PENDINGDIR}
cp ${HKPDIR}/debian-keyring.gpg ${PENDINGDIR}
cp ${HKPDIR}/debian-maintainers.gpg ${PENDINGDIR}

echo Updating active keyrings.
cp -r ${SRCKEYRINGDIR}/* ${OUTPUTDIR}/
echo Updating HKP keyrings.
cp -r ${SRCKEYRINGDIR}/keyrings/debian-keyring.{gpg,pgp} \
	${SRCKEYRINGDIR}/keyrings/debian-maintainers.gpg \
	${HKPDIR}/
