#!/usr/bin/perl 

=head1 NAME

tails-iuk-check-upgrade-description-file - check correctness of upgrade-description files

=cut

use strict;
use warnings;
use 5.10.1;

use FindBin;
use lib "$FindBin::Bin/../lib";

use Carp;
use Carp::Assert;
use Carp::Assert::More;
use Data::Dumper::Concise;
use File::Temp qw{tempdir};
use IPC::Run qw{run};
use IPC::Run::SafeHandles;
use Path::Class qw{file};
use Tails::IUK::UpgradeDescriptionFile;
use Tails::IUK::Utils;

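# Every command-line argument is an upgrade-description file to check.
my @input_filenames = @ARGV;
assert_nonempty(\@input_filenames);

# The key ID (or fingerprint) the signatures must have been made with.
assert_exists(
    \%ENV, 'TAILS_SIGNATURE_KEY', q{TAILS_SIGNATURE_KEY is in the environment}
);
assert_nonblank(
    $ENV{TAILS_SIGNATURE_KEY}, q{TAILS_SIGNATURE_KEY variable is not empty}
);

# Signatures are verified against a throw-away GnuPG homedir that holds only
# the key named by TAILS_SIGNATURE_KEY, so that no other key from the user's
# default keyring can satisfy verify_signature(). CLEANUP removes the
# directory (and the keyring copy in it) when the script exits.
my $trusted_gnupg_homedir = tempdir(CLEANUP => 1);

# Export the key from the default keyring into memory first, so that an empty
# export (unknown key ID) is caught here rather than surfacing later as every
# signature being reported invalid. Both gpg calls use list form: no shell is
# involved, so the environment value is passed as a single argument.
# NOTE(review): gpg's exit status for "nothing exported" varies between
# versions, hence the explicit non-blank check on the exported material.
my $exported_key = '';
run [qw{gpg --batch --quiet --export}, $ENV{TAILS_SIGNATURE_KEY}],
    \undef, \$exported_key
    or croak "Exporting key '$ENV{TAILS_SIGNATURE_KEY}' failed";
assert_nonblank(
    $exported_key,
    qq{Key '$ENV{TAILS_SIGNATURE_KEY}' was found in the default keyring}
);
run [qw{gpg --batch --quiet --homedir}, $trusted_gnupg_homedir, '--import'],
    \$exported_key
    or croak "Importing key '$ENV{TAILS_SIGNATURE_KEY}' into "
           . "'$trusted_gnupg_homedir' failed";

# Names of the detached signature files that did not verify.
my @failed;
for my $input_filename (@input_filenames) {
    say STDERR "Checking '$input_filename'...";

    # Parsing the file is the well-formedness check: the constructor is
    # expected to die on a malformed description, which aborts the script.
    my $upgrade_description = Tails::IUK::UpgradeDescriptionFile->new_from_file(
        $input_filename
    );
    assert_isa($upgrade_description, 'Tails::IUK::UpgradeDescriptionFile');

    # The detached signature lives next to the description, with a .pgp suffix.
    my $signature_file = file($input_filename . '.pgp');
    assert(-e $signature_file, "Signature for '$input_filename' exists.");
    my $description_txt = file($input_filename)->slurp;
    my $signature_txt   = $signature_file->slurp;
    # verify_signature() comes from Tails::IUK::Utils; only a signature made
    # by the key in the trusted homedir is accepted.
    if (! verify_signature($description_txt, $signature_txt, $trusted_gnupg_homedir)) {
        push @failed, "$signature_file";
    }
}

# Report every bad signature at once rather than stopping at the first one.
if (@failed) {
    croak "\nThe following signatures were invalid!:\n"
          . Dumper(@failed) . "\nFAIL!";
}
else {
    say STDERR "All input files are well-formed upgrade-description files.";
}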
