source.mk: Verify downloaded source archive

2 files changed, 26 insertions, 3 deletions

diff --git a/control b/control
index 01373e1..201fa74 100644
--- a/control
+++ b/control
@@ -1,3 +1,3 @@
 Maintainer: "P. J. McDermott" <pj@pehjota.net>
-Build-Depends: opkbuild (>= 4.0.0), opkhelper-3.0
+Build-Depends: gpg, dirmngr, opkbuild (>= 4.0.0), opkhelper-3.0
 Homepage: http://anonscm.debian.org/gitweb/?p=users/clint/fakeroot.git;a=summary
diff --git a/source.mk b/source.mk
index ea7d0b2..e0cc16c 100644
--- a/source.mk
+++ b/source.mk
@@ -1,10 +1,33 @@
+upstream_debrev = 1
+
 upstream_archive = fakeroot_$(OPK_SOURCE_VERSION_UPSTREAM).orig.tar.xz
+upstream_dsc = fakeroot_$(OPK_SOURCE_VERSION_UPSTREAM)-$(upstream_debrev).dsc
 upstream_mirror = http://ftp.debian.org/debian
-upstream_url = $(upstream_mirror)/pool/main/f/fakeroot/$(upstream_archive)
+upstream_tar_url = $(upstream_mirror)/pool/main/f/fakeroot/$(upstream_archive)
+upstream_dsc_url = $(upstream_mirror)/pool/main/f/fakeroot/$(upstream_dsc)
 source_archive = ../fakeroot-$(OPK_SOURCE_VERSION_UPSTREAM).orig.tar.xz
 
+gpg = GNUPGHOME=gnupghome/ gpg --no-default-keyring --keyring ../keyring.gpg
+keys = \
+	'7581 EC87 4053 E6C8 0779  1B9B 5592 331E 199D 38A8'
+sha256sum_re = \
+	................................................................
+
 $(source_archive):
-	wget -c '$(upstream_url)'
+	wget -c '$(upstream_dsc_url)' '$(upstream_tar_url)'
+	install -m 0700 -d gnupghome/
+	[ -e ../keyring.gpg ] || \
+		$(gpg) --keyserver hkp://pool.sks-keyservers.net \
+			--recv-keys $(keys); \
+	rm -f ../keyring.gpg~; \
+	if ! $(gpg) --verify '$(upstream_dsc)'; then \
+		rm -Rf gnupghome/; \
+		exit 1; \
+	fi
+	rm -Rf gnupghome/
+	sed -n 's/^ \($(sha256sum_re)\) .* \($(upstream_archive)\)$$/\1  \2/p' \
+		'$(upstream_dsc)' >sha256sums
+	sha256sum -c sha256sums
 	mv '$(upstream_archive)' '$(source_archive)'
 
 source: $(source_archive)