source.mk: Verify downloaded source archive

1 files changed, 25 insertions, 2 deletions

diff --git a/source.mk b/source.mk
index ea7d0b2..e0cc16c 100644
--- a/source.mk
+++ b/source.mk
@@ -1,10 +1,33 @@
+upstream_debrev = 1
+
 upstream_archive = fakeroot_$(OPK_SOURCE_VERSION_UPSTREAM).orig.tar.xz
+upstream_dsc = fakeroot_$(OPK_SOURCE_VERSION_UPSTREAM)-$(upstream_debrev).dsc
 upstream_mirror = http://ftp.debian.org/debian
-upstream_url = $(upstream_mirror)/pool/main/f/fakeroot/$(upstream_archive)
+upstream_tar_url = $(upstream_mirror)/pool/main/f/fakeroot/$(upstream_archive)
+upstream_dsc_url = $(upstream_mirror)/pool/main/f/fakeroot/$(upstream_dsc)
 source_archive = ../fakeroot-$(OPK_SOURCE_VERSION_UPSTREAM).orig.tar.xz
 
+gpg = GNUPGHOME=gnupghome/ gpg --no-default-keyring --keyring ../keyring.gpg
+keys = \
+	'7581 EC87 4053 E6C8 0779  1B9B 5592 331E 199D 38A8'
+sha256sum_re = \
+	................................................................
+
 $(source_archive):
-	wget -c '$(upstream_url)'
+	wget -c '$(upstream_dsc_url)' '$(upstream_tar_url)'
+	install -m 0700 -d gnupghome/
+	[ -e ../keyring.gpg ] || \
+		$(gpg) --keyserver hkp://pool.sks-keyservers.net \
+			--recv-keys $(keys); \
+	rm -f ../keyring.gpg~; \
+	if ! $(gpg) --verify '$(upstream_dsc)'; then \
+		rm -Rf gnupghome/; \
+		exit 1; \
+	fi
+	rm -Rf gnupghome/
+	sed -n 's/^ \($(sha256sum_re)\) .* \($(upstream_archive)\)$$/\1  \2/p' \
+		'$(upstream_dsc)' >sha256sums
+	sha256sum -c sha256sums
 	mv '$(upstream_archive)' '$(source_archive)'
 
 source: $(source_archive)