z = gz
tar_z = z
keys = \
	'F40A DB90 2B24 264A A42E  50BF 92ED B04B FF32 5CF3'
non_free_files = \
	gdb/doc/gdb.texinfo \
	gdb/doc/gdb.info*
non_free_dirs = \
	zlib/

upstream_version = $$(printf '%s\n' '$(OPK_SOURCE_VERSION_UPSTREAM)' | \
	sed 's/+sip[1-9][0-9]*.*$$//')
upstream_name = $(OPK_SOURCE)-$(upstream_version)
upstream_archive = $(upstream_name).tar.$(z)
upstream_url = http://ftp.gnu.org/pub/gnu/$(OPK_SOURCE)/$(upstream_archive)
source_archive = ../$(OPK_SOURCE)-$(OPK_SOURCE_VERSION_UPSTREAM).orig.tar.$(z)

GNUPGHOME = gnupghome
# TODO: When GnuPG is built with TLS support, delete the second "keyserver" line
# to switch to a non-SKS keyserver.  We can't switch yet, because the Web server
# at keys.openpgp.org redirects (HTTP 301) to HTTPS (and enforces it with HSTS).
keyserver = hkps://keys.openpgp.org
keyserver = hkp://pool.sks-keyservers.net
keyring = ../keyring.gpg
cleanup = gpgconf --kill all; rm -Rf '$(GNUPGHOME)'; sleep 5

$(keyring):
	gpg --recv-keys $(keys) || { rm -Rf '$@'; exit 1; }
	rm -f '$@~'

$(source_archive): $(keyring)
	wget -c "$(upstream_url)" "$(upstream_url).sig"
	gpg --verify "$(upstream_archive).sig"
	tar -x$(tar_z)f "$(upstream_archive)"
	rm -f "$(upstream_archive)"
	cd "$(upstream_name)"; for file in $(non_free_files); do \
		mv "$${file}" "$${file}.orig"; \
		touch -r "$${file}.orig" "$${file}"; \
		rm "$${file}.orig"; \
	done; cd ..
	cd "$(upstream_name)"; for dir in $(non_free_dirs); do \
		rm -R "$${dir}"; \
	done; cd ..
	tar -c$(tar_z)f "$(source_archive)" "$(upstream_name)"
	rm -Rf "$(upstream_name)"

source:
	install -m 0700 -d '$(GNUPGHOME)'
	umask 0177; printf 'keyserver $(keyserver)\n' \
		1>'$(GNUPGHOME)/dirmngr.conf'
	umask 0177; printf 'no-default-keyring\nkeyring $(keyring)\nverbose\n' \
		1>'$(GNUPGHOME)/gpg.conf'
	GNUPGHOME='$(GNUPGHOME)' $(MAKE) -f ../source.mk "$(source_archive)" \
		|| { $(cleanup); exit 1; }
	$(cleanup)