1 files changed, 31 insertions, 4 deletions

diff --git a/source.mk b/source.mk
index ce2f407..baa0c14 100644
--- a/source.mk
+++ b/source.mk
@@ -1,10 +1,37 @@
-upstream_sf_base = http://downloads.sourceforge.net/project/$(OPK_SOURCE)
+z = gz
+keys = \
+	'847A F8F7 2DF4 C7B4 9238  2C94 BF0B 339C 64BC AA8B'
+
+upstream_sf_base = https://downloads.sourceforge.net/project/$(OPK_SOURCE)
 upstream_path = $(OPK_SOURCE)/$(OPK_SOURCE_VERSION_UPSTREAM)
 upstream_archive = $(OPK_SOURCE)-$(OPK_SOURCE_VERSION_UPSTREAM).tar.gz
 upstream_url = $(upstream_sf_base)/$(upstream_path)/$(upstream_archive)
 source_archive = ../$(OPK_SOURCE)-$(OPK_SOURCE_VERSION_UPSTREAM).orig.tar.gz
 
-$(source_archive):
-	wget -O '$@' '$(upstream_url)'
+GNUPGHOME = gnupghome
+# TODO: When GnuPG is built with TLS support, delete the second "keyserver" line
+# to switch to a non-SKS keyserver.  We can't switch yet, because the Web server
+# at keys.openpgp.org redirects (HTTP 301) to HTTPS (and enforces it with HSTS).
+keyserver = hkps://keys.openpgp.org
+keyserver = hkp://pool.sks-keyservers.net
+keyring = ../keyring.gpg
+cleanup = gpgconf --kill all; rm -Rf '$(GNUPGHOME)'; sleep 5
+
+$(keyring):
+	gpg --recv-keys $(keys) || { rm -Rf '$@'; exit 1; }
+	rm -f '$@~'
+
+$(source_archive): $(keyring)
+	wget -c '$(upstream_url)' '$(upstream_url).asc'
+	gpg --verify '$(upstream_archive).asc'
+	mv '$(upstream_archive)' '$(source_archive)'
 
-source: $(source_archive)
+source:
+	install -m 0700 -d '$(GNUPGHOME)'
+	umask 0177; printf 'keyserver $(keyserver)\n' \
+		1>'$(GNUPGHOME)/dirmngr.conf'
+	umask 0177; printf 'no-default-keyring\nkeyring $(keyring)\nverbose\n' \
+		1>'$(GNUPGHOME)/gpg.conf'
+	GNUPGHOME='$(GNUPGHOME)' $(MAKE) -f ../source.mk '$(source_archive)' \
+		|| { $(cleanup); exit 1; }
+	$(cleanup)