1 files changed, 43 insertions, 0 deletions

diff --git a/source.mk b/source.mk
new file mode 100644
index 0000000..65e6334
--- /dev/null
+++ b/source.mk
@@ -0,0 +1,43 @@
+z = gz
+keys = \
+	'357D CB0E EC95 A01A EBA1  F0D2 DE63 B9C7 04EB E9EF'
+
+debrev = 4
+pool = https://ftp.debian.org/debian/pool/main/s/stress/
+deb_tar = $(OPK_SOURCE)_$(OPK_SOURCE_VERSION_UPSTREAM).orig.tar.$(z)
+deb_dsc = $(OPK_SOURCE)_$(OPK_SOURCE_VERSION_UPSTREAM)-$(debrev).dsc
+source_archive = ../$(OPK_SOURCE)-$(OPK_SOURCE_VERSION_UPSTREAM).orig.tar.$(z)
+
+GNUPGHOME = gnupghome
+# TODO: When GnuPG is built with TLS support, delete the second "keyserver" line
+# to switch to a non-SKS keyserver.  We can't switch yet, because the Web server
+# at keys.openpgp.org redirects (HTTP 301) to HTTPS (and enforces it with HSTS).
+keyserver = hkps://keys.openpgp.org
+keyserver = hkp://pool.sks-keyservers.net
+keyring = ../keyring.gpg
+cleanup = gpgconf --kill all; rm -Rf '$(GNUPGHOME)'; sleep 5
+
+dsc_sed = \
+	/^Checksums-Sha256:$$/,/^[^ ]/{ \
+		s/ \([0-9a-f][0-9a-f]*\) [0-9][0-9]* \($(deb_tar)\)$$/\1  \2/p;\
+	};
+
+$(keyring):
+	gpg --recv-keys $(keys) || { rm -Rf '$@'; exit 1; }
+	rm -f '$@~'
+
+$(source_archive): $(keyring)
+	wget -c '$(pool)/$(deb_dsc)' '$(pool)/$(deb_tar)'
+	gpg --verify '$(deb_dsc)'
+	sed -n '$(dsc_sed)' '$(deb_dsc)' | sha256sum -c -
+	mv '$(deb_tar)' '$(source_archive)'
+
+source:
+	install -m 0700 -d '$(GNUPGHOME)'
+	umask 0177; printf 'keyserver $(keyserver)\n' \
+		1>'$(GNUPGHOME)/dirmngr.conf'
+	umask 0177; printf 'no-default-keyring\nkeyring $(keyring)\nverbose\n' \
+		1>'$(GNUPGHOME)/gpg.conf'
+	GNUPGHOME='$(GNUPGHOME)' $(MAKE) -f ../source.mk "$(source_archive)" \
+		|| { $(cleanup); exit 1; }
+	$(cleanup)