From c775f4ec77b3fa58a93849fc7c7c802da99ee748 Mon Sep 17 00:00:00 2001
From: Patrick McDermott <patrick.mcdermott@libiquity.com>
Date: Mon, 29 Apr 2019 12:04:14 -0400
Subject: source.mk: Verify OpenPGP signature

---
diff --git a/source.mk b/source.mk
index bb26c3a..82a5ce0 100644
--- a/source.mk
+++ b/source.mk
@@ -3,9 +3,25 @@ upstream_ver = $$(printf '%s\n' '$(OPK_SOURCE_VERSION_UPSTREAM)' | \
 upstream_archive = zlib-$(upstream_ver).tar.gz
 upstream_url = http://zlib.net/$(upstream_archive)
 source_archive = ../zlib-$(OPK_SOURCE_VERSION_UPSTREAM).orig.tar.gz
+keys = \
+	'E3EC F4DF 7EDB E724 A3EC  FBC2 D9A2 7D25 0196 71A7' \
+	'5ED4 6A67 21D3 6558 7791  E2AA 783F CD8E 58BC AFBA'
 
 $(source_archive):
-	wget -O - "$(upstream_url)" | tar -xz
+	wget -c "$(upstream_url)"
+	set -e; if gpg --version >/dev/null 2>&1; then \
+		wget -c "$(upstream_url).asc"; \
+		if ! [ -e ../keyring.gpg ]; then \
+			gpg --no-default-keyring --keyring ../keyring.gpg \
+				--keyserver hkp://pool.sks-keyservers.net \
+				--recv-keys $(keys); \
+		fi; \
+		rm -f ../keyring.gpg~; \
+		gpg --no-default-keyring --keyring ../keyring.gpg \
+			--verify "$(upstream_archive).asc"; \
+	fi
+	tar -xzf "$(upstream_archive)"
+	rm -f "$(upstream_archive)"
 	rm -f "zlib-$(upstream_ver)"/doc/rfc*.txt
 	tar -czf '$(source_archive)' "zlib-$(upstream_ver)"
 	rm -Rf src
--
cgit v0.9.1