#!/bin/sh
##
# Import trusted keys used to sign updates

# Options given to every gpg invocation in this script: use the GnuPG home
# directory /opt/xensource/gpg and run in batch (non-interactive) mode.
# Stored as one string; callers expand it unquoted so it splits into options.
gpgopts='--homedir=/opt/xensource/gpg --batch'

# Stop at the first failing command that is not part of a condition.
set -o errexit

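# Decide whether a key file still has to be imported.
# Arguments: $1 - base name of the key as stored under /etc/pki/rpm-gpg
#            $2 - path of the candidate key file
# Returns:   0 (import needed) when /etc/pki/rpm-gpg/$1 does not exist or its
#            content differs from $2; 1 when an identical copy is present.
#
# The decision is a byte-for-byte file comparison only. It does not look at
# the gpg keyring, so a key that was removed from the keyring while its copy
# stayed in /etc/pki/rpm-gpg is reported as "not required".
import_required()
{
    # Both arguments are quoted so names containing spaces or glob characters
    # are tested as one path instead of being split by the shell.
    if [ ! -e "/etc/pki/rpm-gpg/$1" ]; then
        return 0
    fi
    if cmp -s "/etc/pki/rpm-gpg/$1" "$2"; then
        return 1
    fi
    # Different content, or cmp could not read one of the files.
    return 0
}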


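# Import one key file into the keyring selected by $gpgopts and give it
# ultimate owner trust, then record it under /etc/pki/rpm-gpg.
# Globals:   gpgopts (read); keyfile, base, keyhash (written, no 'local' in
#            POSIX sh)
# Arguments: $1 - path of the key file
# Returns:   0 when the key was imported or an identical copy was already
#            installed; non-zero when any step fails.
import_key() {
    keyfile=$1
    base=$(basename "$keyfile")
    if import_required "$base" "$keyfile"; then
        echo "Importing $base from $keyfile"

        # $gpgopts stays unquoted on purpose: it carries several options.
        # NOTE(review): the sed expression takes the key ID printed after the
        # '/' on the "pub" line of gpg's human-readable listing. That layout is
        # not stable across GnuPG versions, and a key ID is weaker than a full
        # fingerprint for choosing which key gets ultimate trust. Consider
        # parsing --with-colons output and passing the fingerprint instead.
        keyhash=$(gpg $gpgopts --with-fingerprint "$keyfile" | sed -ne 's#^pub  [^ ]\+/\([^ ]\+\).*#\1#p')
        if [ -z "$keyhash" ]; then
            # The pipeline's status is sed's, so a gpg failure or an
            # unexpected listing format only shows up as an empty result.
            echo "Cannot determine key ID of $keyfile" >&2
            return 1
        fi

        gpg $gpgopts --import "$keyfile" || return
        # Answers for the --edit-key dialogue: "trust", level 5 (ultimate),
        # confirm with "y". printf replaces 'echo -e', which is not portable
        # under #!/bin/sh; the bytes sent are unchanged.
        printf 'trust\n5\ny\n\n' | gpg $gpgopts --command-fd 0 --edit-key "$keyhash" || return

        # Copy last: import_required treats an identical file here as "already
        # imported", so writing it before gpg succeeded would hide a failed
        # import on the next run.
        cp -p "$keyfile" /etc/pki/rpm-gpg || return
    fi
}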

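# Import every key file found in /etc/firstboot.d/data/keys.
# Globals:   keyfile (written)
# Returns:   0 when the directory is absent or every file was handled;
#            otherwise the failure of import_key ends the script (set -e).
#
# Each regular file in this directory ends up ultimately trusted in the
# updates keyring, so the directory has to be writable by root only. This
# script does not check ownership or permissions itself.
start() {
    [ -d /etc/firstboot.d/data/keys ] || return 0

    for keyfile in /etc/firstboot.d/data/keys/*; do
        # An empty directory leaves the pattern unexpanded; skip that literal
        # and anything that is not a regular file (e.g. a subdirectory).
        [ -f "$keyfile" ] || continue
        import_key "$keyfile"
    done
}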


# Entry point: only the "start" action does anything; every other argument
# (or none) is accepted silently and leaves the exit status at 0.
if [ "$1" = start ]; then
    start
fi
