verify

#!/usr/bin/env bash
# Copyright (c) Berk D. Demir and the runitor contributors.
# SPDX-License-Identifier: 0BSD
set -euo pipefail

ALLOWED_SIGNERS_URL="https://bdd.fi/x/runitor.pub"
SIGNER_IDENTITY="runitor"
SIGNATURE_NAMESPACE="bdd.fi/x/runitor release"

SHA256SUM=$(type -p sha256sum shasum | head -1 || true)
if [[ -z ${SHA256SUM} ]]; then
  echo "couldn't find sha256sum or shasum in the PATH." >&2
  exit 69 # EX_UNAVAILABLE
fi

if ! hash ssh-keygen; then
  echo "need ssh-keygen to verify release signature." >&2
  exit 69 # EX_UNAVAILABLE
fi

if (($# > 1)); then
  echo "usage: $0 [releasedir]" >&2
  exit 64 # EX_USAGE
fi

releasedir="${1-${PWD}}"

(
  cd "${releasedir}"

  ssh-keygen -Y verify \
    -I "${SIGNER_IDENTITY}" \
    -n "${SIGNATURE_NAMESPACE}" \
    -f <(curl --proto '=https' --tlsv1.2 -LSsf "${ALLOWED_SIGNERS_URL}") \
    -s SHA256.sig < SHA256

  "${SHA256SUM}" --ignore-missing -c SHA256
)