#! /bin/bash

set -e

FILETOSIGN=$1
[ -z $2 ] && SIGFILE="$FILETOSIGN.asc" || SIGFILE="$2"
[ ! -z "$3" ] && CLRSIGNEDFILE="$3"

if [ -z "$FILETOSIGN" -o ! -r "$FILETOSIGN" ]; then
    echo "No file to sign provided" >&2
    exit 1
fi

if [ ! -r /etc/rhn/signing.conf ]; then
    echo "No config file found: /etc/rhn/signing.conf" >&2
    exit 1
fi

source /etc/rhn/signing.conf

if [ -z "$KEYID" ]; then
    echo "Unable to find GPG KEYID in config" >&2
    exit 1
fi

if [ -z "$GPGPASS" ]; then
    echo "Unable to find GPG PASSWORD in config" >&2
    exit 1
fi

KEYFILE="$FILETOSIGN.key"

# Debian systems require the hashing algorithm to be at least SHA256
if [ ! -z "$DIGESTPREF" ]; then
  DIGESTOPT="--personal-digest-preferences $DIGESTPREF"
else
  DIGESTOPT="--personal-digest-preferences SHA256"
fi

rm -f $SIGFILE
echo "$GPGPASS" | gpg -sab --batch -u $KEYID --passphrase-fd 0 --pinentry-mode loopback $DIGESTOPT -o $SIGFILE $FILETOSIGN

rm -f $KEYFILE
gpg --batch --export -a -o $KEYFILE $KEYID

if [ ! -z "$CLRSIGNEDFILE" ]; then
  rm -f $CLRSIGNEDFILE
  echo "$GPGPASS" | gpg --batch -u $KEYID --passphrase-fd 0 --pinentry-mode loopback $DIGESTOPT --clearsign -o $CLRSIGNEDFILE $FILETOSIGN
fi

exit 0
