From 6dd35cefc5fcaf0662708b5952038bce528979ff Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson" <robbat2@gentoo.org>
Date: Thu, 29 Jun 2023 22:18:58 -0700
Subject: keyrings.inc.bash: ensure there is a checksum to verify the download
 for corruption (integrity only, not authenticity)

Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
---
 keyrings.inc.bash | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/keyrings.inc.bash b/keyrings.inc.bash
index cc89de0..32fc03f 100644
--- a/keyrings.inc.bash
+++ b/keyrings.inc.bash
@@ -96,7 +96,8 @@ export_keys() {
 	DST="$1"
 	shift
 	setup_tmp
-	TMP="${GPG_TMPDIR}"/$(basename "${DST}")
+	BASENAME=$(basename "${DST}")
+	TMP="${GPG_TMPDIR}/${BASENAME}"
 	# Must not exist, otherwise GPG will give error
 	[[ -f "${TMP}" ]] && rm -f "${TMP}"
 	# 'gpg --export' returns zero if there was no error with the command itself
@@ -116,12 +117,17 @@ export_keys() {
 		echo "Unable to export keys to $DST: GPG failed to list packets"
 		exit 1
 	fi
+
+	# Ensure we have a checksum to verify the file.
+	rhash --bsd --sha256 --sha512 --blake2b "${TMP}" |sed "s,${TMP},${BASENAME},g" >"${TMP}.DIGESTS"
+
 	# Check if the textual format has changed at all, and emit the new version
 	# if there are ANY changes at all.
 	if ! cmp -s "${DST}.packets.txt" "${TMP}.packets.txt"; then
 		chmod a+r "${TMP}"
 		mv -f "${TMP}" "${DST}"
 		mv -f "${TMP}.packets.txt" "${DST}.packets.txt"
+		mv -f "${TMP}.DIGESTS" "${DST}.DIGESTS"
 	fi
 	# Cleanup anyway
 	rm -f "${TMP}.packets.txt" "${TMP}"
-- 
cgit v1.2.3-65-gdbad