#!/bin/bash
#
# Download and verify a public source tarball of Varnish Cache.
#
# Author: Lasse Karstensen <lkarsten@varnish-software.com>, April 2016.
TMPDIR=$(mktemp -d)
#TMPDIR="`pwd`/w"

set -o errexit

dl() {
	wget --no-verbose --no-clobber -4 --directory-prefix=$TMPDIR $1
}

RELEASEVERSION=$1
OUTPUTDIR=$2

if [ $# -ne 2 ]; then
	echo "Usage: $0 release outputdir"
	exit 1
fi

if [ ! -d $OUTPUTDIR ]; then
	echo "ERROR: No such directory $OUTPUTDIR"
	exit 2
fi

echo -e "Downloading and verifying Varnish Cache $RELEASEVERSION.\n"

dl https://repo.varnish-cache.org/source/SHA256SUM
dl https://repo.varnish-cache.org/source/SHA256SUM.gpg
dl https://repo.varnish-cache.org/source/varnish-${RELEASEVERSION}.tar.gz

if ! gpg --list-key C4DEFFEB 1>/dev/null; then
	gpg --recv-key C4DEFFEB
fi

# Do file verification.
(cd $TMPDIR && gpg --verify SHA256SUM.gpg SHA256SUM)

# Release must be a part of the signed signature file to be valid.
(cd $TMPDIR && grep "varnish-$RELEASEVERSION.tar.gz" SHA256SUM | sha256sum -c - )

mv $TMPDIR/*gz $OUTPUTDIR
