From c5b091e3b395d649d11d3b7ccfd86b53ab48305e Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach <kevin@veen.world>
Date: Sat, 20 Jul 2024 12:54:04 +0200
Subject: [PATCH] Added signature verification (untested). See AI chat:
 https://chatgpt.com/share/b521328b-7d7e-4b51-ae1a-9efec2f307c6

---
 scripts/image/setup.sh | 42 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/scripts/image/setup.sh b/scripts/image/setup.sh
index f286355..e251eae 100644
--- a/scripts/image/setup.sh
+++ b/scripts/image/setup.sh
@@ -172,6 +172,8 @@ case "$operation_system" in
   ;;
 esac
 
+info "Verifying image..."
+info "Verifying checksum..."
 if [ -z "$image_checksum" ]; then
     for ext in sha1 sha512 md5; do
         sha_download_url="$download_url.$ext"
@@ -186,7 +188,6 @@ if [ -z "$image_checksum" ]; then
     done
 fi
 
-info "Verifying image..."
 if [[ -v image_checksum ]]
   then
     (info "Checking md5 checksum..." && echo "$image_checksum $image_path"| md5sum -c -) ||
@@ -197,6 +198,45 @@ if [[ -v image_checksum ]]
     warning "Verification is not possible. No checksum is defined."
 fi
 
+info "Verifying signature..."
+signature_download_url="$download_url.sig"
+info "Try to download image signature from $signature_download_url."
+
+if wget -q --method=HEAD "$signature_download_url"; then
+    signature_name="${image_name}.sig"
+    signature_path="${image_folder}${signature_name}"
+
+    info "Download the signature file"
+    if wget -q -O "$signature_path" "$signature_download_url"; then
+        info "Extract the key ID from the signature file"
+        key_id=$(gpg --status-fd 1 --verify "$signature_path" "$image_path" 2>&1 | grep 'NO_PUBKEY' | awk '{print $NF}')
+        
+        if [ -n "$key_id" ]; then
+            info "Check if the key is already in the keyring"
+            if gpg --list-keys "$key_id" > /dev/null 2>&1; then
+                info "Key $key_id already in keyring."
+            else
+                info "Import the public key"
+                gpg --keyserver keyserver.ubuntu.com --recv-keys "$key_id"
+            fi
+
+            info "Verify the signature again after importing the key"
+            if gpg --verify "$signature_path" "$image_path"; then
+                info "Signature verification succeeded."
+            else
+                warning "Signature verification failed."
+            fi
+        else
+            warning "No public key found in the signature file."
+        fi
+    else
+        warning "Failed to download the signature file."
+    fi
+else
+    warning "No signature found under $signature_download_url."
+fi
+
+
 make_mount_folders
 
 set_partition_paths