cdist/cdist/conf/type/__apt_key/manifest

#!/bin/sh -e

__package gnupg

state_should="$(cat "${__object}/parameter/state")"

incompatible_args()
{
	cat >> /dev/stderr <<-EOF
	This type does not support --${1} and --${method} simultaneously.
	EOF
	exit 1
}

if [ -f "${__object}/parameter/source" ]; then
	method="source"
	src="$(cat "${__object}/parameter/source")"
	if [ "${src}" = "-" ]; then
		src="${__object}/stdin"
	fi
fi
if [ -f "${__object}/parameter/uri" ]; then
	if [ -n "${method}" ]; then
		incompatible_args uri
	fi
	method="uri"
	src="$(cat "${__object}/parameter/uri")"
fi
if [ -f "${__object}/parameter/keyid" ]; then
	if [ -n "${method}" ]; then
		incompatible_args keyid
	fi
	method="keyid"
fi
# Keep old default
if [ -z "${method}" ]; then
	method="keyid"
fi
# Save this for later in gencode-remote
echo "${method}" > "${__object}/key_method"

# Required remotely (most likely already installed)
__package dirmngr
# We need this in case a key has to be dearmor'd
__package gnupg
export require="__package/gnupg"

if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
	# This is required if apt-key(8) is to be used
	if [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
		incompatible_args use-deprecated-apt-key
	fi
else
	if [ "${state_should}" = "absent" ] && \
			[ -f "${__object}/parameter/keyid" ]; then
		cat >> /dev/stderr <<EOF
You can't reliably remove by keyid without --use-deprecated-apt-key.
This would very likely do something you do not intend.
EOF
		exit 1
	fi
fi

keydir="$(cat "${__object}/parameter/keydir")"
keyfile="${keydir}/${__object_id}.gpg"
keyfilecdist="${keyfile}.cdist"
if [ "${state_should}" != "absent" ]; then
	# Ensure keydir exists
	__directory "${keydir}" --state exists --mode 0755
fi

if [ "${state_should}" = "absent" ]; then
	__file "${keyfile}" --state "absent"
	__file "${keyfilecdist}" --state "absent"
elif [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
	dearmor="$(cat <<-EOF
	if [ '${state_should}' = 'present' ]; then
		# Dearmor if necessary
		if grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK' '${keyfilecdist}'; then
			gpg --dearmor < '${keyfilecdist}' > '${keyfile}'
		else
			cp '${keyfilecdist}' '${keyfile}'
		fi
		# Ensure permissions
		chown root '${keyfile}'
		chmod 0444 '${keyfile}'
	fi
	EOF
	)"

	if [ "${method}" = "uri" ]; then
		__download "${keyfilecdist}" \
			--url "${src}" \
			--onchange "${dearmor}"
		require="__download${keyfilecdist}" \
			__file "${keyfile}" \
				--owner root \
				--mode 0444 \
				--state pre-exists
	else
		__file "${keyfilecdist}" --state "${state_should}" \
			--mode 0444 \
			--source "${src}" \
			--onchange "${dearmor}"
	fi
fi