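#
# Handle signing and verifying of release artefacts.
#
# make
#	- equivalent of make verify
#
# make verify
#	- verify all signatures in the directory against the caller's
#	  default GnuPG keyring
#
# make verify-local
#	- verify all signatures using only the keys imported from ${KEYS}
#
# make sign
#	- sign all release artefacts.
#
# make hash
#	- write a SHA-256 checksum file (<artefact>.sha256) next to each
#	  release artefact.
#
# Use
#	GPG2FLAGS='-u uid@redwax.eu' gmake sign
# to force a specific UID to be used for signing.
#
# Conventions used by every recipe below:
#  * File names found by find(1) are handed to bash as positional
#    parameters ("$@"), never substituted into the script text, so a file
#    name containing quotes, spaces or shell metacharacters is treated as
#    data and cannot alter the command that runs.
#  * `-exec ... {} +` is used instead of `-exec ... \;` because POSIX
#    specifies that find then returns non-zero when the invoked command
#    does; each script accumulates failures in `rc`, so a bad signature or
#    a failed signing/hashing step makes the make target fail instead of
#    only scrolling past in the output.
#
KEYS = ../keys/KEYS

# GPG2FLAGS reaches the recipes through the environment and is expanded
# unquoted by the shell (plain word splitting), e.g. "-u uid@redwax.eu".
GPG2FLAGS ?=
export GPG2FLAGS

# Do not list sign-tar.gz, hash-zip, ... here: make skips implicit (pattern)
# rule search for .PHONY targets, which would disable sign-% and hash-%.
.PHONY: all verify verify-local sign hash

# Remove a half-written keyring if the import fails.
.DELETE_ON_ERROR:

all: verify

# Verify every detached signature against the default keyring.
verify:
	find . -name '*.asc' -exec bash -c ' \
	    rc=0; \
	    for sig; do \
	        basename "$$sig"; \
	        gpg2 $$GPG2FLAGS --armor --verify "$$sig" || rc=1; \
	    done; \
	    exit $$rc' _ {} +

# Build a dedicated keyring from the project's KEYS file. The old keyring is
# removed first so that a key deleted from ${KEYS} does not linger in the
# keyring and keep validating signatures.
${KEYS}.gpg: ${KEYS}
	$(RM) "$@" "$@~"
	gpg2 --no-default-keyring --keyring "$@" --import --trust-model always < "$<"

# Verify every detached signature using only the keys from ${KEYS}; the
# caller's personal keyring is ignored.
verify-local: ${KEYS}.gpg
	find . -name '*.asc' -exec bash -c ' \
	    keyring=$$1; shift; rc=0; \
	    for sig; do \
	        basename "$$sig"; \
	        gpg2 $$GPG2FLAGS --armor --verify --no-default-keyring --keyring "$$keyring" "$$sig" || rc=1; \
	    done; \
	    exit $$rc' _ "${KEYS}.gpg" {} +

sign: sign-tar.gz sign-tar.bz2 sign-zip

# Append a detached, armored signature to <artefact>.asc, so several signers
# can each add theirs. The signature is captured first and appended only when
# gpg2 succeeds; a failed or cancelled signing run therefore never leaves an
# empty or truncated .asc behind.
sign-%:
	find . -name '*.$*' -exec bash -c ' \
	    rc=0; \
	    for artefact; do \
	        if sig=$$(gpg2 $$GPG2FLAGS --armor --output - --detach-sign "$$artefact"); then \
	            printf "%s\n" "$$sig" >> "$$artefact.asc"; \
	        else \
	            rc=1; \
	        fi; \
	    done; \
	    exit $$rc' _ {} +

hash: hash-tar.gz hash-tar.bz2 hash-zip

# Write a BSD-style (--tag) SHA-256 line to <artefact>.sha256 using the first
# tool that works: sha256sum, gsha256sum or shasum.
#  * The redirect is attached to the whole fallback chain. Previously it bound
#    only to the final shasum branch, so where sha256sum or gsha256sum was
#    installed the digest went to stdout and no .sha256 file was written.
#  * `find . ! -path './.*'` replaces `find *`: same set of files (top-level
#    dot entries skipped), but a file name starting with "-" can no longer be
#    read by find as an option. The "./" prefix is stripped again so the
#    recorded name stays as before, and "--" keeps the hashing tool from
#    parsing that name as an option.
#  * If no tool succeeds the empty checksum file is removed and the target
#    fails.
hash-%:
	find . ! -path './.*' -name '*.$*' -exec bash -c ' \
	    rc=0; \
	    for path; do \
	        f=$${path#./}; \
	        { \
	            { command -v sha256sum > /dev/null && sha256sum --tag -- "$$f"; } || \
	            { command -v gsha256sum > /dev/null && gsha256sum --tag -- "$$f"; } || \
	            { command -v shasum > /dev/null && shasum -a 256 --tag -- "$$f"; }; \
	        } > "$$f.sha256" || { rm -f -- "$$f.sha256"; rc=1; }; \
	    done; \
	    exit $$rc' _ {} +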