From e561ca7706d0c94b34da218f440ac06bbc139d79 Mon Sep 17 00:00:00 2001
From: Paul Brossier <piem@piem.org>
Date: Tue, 18 Sep 2018 01:41:51 +0200
Subject: [PATCH] scripts/get_waf.sh: verify signature if gpg available

---
 scripts/get_waf.sh | 37 +++++++++++++++++++++++++++----------
 1 file changed, 27 insertions(+), 10 deletions(-)

diff --git a/scripts/get_waf.sh b/scripts/get_waf.sh
index e24ad248..f137d7a8 100755
--- a/scripts/get_waf.sh
+++ b/scripts/get_waf.sh
@@ -1,11 +1,12 @@
 #! /bin/bash
 
 set -e
-set -x
+#set -x
 
 WAFVERSION=2.0.11
 WAFTARBALL=waf-$WAFVERSION.tar.bz2
 WAFURL=https://waf.io/$WAFTARBALL
+WAFUPSTREAMKEY=https://gitlab.com/ita1024/waf/raw/master/utils/pubkey.asc
 
 WAFBUILDDIR=`mktemp -d`
 
@@ -15,23 +16,39 @@ function cleanup () {
 
 trap cleanup SIGINT SIGTERM
 
-function buildwaf () {
-  pushd $WAFBUILDDIR
+function download () {
+  ( [[ -n `which wget` ]] && wget -qO $1 $2 ) || ( [[ -n `which curl` ]] && curl -so $1 $2 )
+}
+
+function checkwaf () {
+  download $WAFTARBALL.asc $WAFURL.asc
+  if [[ -z `which gpg` ]]
+  then
+    echo "Warning: gpg not found, not verifying signature for $WAFTARBALL"
+  else
+    download - $WAFUPSTREAMKEY | gpg --import
+    gpg --verify $WAFTARBALL.asc || exit 1
+  fi
+}
 
-  ( which wget > /dev/null && wget -qO $WAFTARBALL $WAFURL ) || ( which curl > /dev/null && curl $WAFURL > $WAFTARBALL )
+function fetchwaf () {
+  download $WAFTARBALL $WAFURL
+  checkwaf
+}
 
+function buildwaf () {
   tar xf $WAFTARBALL
   pushd waf-$WAFVERSION
   NOCLIMB=1 python waf-light --tools=c_emscripten $*
-
-  popd
   popd
-
-  cp -prv $WAFBUILDDIR/waf-$WAFVERSION/waf $PWD
-
-  chmod +x waf
 }
 
+pushd $WAFBUILDDIR
+fetchwaf
 buildwaf
+popd
+
+cp -prv $WAFBUILDDIR/waf-$WAFVERSION/waf $PWD
+chmod +x waf
 
 cleanup
-- 
2.11.0