#!/bin/bash

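# Abort on the first failing command, on any unset variable, and on a failing
# stage inside a pipeline: without pipefail the `tar | base64` step below
# reports success even when tar fails, and an empty archive would be uploaded.
set -euo pipefail

# gcloud invocation prefix (project pinned) and the Secret Manager names of the
# private-key archive to write and the passphrase to read.
readonly GCLOUD="gcloud --project=mendel-linux-cloud-infra"
readonly PRIVKEY_NAME="mendel-linux-signing-key"
readonly PASSPHRASE_NAME="mendel-linux-signing-key-passphrase"

# Scratch file for the base64 key archive and a throwaway GPG home directory.
# mktemp creates both owner-only; GNUPGHOME is exported so gpg uses it instead
# of ~/.gnupg and the generated key never touches the caller's keyring.
TMPARCHIVE="$(mktemp /tmp/XXXXXXXX.tar.gz)"
GNUPGHOME="$(mktemp -d /tmp/XXXXXXXX)"
export TMPARCHIVE GNUPGHOME
chmod 700 "${GNUPGHOME}"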

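#######################################
# Remove the temporary GPG home and the archive so the private key and the
# passphrase do not linger on disk. Safe to call more than once: each step
# tolerates the path already being gone, which matters because the trap can
# fire for a signal and again on EXIT.
# Globals:   GNUPGHOME (read), TMPARCHIVE (read)
# Returns:   0
# NOTE(review): shred is best-effort on journaling/copy-on-write filesystems
# and SSDs; a tmpfs-backed /tmp is the stronger guarantee.
#######################################
cleanup() {
    local -a shredder
    # Never leave key material behind just because shred is missing; fall
    # back to plain removal but say so on stderr rather than silently.
    if command -v shred >/dev/null 2>&1; then
        shredder=(shred -u --)
    else
        printf 'warning: shred not found, falling back to rm\n' >&2
        shredder=(rm -f --)
    fi
    if [[ -n "${GNUPGHOME:-}" && -d "${GNUPGHOME}" ]]; then
        # NUL-delimited so names with spaces survive; -r avoids running the
        # shredder with no operands when the directory is already empty.
        find "${GNUPGHOME}" -type f -print0 | xargs -0 -r "${shredder[@]}"
        rm -rf -- "${GNUPGHOME}"
    fi
    if [[ -n "${TMPARCHIVE:-}" && -f "${TMPARCHIVE}" ]]; then
        "${shredder[@]}" "${TMPARCHIVE}"
    fi
    # A bare `trap` only lists the current traps; actually clear them so
    # cleanup is not re-entered after it has already run.
    trap - EXIT INT TERM HUP
    return 0
}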

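#######################################
# Print a message to stderr and exit non-zero (the EXIT trap still runs).
# Arguments: message words
#######################################
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

# cleanup runs exactly once, from the EXIT trap. Signals only trigger an exit:
# trapping them straight to cleanup would run it and then resume the script
# with the GPG home already deleted, and EXIT would run it a second time.
# KILL cannot be trapped at all and RETURN fires on every function return, so
# neither belongs in the list.
trap cleanup EXIT
trap 'exit 130' INT
trap 'exit 143' TERM
trap 'exit 129' HUP

printf 'Fetching passphrase\n'
# shellcheck disable=SC2086 -- GCLOUD deliberately carries its own arguments
PASSPHRASE="$(${GCLOUD} secrets versions access latest \
                        --secret="${PASSPHRASE_NAME}")"
# An empty secret would yield a key with no passphrase at all, and a newline
# would end the `Passphrase:` line of the batch file early; refuse both.
[[ -n "${PASSPHRASE}" ]] || die "secret ${PASSPHRASE_NAME} is empty"
[[ "${PASSPHRASE}" != *$'\n'* ]] || die "passphrase must not contain a newline"

# Unattended key generation using gpg's batch-file syntax. The passphrase is
# delivered on stdin through the heredoc, not on the command line, so it does
# not appear in process listings.
gpg --batch --generate-key - <<EOF
%echo Generating signing key
Key-Type: RSA
Key-Length: 4096
Key-Usage: encrypt sign auth cert
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt sign auth cert
Name-Real: Mendel Linux Release Masters
Name-Email: coral-support@google.com
Expire-Date: 0
Passphrase: ${PASSPHRASE}
%commit
%echo Key generation done
EOF

printf 'Archiving GPG homedir\n'
# Owner-only before any key material is written into it.
chmod 600 "${TMPARCHIVE}"
tar -C "${GNUPGHOME}" -zcf - . | base64 > "${TMPARCHIVE}"
# base64 exits 0 even when tar fails; check tar's own status so a truncated
# archive is never uploaded.
[[ "${PIPESTATUS[0]}" -eq 0 ]] || die "archiving ${GNUPGHOME} failed"

printf 'Uploading archive to cloud storage\n'
# shellcheck disable=SC2086 -- GCLOUD deliberately carries its own arguments
${GCLOUD} secrets versions add "${PRIVKEY_NAME}" \
          --data-file="${TMPARCHIVE}"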
