From 45ac4c39606dd53594a46a6700527b017e2475eb Mon Sep 17 00:00:00 2001
From: vv01f
Date: Thu, 29 Sep 2022 13:59:04 +0200
Subject: [PATCH] check gpg sig and add README
---
 README.markdown | 6 ++++++
 get.sh | 8 +++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 README.markdown
diff --git a/README.markdown b/README.markdown
new file mode 100644
index 0000000..72d6151
--- /dev/null
+++ b/README.markdown
@@ -0,0 +1,6 @@
+# gopass download and install script
+
+As I cherish the tool but my distro does not provide a recent version,
+this script shall download and install the latest release of gopass.
+
+simply run `./get.sh` or maybe go through it step by step to verify.
diff --git a/get.sh b/get.sh
index ba05b66..706bc24 100755
--- a/get.sh
+++ b/get.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env sh
+dependencies="gpg cut test curl grep"
 #~ if ! "$1" = "run"; then
 #~ printf "stilly buggy!\n" ; exit 0;
 #~ fi
@@ -6,6 +7,10 @@
 #~ wget -q -O- https://api.bintray.com/orgs/gopasspw/keys/gpg/public.key | sudo apt-key add -
 #~ echo "deb https://dl.bintray.com/gopasspw/gopass buster main" | sudo tee /etc/apt/sources.list.d/gopass.list
+gopass_fpr="79713E81C71FB7967B5185D02F752B2CA00248FC"
+echo "check for PGP key based on fingerprint "${gopass_fpr}
+gpg -q --recv-keys ${gopass_fpr} || { echo "error retreiving pgp public key"; exit 1; }
+
 echo "collecting system information"
 arch=$(uname --machine)
 if test "${arch}" = "x86_64"; then
@@ -17,7 +22,7 @@ echo $uname|grep -i "debian" >/dev/null && { fn_suffix="linux_${arch}.deb"; }
 echo $uname|grep -i "openbsd" >/dev/null && { fn_suffix="openbsd_${arch}.tar.gz"; }
 echo $uname|grep -i "freebsd" >/dev/null && { fn_suffix="freebsd_${arch}.tar.gz"; }
 test -z $fn_suffix && { echo "operating system not supported."; exit 1; }
-echo "fn_suffix: "${fn_suffix}
+#~ echo "fn_suffix: "${fn_suffix}
 echo "check online resources"
 url_effective=$(curl -sLI -o /dev/null -w %{url_effective} https://github.com/gopasspw/gopass/releases/latest)
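Review bot: `dependencies` in the first get.sh hunk is assigned but nothing in the visible hunks reads it, so a missing tool still surfaces only as a later, misleading error (a missing gpg would be reported as "error retreiving pgp public key"). A check directly after the assignment would make the list useful: `for dep in ${dependencies}; do command -v "${dep}" >/dev/null 2>&1 || { echo "missing dependency: ${dep}"; exit 1; }; done`. The list also omits `uname` and `du`, which the visible context lines call. The rest of the script lies outside the hunks, so a consumer may exist there.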
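Review bot: `gopass_fpr` in the second get.sh hunk is used only to fetch the key, so the pin does not constrain the check added in the last hunk: `gpg -q --verify "${fn_SHA256}.sig"` succeeds for a good signature from any key already in the user's keyring. Tie the two together by reading gpg's machine-readable status and requiring the pinned fingerprint, for example `gpg --status-fd 1 --verify "${fn_SHA256}.sig" "${fn_SHA256}" 2>/dev/null | grep -q "^\[GNUPG:\] VALIDSIG .*${gopass_fpr}" || { echo "verification for signature failed."; exit 2; }`, which matches either the signing-key or the primary-key field of the VALIDSIG line. Naming the signed file explicitly also avoids relying on gpg deriving it from the `.sig` name. Separately, `--recv-keys` imports into the user's default keyring and depends on the configured keyserver; a dedicated keyring (`--no-default-keyring --keyring …`) used for both calls would keep the trust decision local to the script.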
@@ -36,6 +41,7 @@ curl -s --progress-bar -L $url$fn_SHA256 -o $fn_SHA256 || { echo "download faile
 curl -s --progress-bar -L $url$fn_SHA256".sig" -o $fn_SHA256".sig" || { echo "download failed"; exit 1; }
 test $(du $fn_package|cut -f1) -gt 1024 || { echo "manually check small file before installation."; exit 1; }
+gpg -q --verify "${fn_SHA256}.sig" || { echo "verification for signature failed."; exit 2; }
 # test checksums