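#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh

# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2006-2015 Daniel Baumann
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

## Modified Version of the original file:
## live-build(7) - System Build Scripts
## Copyright (C) 2016-2020 The Debian Live team
## Copyright (C) 2006-2015 Daniel Baumann
##
## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
## This is free software, and you are welcome to redistribute it
## under certain conditions; see COPYING for details.

### Purpose: for every algorithm named in LB_CHECKSUMS, write a checksum manifest of the files
### under 'binary/', re-verify it, optionally create and verify a detached GPG signature of the
### manifest (VAR_SIGNER=true), and write a short README. Finally write a sorted list of all
### paths under 'binary/' to '<LB_IMAGE_NAME>-<LB_ARCHITECTURE>.contents'.
###
### Variables read: LIVE_BUILD, PROGRAM, LB_CHECKSUMS, LB_INITRAMFS, LB_IMAGE_NAME,
### LB_ARCHITECTURE, VAR_SIGNER, VAR_SIGNING_KEY_PASSFILE, VAR_SIGNING_KEY_FPR,
### VAR_VERIFY_KEYRING, VAR_DATE.

set -e

### '\033' instead of '\e': POSIX printf does not define '\e', and dash (a common /bin/sh)
### prints it literally instead of emitting ESC.
printf "\033[95m[INFO] CDLB modified: [/usr/lib/live/build/binary_checksums] ... \n\033[0m"

### Including common functions.
if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then
  . "${LIVE_BUILD}/scripts/build.sh"
else
  . /usr/lib/live/build.sh
fi

### Setting static variables.
# shellcheck disable=SC2034
DESCRIPTION="[CDLB] Create binary checksums and PGP signature files."
# shellcheck disable=SC2034
USAGE="${PROGRAM} [--force]"

### Processing arguments and configuration files.
Init_config_data "${@}"

if [ "${LB_CHECKSUMS}" = "none" ]; then
  exit 0
fi

if [ "${LB_INITRAMFS}" = "dracut-live" ]; then
  ### The checksums will be generated by binary_iso.
  exit 0
fi

### Requiring stage file.
Require_stagefiles config bootstrap

### Checking stage file.
Check_stagefile

### Acquire a lock file.
Acquire_lockfile

CHECKSUM=""

### LB_CHECKSUMS is deliberately left unquoted: it is a whitespace-separated list of algorithm
### prefixes, and each one is used below as the command name "<prefix>sum".
for CHECKSUM in ${LB_CHECKSUMS}; do

  CHECKSUMS="${CHECKSUM}sum.txt"

  Echo_message "Creating binary ${CHECKSUMS} ..."

  ### Remove old checksums.
  # shellcheck disable=SC2292
  if [ -f "binary/${CHECKSUMS}" ]; then
    rm -f "binary/${CHECKSUMS}"
  fi

  ### Calculating checksums.
  ### The exclusions keep boot images and this script's own outputs (manifests, READMEs,
  ### signatures) out of the manifest. Sorting under LC_ALL=C makes the order byte-wise and
  ### locale-independent.
  ###
  ### NOTE(review): in find's -path patterns '*' also matches '/', so the suffix rules
  ### ('*SUMS', '*sum.txt', '*sum.README', '*asc', '*gpg', '*sig') exclude matching files at
  ### any depth, not only in the top-level directory. Any file on the medium whose name ends
  ### in one of these suffixes is therefore not covered by the manifest or its signature.
  ### Confirm this is intended.
  ###
  ### NOTE(review): POSIX sh has no 'pipefail'; only the exit status of xargs is seen by
  ### 'set -e'. A failing find or sort would go unnoticed, and the resulting short manifest
  ### would still pass the self-check below and be signed.
  cd binary
  # shellcheck disable=SC2312
  find . -type f \
    \! -path './isolinux/isolinux.bin' \
    \! -path './boot/boot.bin' \
    \! -path './boot/grub/stage2_eltorito' \
    \! -path './*SUMS' \
    \! -path './*sum.txt' \
    \! -path './*sum.README' \
    \! -path './*asc' \
    \! -path './*gpg' \
    \! -path './*sig' \
    -print0 | LC_ALL=C sort -z | xargs -0 "${CHECKSUM}sum" >| "${CHECKSUMS}"

  Echo_message "Creating binary ${CHECKSUMS} done."

  ### Self-check: re-read every listed file; '--strict' also fails on malformed manifest lines.
  Echo_message "Verifying binary ${CHECKSUMS} ..."
  "${CHECKSUM}sum" -c --strict --quiet "${CHECKSUMS}"
  Echo_message "Verifying binary ${CHECKSUMS} done."

  if [ "${VAR_SIGNER}" = "true" ]; then

    ### Fail closed before calling gpg/gpgv: the script does not use 'set -u', so an unset
    ### variable would otherwise be passed on as an empty argument.
    : "${VAR_SIGNING_KEY_PASSFILE:?VAR_SIGNER=true but VAR_SIGNING_KEY_PASSFILE is not set}"
    : "${VAR_SIGNING_KEY_FPR:?VAR_SIGNER=true but VAR_SIGNING_KEY_FPR is not set}"
    : "${VAR_VERIFY_KEYRING:?VAR_SIGNER=true but VAR_VERIFY_KEYRING is not set}"

    ### Detached signature over the manifest. The passphrase is read from a file, so it does
    ### not appear on the command line.
    Echo_message "Creating GPG binary signature of ${CHECKSUMS} ..."
    gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
      --detach-sign --output "${CHECKSUMS}.sig" "${CHECKSUMS}"
    Echo_message "Creating GPG binary signature of ${CHECKSUMS} done."

    ### Verify the fresh signature against the given keyring only; a non-zero exit from gpgv
    ### aborts the build via 'set -e'.
    Echo_message "Verifying GPG binary signature of ${CHECKSUMS} ..."
    gpgv --keyring "${VAR_VERIFY_KEYRING}" "${CHECKSUMS}.sig" "${CHECKSUMS}"
    Echo_message "Verifying GPG binary signature of ${CHECKSUMS} done."

  fi

  ### The here-document delimiter is unquoted on purpose: the variables in the text are expanded.
  Echo_message "Creating '${CHECKSUM}sum.README' ..."
  cat << EOF >| "${CHECKSUM}sum.README"
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

The file ${CHECKSUMS} contains the ${CHECKSUM} checksums of all files on this medium.
You can verify them automatically with the 'verify-checksums' boot parameter, or, manually with: ${CHECKSUM}sum -c ${CHECKSUMS}

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
EOF
  Echo_message "Creating '${CHECKSUM}sum.README' done."

  cd "${OLDPWD}"

done

### File list.
### Every path under 'binary/' (directories included), with the leading '.' stripped so each
### entry starts with '/'; the grep drops the entry for '.' itself, which becomes empty.
cd binary
# shellcheck disable=SC2312
find . | sed -e 's|^.||g' | grep "^/" | LC_ALL=C sort > ../"${LB_IMAGE_NAME}-${LB_ARCHITECTURE}.contents"
cd "${OLDPWD}"

### Creating a stage file.
Create_stagefile

printf "\033[92m[INFO] CDLB modified: [/usr/lib/live/build/binary_checksums] done. \n\033[0m"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh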