Diffstat (limited to 'build-aux')
-rwxr-xr-xbuild-aux/getswdb.sh122
-rw-r--r--build-aux/speedo.mk17
-rw-r--r--build-aux/speedo/w32/wixlib.wxs5
3 files changed, 132 insertions, 12 deletions
diff --git a/build-aux/getswdb.sh b/build-aux/getswdb.sh
index 7d4b31eef..0b97f0de5 100755
--- a/build-aux/getswdb.sh
+++ b/build-aux/getswdb.sh
@@ -28,15 +28,24 @@ cvtver () {
usage()
{
cat <<EOF
-Usage: $(basename $0) [OPTIONS]
+Usage: $(basename $0) [OPTIONS] [packages]
Get the online version of the GnuPG software version database
+and optionally download packages and verify their signatures.
+
Options:
+ --info Print only infos about packages
--skip-download Assume download has already been done.
--skip-verify Do not check signatures
--skip-selfcheck Do not check GnuPG version
+ (default if not used in the GnuPG tree)
--find-sha1sum Print the name of the sha1sum utility
--find-sha256sum Print the name of the sha256sum utility
--help Print this help.
+
+Example:
+
+ getswdb.sh gnupg24 gpgme libksba libassuan
+
EOF
exit $1
}
@@ -49,6 +58,9 @@ skip_verify=no
skip_selfcheck=no
find_sha1sum=no
find_sha256sum=no
+info_mode=no
+packages=
+die=no
while test $# -gt 0; do
case "$1" in
# Set up `optarg'.
@@ -79,13 +91,20 @@ while test $# -gt 0; do
--find-sha256sum)
find_sha256sum=yes
;;
- *)
+ --info)
+ info_mode=yes
+ ;;
+ --*)
usage 1 1>&2
;;
+ *)
+ packages="$packages $1"
+ ;;
esac
shift
done
+
# Mac OSX has only a shasum and not sha1sum
if [ ${find_sha1sum} = yes ]; then
for i in sha1sum shasum ; do
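Review bot: The new `*)` arm appends every non-option argument to `packages` unchecked, and the loop added at the end of the file word-splits that string and splices each name into awk program text. A name containing a quote, whitespace or a glob character would therefore alter the awk program or the word list instead of simply failing the lookup. Rejecting such names at parse time keeps the later code simple, for example an arm `*[!A-Za-z0-9_.-]*) echo "invalid package name '$1'" >&2; exit 1 ;;` placed between `--*)` and `*)`. The enclosing `while` loop starts outside this hunk.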
@@ -114,16 +133,37 @@ if [ ${find_sha256sum} = yes ]; then
fi
+if [ $skip_verify = no ]; then
+ if [ ! -f "$distsigkey" ]; then
+ distsigkey="/usr/local/share/gnupg/distsigkey.gpg"
+ if [ ! -f "$distsigkey" ]; then
+ distsigkey="/usr/share/gnupg/distsigkey.gpg"
+ if [ ! -f "$distsigkey" ]; then
+ echo "no keyring with release keys found!" >&2
+ exit 1
+ fi
+ fi
+ echo "using release keys from $distsigkey" >&2
+ skip_selfcheck=yes
+ fi
+fi
+
+
# Get GnuPG version from VERSION file. For a GIT checkout this means
# that ./autogen.sh must have been run first. For a regular tarball
# VERSION is always available.
-if [ ! -f "$srcdir/../VERSION" ]; then
+if [ $skip_selfcheck = no ]; then
+ if [ ! -f "$srcdir/../VERSION" ]; then
echo "VERSION file missing - run autogen.sh first." >&2
exit 1
+ fi
+ version=$(cat "$srcdir/../VERSION")
+else
+ version="0.0.0"
fi
-version=$(cat "$srcdir/../VERSION")
version_num=$(echo "$version" | cvtver)
+
if [ $skip_verify = no ]; then
if ! $GPGV --version >/dev/null 2>/dev/null ; then
echo "command \"gpgv\" is not installed" >&2
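Review bot: The keyring fallback added at the top of this hunk has no comment saying that the file it selects becomes the trust anchor for every later `$GPGV --keyring "$distsigkey"` call, or that choosing an installed copy also disables the version self-check (`skip_selfcheck=yes`, then `version="0.0.0"`). A short comment above the outer `if` would make both effects explicit, for example `# Fall back to an installed distsigkey.gpg; it then decides which signatures are accepted` and `# and the GnuPG version self-check is skipped.` The initial value of `distsigkey` is set outside this hunk, so whether it can come from the environment is not visible here.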
@@ -164,10 +204,10 @@ else
fi
fi
if [ $skip_verify = no ]; then
- if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then
+ if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst 2>/dev/null; then
echo "list of software versions is not valid!" >&2
exit 1
- fi
+ fi
fi
#
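Review bot: Adding `2>/dev/null` to the `$GPGV` call discards gpgv's own diagnostics, so a failed check prints only "list of software versions is not valid!" and gives no way to tell a bad signature from a missing or expired key. The exit status is still tested, so the verification itself is unchanged, but keeping the output for the failure path helps whoever has to investigate: `if ! gpgv_out=$($GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst 2>&1); then echo "$gpgv_out" >&2`. The same redirection is used on the `$GPGV -q` call inside `download_pkg` in the last hunk of this file.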
@@ -188,3 +228,73 @@ if [ $skip_selfcheck = no ]; then
exit 1
fi
fi
+
+
+# Download a package and check its signature.
+download_pkg () {
+ local url="$1"
+ local file="${url##*/}"
+
+ if ! $WGET -q -O - "$url" >"${file}.tmp" ; then
+ echo "download of $file failed." >&2
+ [ -f "${file}.tmp" ] && rm "${file}.tmp"
+ return 1
+ fi
+ if [ $skip_verify = no ]; then
+ if ! $WGET -q -O - "${url}.sig" >"${file}.tmpsig" ; then
+ echo "download of $file.sig failed." >&2
+ [ -f "${file}.tmpsig" ] && rm "${file}.tmpsig"
+ return 1
+ fi
+ if ! $GPGV -q --keyring "$distsigkey" \
+ "${file}.tmpsig" "${file}.tmp" 2>/dev/null; then
+ echo "signature of $file is not valid!" >&2
+ return 1
+ fi
+ mv "${file}.tmpsig" "${file}.sig"
+ else
+ [ -f "${file}.sig" ] && rm "${file}.sig"
+ fi
+ mv "${file}.tmp" "${file}"
+ return 0
+}
+
+
+
+baseurl=$(awk '$1=="gpgorg_base" {print $2; exit 0}' swdb.lst)
+for p in $packages; do
+ pver=$(awk '$1=="'"$p"'_ver" {print $2}' swdb.lst)
+ if [ -z "$pver" ]; then
+ echo "package '$p' not found" >&2
+ die=yes
+ else
+ pdir=$(awk '$1=="'"$p"'_dir" {print $2":"$3":"$4}' swdb.lst)
+ if [ -n "$pdir" ]; then
+ psuf=$(echo "$pdir" | cut -d: -f3)
+ pname=$(echo "$pdir" | cut -d: -f2)
+ pdir=$(echo "$pdir" | cut -d: -f1)
+ else
+ psuf=
+ pdir="$p"
+ pname="$p"
+ fi
+ if [ -z "$psuf" ]; then
+ psuf=$(awk 'BEGIN {suf="bz2"};
+ $1=="'"$p"'_sha1_gz" {suf="gz"; exit 0};
+ $1=="'"$p"'_sha1_xz" {suf"xz"; exit 0};
+ END {print suf}' swdb.lst)
+ fi
+ pfullname="$pname-$pver.tar.$psuf"
+ if [ $info_mode = yes ]; then
+ echo "$baseurl/$pdir/$pfullname"
+ else
+ echo "downloading $pfullname"
+ download_pkg "$baseurl/$pdir/$pfullname" || die=yes
+ fi
+ fi
+done
+if [ $die = yes ]; then
+ echo "errors found!" >&2
+ exit 1
+fi
+exit 0
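Review bot: In the suffix lookup the xz rule reads `{suf"xz"; exit 0}`, which awk evaluates as a string concatenation rather than an assignment, so `suf` stays "bz2" and a package whose matching entry is `_sha1_xz` gets a `.tar.bz2` URL; the rule should be `$1=="'"$p"'_sha1_xz" {suf="xz"; exit 0};`. Separately, `download_pkg` returns after a failed signature check or a failed `.sig` download without removing `${file}.tmp` / `${file}.tmpsig`, leaving unverified data in the working directory; `rm -f "${file}.tmp" "${file}.tmpsig"` before those `return 1` lines would clean that up. The three awk calls also build program text from `$p`; passing the key as data, `awk -v key="${p}_ver" '$1==key {print $2}' swdb.lst`, avoids that. `local` is not part of POSIX sh, so the function relies on the script's shell supporting it (the shebang is outside the diff).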
diff --git a/build-aux/speedo.mk b/build-aux/speedo.mk
index 477873f60..8946c764c 100644
--- a/build-aux/speedo.mk
+++ b/build-aux/speedo.mk
@@ -51,10 +51,13 @@
# # This is greped by the Makefile.
# RELEASE_ARCHIVE=foo@somehost:tarball-archive
#
-# # The key used to sign the released sources.
+# # The key used to sign the GnuPG sources.
# # This is greped by the Makefile.
# RELEASE_SIGNKEY=6DAA6E64A76D2840571B4902528897B826403ADA
#
+# # The key used to sign the VERSION files of some MSI installers.
+# VERSION_SIGNKEY=02F38DFF731FF97CB039A1DA549E695E905BA208
+#
# # For signing Windows binaries we need to employ a Windows machine.
# # We connect to this machine via ssh and take the connection
# # parameters via .ssh/config. For example a VM could be specified
@@ -74,6 +77,9 @@
# # This is greped by the Makefile.
# AUTHENTICODE_TOOL="C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"
#
+# # The URL for the timestamping service
+# AUTHENTICODE_TSURL=http://rfc3161timestamp.globalsign.com/advanced
+#
# # To use osslsigncode the follwing entries are required and
# # an empty string must be given for AUTHENTICODE_SIGNHOST.
# # They are greped by the Makefile.
@@ -238,10 +244,11 @@ PATCHELF := $(shell patchelf --version 2>/dev/null >/dev/null || echo "echo plea
# Read signing information from ~/.gnupg-autogen.rc
define READ_AUTOGEN_template
-$(1) = $$(shell grep '^$(1)=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2)
+$(1) = $$(shell grep '^[[:blank:]]*$(1)[[:blank:]]*=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs)
endef
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_SIGNHOST))
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TOOL))
+$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TSURL))
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_KEY))
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_CERTS))
$(eval $(call READ_AUTOGEN_template,OSSLSIGNCODE))
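Review bot: The new pipeline ends in a bare `xargs`, which does more than trim blanks: it applies its own quote and backslash processing and joins several matching lines into one, so a value like the documented `AUTHENTICODE_TOOL="C:\Program Files (x86)\...\signtool.exe"` now reaches the recipes with its double quotes removed. `cut -d= -f2` also still truncates any value that itself contains `=`, which matters more now that a URL (`AUTHENTICODE_TSURL`) is read through this template. A `sed` that strips only the key and the blanks around `=`, e.g. `sed -n 's/^[[:blank:]]*$(1)[[:blank:]]*=[[:blank:]]*//p'`, would leave the value intact. Whether the existing `'$(AUTHENTICODE_TOOL)'` quoting on the ssh command line still works for a path with spaces once the inner quotes are gone should be checked.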
@@ -1350,7 +1357,7 @@ define AUTHENTICODE_sign
scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\
ssh "$(AUTHENTICODE_SIGNHOST)" '$(AUTHENTICODE_TOOL)' sign \
/a /n '"g10 Code GmbH"' \
- /tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \
+ /tr '$(AUTHENTICODE_TSURL)' /td sha256 \
/fd sha256 /du https://gnupg.org a.exe ;\
scp "$(AUTHENTICODE_SIGNHOST):a.exe" $(2);\
echo "speedo: signed file is '$(2)'" ;\
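Review bot: With the timestamp URL now taken from `$(AUTHENTICODE_TSURL)`, a `~/.gnupg-autogen.rc` that lacks the new entry yields an empty value, and nothing visible in this hunk guards against it: signtool is called with `/tr ''`, and in the next hunk the unquoted `-ts $(AUTHENTICODE_TSURL)` would make osslsigncode take `-in` as the URL. If a tool carries on without a timestamp, the resulting signature stops validating once the signing certificate expires. A guard at the start of the recipe, such as `[ -n "$(AUTHENTICODE_TSURL)" ] || { echo "speedo: AUTHENTICODE_TSURL not set" >&2; exit 1; } ;\`, would fail early instead. The `AUTHENTICODE_sign` define starts and ends outside these hunks.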
@@ -1361,13 +1368,13 @@ define AUTHENTICODE_sign
-pkcs11module $(SCUTEMODULE) \
-certs $(AUTHENTICODE_CERTS) \
-h sha256 -n GnuPG -i https://gnupg.org \
- -ts http://rfc3161timestamp.globalsign.com/advanced \
+ -ts $(AUTHENTICODE_TSURL) \
-in $(1) -out $(2).tmp ; mv $(2).tmp $(2) ; \
elif [ -e "$(AUTHENTICODE_KEY)" ]; then \
echo "speedo: Signing using key $(AUTHENTICODE_KEY)";\
osslsigncode sign -certs $(AUTHENTICODE_CERTS) \
-pkcs12 $(AUTHENTICODE_KEY) -askpass \
- -ts "http://timestamp.globalsign.com/scripts/timstamp.dll" \
+ -ts "$(AUTHENTICODE_TSURL)" \
-h sha256 -n GnuPG -i https://gnupg.org \
-in $(1) -out $(2) ;\
else \
diff --git a/build-aux/speedo/w32/wixlib.wxs b/build-aux/speedo/w32/wixlib.wxs
index 02568fe2f..e11455813 100644
--- a/build-aux/speedo/w32/wixlib.wxs
+++ b/build-aux/speedo/w32/wixlib.wxs
@@ -61,9 +61,12 @@ and then manually edited:
<Component Id="cmp74961776CCC7B203F500FE261DC12F92" Directory="dirAA72FFDDFA224FB221D53750596B0142" Guid="FBA2569C-554D-4C06-88FC-0FD6541B5B4B">
<File Id="filB82A767EB9971018C006215A9FDE77EF" KeyPath="yes" Source="$(var.SourceDir)\bin\gpg-connect-agent.exe"/>
</Component>
- <Component Id="cmp74961776CCC7B203F500FE261DC12F94" Directory="dirAA72FFDDFA224FB221D53750596B0144" Guid="FBA2569C-554D-4C06-88FC-0FD6541B5B4C">
+ <Component Id="cmp74961776CCC7B203F500FE261DC12F94" Directory="dirAA72FFDDFA224FB221D53750596B0142" Guid="FBA2569C-554D-4C06-88FC-0FD6541B5B4C">
<File Id="filB82A767EB9971018C006215A9FDE77F1" KeyPath="yes" Source="$(var.SourceDir)\bin\gpg-card.exe"/>
</Component>
+ <Component Id="cmp74961776CCC7B203F500FE261DC12F95" Directory="dirAA72FFDDFA224FB221D53750596B0142" Guid="3134BF55-46AF-4B76-A535-DC1EDDB0DBFD">
+ <File Id="filB82A767EB9971018C006215A9FDE77F2" KeyPath="yes" Source="$(var.SourceDir)\libexec\keyboxd.exe"/>
+ </Component>
<Component Id="cmp6C1FB70721B208E33DB24296B93AB93F" Directory="dirAA72FFDDFA224FB221D53750596B0142" Guid="FE29D2AA-3151-4421-B8C0-355F69F267A1">
<File Id="fil563D2C0464DCE7ECADE6E15C0FC65821" KeyPath="yes" Source="$(var.SourceDir)\libexec\gpg-preset-passphrase.exe"/>
</Component>