#!/usr/bin/perl

# Some source packages come unsigned. This wouldn't be a problem if it didn't
# cause reprepro to emit messages like 'Data seems not to be signed trying to
# use directly...', which may be confusing when you think that they relate to
# a changes file.
# Play with the -d option of dpkg-buildpackage to either show unmet build deps
# and fail, or to hide them and try to ignore them.
use strict;

# Kill switch: the script is retired in favour of
# sign-unsigned-dsc-and-changes. The file is still compiled in full (the `use`
# lines below are processed at compile time), but execution stops here, so no
# run-time statement after this line is ever reached.
die q{dont use me, use sign-unsigned-dsc-and-changes instead};

use IO::File;
use File::Basename;
use Symbol qw(gensym);

# --- configuration ----------------------------------------------------------
# The values below are handed to external commands (gpg, dpkg-source,
# dpkg-buildpackage, dupload) further down, so keep them free of whitespace
# and shell metacharacters.

# Working directory in which source packages are unpacked and rebuilt.
my $build_dir = '/home/apt/build';

# Key id given to dpkg-buildpackage via -k; the rebuilt packages are signed
# with this key.
my $sign_with = 'me@debrep.vbox.hurz.is.schlittermann.de';

# .changes files whose source package (.dsc) is expected to be unsigned.
my @unsigned = (
  '/home/apt/incoming/nagios-client-check_1.4.5-1_i386.changes',
  '/home/apt/incoming/freeradius_1.0.0+cvs20040609-0.hs_i386.changes',
);

# Signature check command. NOTE(review): `gpg --verify` exits 0 for a good
# signature from any key in the keyring; it does not tie the signature to
# $sign_with.
my $vc = 'gpg --verify';

# Clearsign command; not referenced by the code visible in this file.
my $cc = 'gpg --clearsign';

# --- prepare the build directory --------------------------------------------
# mkdir is called without an explicit mode, so the permissions of a freshly
# created directory depend on the umask of the calling user.
unless (-d $build_dir) {
  mkdir $build_dir or die "Can't mkdir [$build_dir]: $!";
}
chdir $build_dir or die "Can't chdir [$build_dir]: $!";

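# Rebuild, sign and re-upload every source package listed in @unsigned whose
# .dsc does not verify. Each step that fails now skips the package instead of
# carrying on in the wrong directory or uploading after a failed build.

# Architecture of the build host; looked up on first use and then reused.
my $host_arch;

CHANGES:
for my $cf (@unsigned) {

  # The file name is handed to external commands below (the gpg call goes
  # through the shell), so accept only names built from characters that
  # neither the shell nor option parsing can misread, and no path component
  # that starts with a dash.
  unless ($cf =~ m{\A[\w.+~:=,\@%/-]+\z} and $cf !~ m{(?:\A|/)-}) {
    warn "skipping [$cf]: unexpected characters in file name\n";
    next CHANGES;
  }

  # <pkg>_<version>_<arch>.changes  ->  <pkg>_<version>.dsc
  my $sf = $cf;
  unless ($sf =~ s/_[0-9a-z]+\.changes$/.dsc/) {
    warn "skipping [$cf]: cannot derive the .dsc name\n";
    next CHANGES;
  }

  # we assume that the dsc has been successfully rebuilt when its signature can
  # be verified
  # NOTE(review): exit status 0 only says that some key in the keyring made a
  # good signature; it is not checked that the key is $sign_with. A missing
  # gpg binary also yields a non-zero status and therefore triggers a rebuild.
  qx/$vc $sf 2>&1/;
  next CHANGES unless $?;

  print "Attempting to rebuild unsigned [$sf] ... ";

  # Split the name into package, upstream version and architecture. The
  # Debian revision is matched but not needed: dpkg-source unpacks into
  # <package>-<upstream version>.
  my ($p, $v, $arch) =
    ($cf =~ m{\A(?:.+/)?(.+)_([^-]+)(?:-.+)?_(.+)\.changes\z});
  unless (defined $arch) {
    warn "skipping [$cf]: not a <package>_<version>_<arch>.changes name\n";
    next CHANGES;
  }

  unless (defined $host_arch) {
    $host_arch = qx/dpkg --print-architecture/;
    chomp $host_arch;
  }
  unless ($arch eq $host_arch) {
    warn "skipping foreign arch [$arch]\n";
    next CHANGES;
  }

  # List-form system() runs the command without a shell. A failed extraction
  # (for instance a leftover tree from an earlier run) must not be followed by
  # patching and building whatever happens to be in the current directory.
  unless (system('dpkg-source', '-x', $sf) == 0) {
    warn "[dpkg-source -x $sf] failed: $?\n";
    next CHANGES;
  }
  unless (chdir "$p-$v") {
    warn "Can't chdir [$p-$v]: $!\n";
    next CHANGES;
  }

  apply_patches($sf);

  # -d: build without checking build dependencies; -k: key to sign with.
  my @build = ('dpkg-buildpackage', '-d', "-k$sign_with", '-rfakeroot');
  my $built = system(@build) == 0;
  warn "[@build] failed: $?\n" unless $built;

  # Every later step assumes the build directory as cwd, so stop altogether
  # if it cannot be restored.
  unless (chdir "..") {
    warn "Can't chdir [..]: $!\n";
    last CHANGES;
  }

  # Nothing trustworthy to upload after a failed build.
  next CHANGES unless $built;

  my $changes = basename($cf);
  (my $uf = $changes) =~ s/\.changes$/.upload/;
  if (-e $uf) {
    unlink $uf or warn "Can't unlink [$uf]: $!\n";
  }
  system('dupload', $changes) == 0 or warn "[dupload $changes] failed: $?\n";

  print "finished\n";
}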

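# apply_patches($dsc_path)
#
# Applies the local source patch that belongs to the given .dsc, if there is
# one. Must be called with the unpacked source tree as current directory,
# because patch runs with -p0 and the paths in the patch are relative.
# Returns nothing; problems are reported with warn.
#
# Only the freeradius 1.0.0+cvs20040609-0.hs source has a patch. Its two hunks
# remove the `goto good_state` fast path in x99_rlm.c and wrap the state
# verification in `if (user_info.card_id & X99_CF_AM) { ... }` instead.
# NOTE(review): judging by the hunks alone, verification is still skipped for
# cards without X99_CF_AM, so authentication behaviour looks unchanged; the
# lines between the two hunks are not visible here - confirm against the
# upstream file. The rebuilt and signed package differs from the upstream
# source by this patch.
sub apply_patches($) {

  my ($f) = @_;

  return unless $f eq "/home/apt/incoming/freeradius_1.0.0+cvs20040609-0.hs.dsc";

  # Three-argument, list-form pipe open: no shell, no mode parsing.
  my @cmd = ('patch', '-p0');
  my $ch;
  unless (open $ch, '|-', @cmd) {
    # Without a running patch there is nothing to write to.
    warn "Can't run [@cmd]: $!\n";
    return;
  }

  # Non-interpolating heredoc: the patch text is sent exactly as written.
  print {$ch} <<'EOP';
--- src/modules/rlm_x99_token/x99_rlm.c.orig	2004-02-26 20:04:37.000000000 +0100
+++ src/modules/rlm_x99_token/x99_rlm.c	2009-06-15 11:12:48.000000000 +0200
@@ -516,9 +516,7 @@
 		return RLM_MODULE_INVALID;
 	    }
 
-	    /* Fast path if we didn't protect the state. */
-	    if (!(user_info.card_id & X99_CF_AM))
-		goto good_state;
+	    if (user_info.card_id & X99_CF_AM) {
 
 	    /* Verify the state. */
 	    (void) memset(challenge, 0, sizeof(challenge));
@@ -544,8 +542,8 @@
 			"auth: bad state for [%s]: expired", username);
 		return RLM_MODULE_REJECT;
 	    }
-good_state:
-	    /* State is good! */
+
+      }
 
 	} else {
 	    /* This should only happen if the authorize code didn't run. */
EOP

  # close() on a pipe also fails when patch exits non-zero; $! is 0 in that
  # case and the wait status is in $?.
  unless (close $ch) {
    warn $! ? "Can't close [@cmd]: $!\n" : "[@cmd] exited with status $?\n";
  }

  return;
}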
