ansible/roles/common/files/gpg_import_url_key.sh

#!/usr/bin/env sh

# Usage: <url> <fpr> <keyring>

set -euf;

return_code=0;
readonly keyfile="$(mktemp --dry-run)";

mkdir --parents ~/.gnupg;
chmod "u=rwx,g=,o=" ~/.gnupg;

/usr/bin/wget --quiet --output-document="$keyfile" -- "$1";
/usr/bin/gpg2 --dry-run --quiet --debug-level 0 --import-options import-show --with-colons --import "$keyfile" | awk -F: '$1 == "fpr" { print $10 }' | head --lines=1 | grep --fixed-strings "$2" > /dev/null;
readonly return_text="$(/usr/bin/gpg2 --no-default-keyring --keyring "$3" --import "$keyfile" 2>&1)";
if echo "$return_text" | grep --basic-regexp ' not changed$' > /dev/null; then
  return_code=2;
fi
rm "$keyfile";
exit $return_code;