From 88087f04a8c8185b47b317cfbd36c2f2ca0c9b8f Mon Sep 17 00:00:00 2001
From: Jeffery To
Date: Thu, 18 Jul 2019 00:52:27 +0800
Subject: [PATCH] added support for usign signatures
---
 Changelog.md | 8 +++++++-
 builder/Dockerfile | 2 +-
 builder/docker-run.sh | 24 ++++++++++++++++++++++--
 3 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index de70d40..f457097 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,4 +1,10 @@
 # Changelog
-## 0.1.0 (2019-06-05)
+## [0.1.1] - 2019-07-18
+* Added support for usign signatures
+
+## 0.1.0 - 2019-06-05
 * Initial release
+
+
+[0.1.1]: https://github.com/jefferyto/openwrt-vivarium/compare/0.1.0...0.1.1
diff --git a/builder/Dockerfile b/builder/Dockerfile
index ed49a0f..2dc7bd8 100644
--- a/builder/Dockerfile
+++ b/builder/Dockerfile
@@ -18,7 +18,7 @@
 # along with Vivarium. If not, see .
 #
-FROM docker.io/openwrtorg/packages-cci:v1.0.2
+FROM docker.io/openwrtorg/packages-cci:v1.0.3
 ARG SDK_HOST
 ARG SDK_PATH
diff --git a/builder/docker-run.sh b/builder/docker-run.sh
index 03af374..06f3a9a 100644
--- a/builder/docker-run.sh
+++ b/builder/docker-run.sh
@@ -34,8 +34,28 @@ if [ -z "$(find / -mindepth 1 -maxdepth 1 -name "$SDK_FILE" -print -quit)" ]; th
 # From https://github.com/openwrt/packages/blob/master/.circleci/config.yml
 curl "https://$SDK_HOST/$SDK_PATH/sha256sums" -sS -o sha256sums
- curl "https://$SDK_HOST/$SDK_PATH/sha256sums.asc" -sS -o sha256sums.asc
- gpg --with-fingerprint --verify sha256sums.asc sha256sums
+ curl "https://$SDK_HOST/$SDK_PATH/sha256sums.asc" -fs -o sha256sums.asc || true
+ curl "https://$SDK_HOST/$SDK_PATH/sha256sums.sig" -fs -o sha256sums.sig || true
+ if [ ! -f sha256sums.asc ] && [ ! -f sha256sums.sig ]; then
+ echo "Missing sha256sums signature files"
+ exit 1
+ fi
+ [ ! -f sha256sums.asc ] || gpg --with-fingerprint --verify sha256sums.asc sha256sums
+ if [ -f sha256sums.sig ]; then
+ VERIFIED=
+ for KEY in ../usign/*; do
+ echo "Trying $KEY..."
+ if signify-openbsd -V -q -p "$KEY" -x sha256sums.sig -m sha256sums; then
+ echo "...verified"
+ VERIFIED=1
+ break
+ fi
+ done
+ if [ -z "$VERIFIED" ]; then
+ echo "Could not verify usign signature"
+ exit 1
+ fi
+ fi
 rsync -av "$SDK_HOST::downloads/$SDK_PATH/$SDK_FILE" .
 sha256sum -c --ignore-missing sha256sums
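Review bot: The gpg check on the added `[ ! -f sha256sums.asc ] || gpg --with-fingerprint --verify sha256sums.asc sha256sums` line stops the build only if errexit (`set -e`) is in effect, which this hunk does not show, whereas the usign branch right below it fails closed with its own `exit 1`. I would make the gpg branch explicit in the same way, e.g. `if [ -f sha256sums.asc ] && ! gpg --with-fingerprint --verify sha256sums.asc sha256sums; then echo "Could not verify gpg signature" >&2; exit 1; fi`, so a bad signature cannot be skipped if the shell options change. Since either signature alone is now enough and any key matched by `../usign/*` is accepted, the effective trust set looks like the union of the gpg keyring and that directory, and the server decides which check runs by which file it serves; a comment such as `# either a gpg (.asc) or a usign (.sig) signature is sufficient; keep ../usign/ limited to current release keys` would record that policy. The two `curl ... -fs ... || true` calls also hide transport errors, so a TLS or DNS failure ends up reported as "Missing sha256sums signature files". The enclosing `if [ -z "$(find ...` block starts and ends outside this hunk.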