Implement signature verification in update-profile script.

home/bin/update-profile

@@ -6,10 +6,41 @@ if [ ! -d ~/.local/profile-git ]; then
 fi
 
 (
-cd ~/.local/profile-git
-git pull
-cd packages
-./packages.sh
-cd ..
-./install.sh
+
+	cd ~/.local/profile-git
+	echo "Fetching updates for profile..."
+	git fetch
+
+	# Synchronizing valid GPG keys
+	export GNUPGHOME="$HOME/.local/profile-data/gnupg"
+	mkdir -p "${GNUPGHOME}"
+	gpg --fingerprint
+	gpg --recv-keys \
+		B5108C5A158A6608AD3361DA1573F6D8EFE4D0CF \
+		04ADEF85EA6AEC6F75941E84468BBEEBB9EC6AEA
+
+	echo "Validating updates..."
+	git rev-list --format=oneline origin..HEAD | while IFS= read -r line; do
+		sha="$(echo "$line" | awk '{print $1}')"
+		title="$(echo "$line" | cut -f 1 -d ' ' --complement)"
+		printf "  … $title\r  "
+		if ! git verify-commit "$sha" >/dev/null 2>&1; then
+			echo  "✘"
+			echo "Found incorrectly signed commit, NOT applying. Contact the maintainer on the issue tracker."
+			exit 1
+		fi
+		echo "✔"
+	done
+
+	echo "All commits passed, now applying updates..."
+	git rebase master
+
+	echo "Running package installation..."
+	cd packages
+	./packages.sh
+
+	echo "Running profile installation..."
+	cd ..
+	./install.sh
+
 )