profile/home/bin/update-profile


#!/bin/sh -e
# Report whether two files differ, judged by their SHA-1 digests.
# This is change detection between two local files only; authenticity of
# fetched commits is checked separately with git verify-commit.
# Globals:   oldfilehash, newfilehash (written)
# Arguments: $1 - first file, $2 - second file
# Returns:   0 when the digests differ, 1 when they are equal
file_changed() {
  oldfilehash=$(sha1sum "$1" | cut -d ' ' -f 1)
  newfilehash=$(sha1sum "$2" | cut -d ' ' -f 1)
  if [ "${oldfilehash}" = "${newfilehash}" ]; then
    return 1
  fi
  return 0
}
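# The -e in the shebang is dropped when the script is started as
# `sh update-profile`, so enable it explicitly: a failed clone must stop the
# run instead of falling through to the update steps.
set -e

# First run: fetch the profile repository.
# The test looks for the repository metadata rather than the bare directory,
# so a directory left empty by an interrupted clone is cloned into again
# instead of being treated as a working checkout.
# NOTE(review): this initial clone is trust-on-first-use. The signature check
# later in this script only covers HEAD..origin, which is empty right after
# cloning, so the history of the first checkout is not verified before
# packages.sh and install.sh are run from it.
if [ ! -e ~/.local/profile-git/.git ]; then
  mkdir -p ~/.local/profile-git
  git clone --recursive https://git.icedream.tech/icedream/profile.git ~/.local/profile-git
fi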
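# The -e in the shebang is dropped when the script is started as
# `sh update-profile`. Enable it explicitly so that every failing step below
# (fetch, key retrieval, rebase, install) aborts the update.
set -e

# Fetch, verify and apply profile updates from inside the checkout. The
# subshell keeps the directory changes and GNUPGHOME away from the final
# cleanup step.
(
  cd ~/.local/profile-git

  # _CHECKOUT_DONE=1 is exported right before re-executing the checkout's copy
  # of this script, so the second run skips the fetch and the verification the
  # first run already did. Setting it by hand skips the signature check.
  if [ "${_CHECKOUT_DONE:-0}" -lt 1 ]; then
    echo "Fetching updates for profile..."
    git fetch -p

    # Synchronizing valid GPG keys
    echo "Preparing for update verification..."
    export GNUPGHOME="$HOME/.local/profile-data/gnupg"
    mkdir -p "${GNUPGHOME}"
    chmod 700 "${GNUPGHOME}"
    gpg --fingerprint
    gpg --recv-keys \
      B5108C5A158A6608AD3361DA1573F6D8EFE4D0CF \
      04ADEF85EA6AEC6F75941E84468BBEEBB9EC6AEA
    # NOTE(review): nothing visible here pins the signer to the two
    # fingerprints above; git verify-commit should accept a good signature
    # from any key present in this keyring. Confirm the keyring holds only
    # these keys, or compare the signer fingerprint explicitly.

    echo "Verifying updates..."
    # Collect the incoming commits first so that a failing rev-list is not
    # mistaken for "nothing to verify".
    pending="$(git rev-list --format=oneline HEAD..origin)" || {
      echo "Could not list incoming commits, NOT applying." >&2
      exit 1
    }
    # The loop reads from a here-document rather than a pipe, so it runs in
    # this shell and `exit 1` stops the update even without -e.
    while IFS= read -r line; do
      [ -n "$line" ] || continue
      sha="${line%% *}"
      title="${line#* }"
      # The title comes from a commit that is not verified yet: drop control
      # characters and never use it as the printf format string.
      safe_title="$(printf '%s' "$title" | LC_ALL=C tr -d '\000-\037\177')"
      printf '%s\r ' "$safe_title"
      if ! git verify-commit "$sha" >/dev/null 2>&1; then
        echo "✘"
        echo "Found incorrectly signed commit, NOT applying. Contact the maintainer on the issue tracker."
        exit 1
      fi
      echo "✔"
    done <<EOF
$pending
EOF

    if file_changed "${HOME}/bin/update-profile" "home/bin/update-profile"; then
      # Hand over to the update script in the checkout. exec replaces this
      # process, so nothing more is read from the installed copy, which the
      # install step below moves aside and the final cleanup deletes.
      # NOTE(review): git rebase has not run yet at this point, so this is the
      # copy from the current checkout, not from the commits just fetched.
      echo "Using newer profile update script."
      export _CHECKOUT_DONE=1
      exec home/bin/update-profile
    fi
  fi

  echo "All commits passed, now applying updates..."
  # NOTE(review): only superproject commits are verified above; the clone is
  # recursive, but this script does not check submodule contents.
  git rebase origin

  echo "Running package installation..."
  cd packages
  ./packages.sh

  echo "Running profile installation..."
  cd ..
  # Move the running script out of the way before install.sh replaces it.
  if [ -f "${HOME}/bin/update-profile" ]; then
    mv "${HOME}/bin/update-profile" "${HOME}/bin/update-profile.old"
  fi
  ./install.sh
)

# Remove the copy that was moved aside during installation.
rm -f "${HOME}/bin/update-profile.old"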