#!/bin/sh

gpg_set_ultimate_trust()
{
	  local keygrip
    keygrip=$(gpg  -K --with-colons --with-fingerprint --with-fingerprint|sed -ne '/^sec/{n;p;q}'|cut -d: -f10)
    printf '%s:6:\n' "$keygrip" | gpg2 --import-ownertrust
}

add()
{
    kiki merge \
        --flow=sync \
        --home${2:+="$2"} \
        --create=rsa:4096 \
        --flow=spill,match="$1" \
        --type=pem \
        --access=secret \
        nil
}

init()
{
    local root="$1"

    if [ "$root" ]; then
        mkdir -m0600 -p "$root"/root/.gnupg
    fi

    kiki init   ${root:+--chroot "$root"}
    add encrypt ${root:+"$root/root/.gnupg"}
    add sign    ${root:+"$root/root/.gnupg"}

    (
        [ "$root" ] && export GNUPGHOME="$root/root/.gnupg/"
        gpg_set_ultimate_trust
    )
}

sync()
{
    local home1="$1"/root/.gnupg home2="$2"/root/.gnupg
    kiki sync-public \
        --homedir "$home1" \
        --passphrase-fd=0 \
        --import-if-authentic \
        --autosign \
        --keyrings "$home2"/pubring.gpg
    kiki sync-secret \
        --homedir "$home1" \
        --autosign --import
}

doublecheck()
{
    local o='--ignore-time-conflict'
    gpg2 $o --clearsign </dev/null | gpg2 $o --homedir "$1"/root/.gnupg --verify
    gpg2 $o --clearsign --homedir "$1"/root/.gnupg </dev/null | gpg2 $o --verify
}

silent()
{
    case "$-" in
        *x*) return ;;
    esac
    SILENT=y
    exec 3>&1 4>&2
    exec >/dev/null 2>&1
}

noisy()
{
    if [ "$SILENT" ]; then
        exec >&3 2>&1
    fi
}

new_child()
{
    local root="$1"
    init "$root"

    sync "$root" ''
    sync '' "$root"

    gpg2 --check-trustdb
    gpg2 --check-trustdb --homedir "$root"/root/.gnupg

    doublecheck "$root"
}


child_dir=$1

set -e

[ "$(id -u)" = 0 ]
[ "$child_dir" ]
[ ! -d "$child_dir" ]

mkdir "$child_dir"
trap -- 'umount "$child_dir"; rmdir "$child_dir"' EXIT
mount -t tmpfs -o mode=0700 tmpfs "$child_dir"

silent
init
new_child "$child_dir"
noisy

trap EXIT

# gpg2 -k
# gpg2 -k --homedir "$child_dir"/root/.gnupg