clearsigned

#!/usr/bin/env bash
set -euo pipefail

# A clearsigned text "editor".
# Easily edit and re-sign the body of an embedded PGP clearsigned document.
#
# Usage:
# clearsigned [-b] [-s] [-e editor] file ...

SHORTOPT=be:
LONGOPTS=backup,editor:,skip-verify

! PARSED=$(getopt --options=${SHORTOPT} --longoptions=${LONGOPTS} --name "$0" -- "$@")
[[ ${PIPESTATUS[0]} -ne 0 ]] && exit 2
eval set -- "$PARSED"

skip_verify=
while true; do
    case $1 in
        -b|--backup)
            backup=1
            shift
            ;;
        -e|--editor)
            editor=$2
            shift 2
            ;;
        --skip-verify)
            skip_verify="--skip-verify"
            shift
            ;;
        --)
            shift
            break
            ;;
        *)
            echo "Error while parsing arguments" >&2
            exit 2
    esac
done

if [[ $# -lt 1 ]]; then
    echo "Expected at least one file to process" >&2
    exit 3
fi

myhead='^-----BEGIN PGP SIGNED MESSAGE-----$'
mytail='^-----END PGP SIGNATURE-----$'

for file in "$@"; do
    printf "%s: " "$file"

    if [ -v backup ]; then
        cp "${file}" "${file}.bak"
        printf "backed up. "
    fi

    tmpfile=$(mktemp --dry-run).${file##*.}
    [ -z ${skip_verify} ] || printf "skipping verification! "
    if [ -f $file ] && ! output=$(gpg -o "$tmpfile" --decrypt ${skip_verify} "$file" 2>&1 >/dev/null); then
        echo "$output" >&2
        rm "$tmpfile" 2>/dev/null
        exit 1
    fi
    printf "extracted. "

    ${editor:-${EDITOR}} "$tmpfile"
    printf "edited. "

    tmpfile2=$(mktemp --dry-run)
    gpg -o "$tmpfile2" --clearsign "$tmpfile"
    printf "signed. "
    rm "$tmpfile"

    if [ -f $file ]; then
        sed -i '1,1d; $d' "${tmpfile2}"
        sed -ne "/${myhead}/ {p; r ${tmpfile2}" \
            -e ":a; n; /${mytail}/ {p; b}; ba}; p" -i "$file"
        rm "$tmpfile2"
    else
        mv "$tmpfile2" "$file"
    fi
    printf "done.\\n"
done