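#!/bin/bash
#
# Check that signed EFI binaries were not signed with a revoked Canonical
# secure-boot signing certificate.
#
# Usage: $0 [-q] BINARY...
#
#   -q   suppress the per-binary "revoked key ... used" message. Errors for a
#        missing file or an image whose signer cannot be read are still printed.
#
# For each BINARY the signer subjects are read from `sbverify --list` and the
# CN of every "subject:" line is compared, as a whole string, against the
# revoked list below.
#
# Exit status: 0 when every binary exists, yields at least one signer CN and
# none of those CNs is on the revoked list; 1 otherwise. Processing continues
# past the first failure so that every problem is reported in one run.
#
# NOTE(review): this is a packaging sanity check that matches on the subject
# CN string only, not on the certificate or key fingerprint. Any certificate
# carrying one of these CN strings is flagged and a re-issued certificate with
# a different CN is not; do not treat a clean result as a trust decision.
set -euo pipefail

# Subject CNs of Canonical secure-boot signing certificates that this script
# treats as revoked. Entries are compared as exact, whole strings.
readonly -a revoked_cns=(
	"CN=Canonical Ltd. Secure Boot Signing"
	"CN=Canonical Ltd. Secure Boot Signing (2017)"
	"CN=Canonical Ltd. Secure Boot Signing (ESM 2018)"
	"CN=Canonical Ltd. Secure Boot Signing (2019)"
	"CN=Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)"
	"CN=Canonical Ltd. Secure Boot Signing (2021 v1)"
	"CN=Canonical Ltd. Secure Boot Signing (2021 v2)"
	"CN=Canonical Ltd. Secure Boot Signing (2021 v3)"
)

# Overall exit status; set to 1 by any failure and never reset.
rc=0

quiet=""
if [ "${1-}" = "-q" ]; then
	quiet=true
	shift
fi

# Fail loudly up front if the tool is missing, rather than reporting every
# binary as having no signing subject. Only checked when there is work to do
# so that an argument-less invocation still exits 0 as before.
if (( $# > 0 )) && ! command -v sbverify >/dev/null 2>&1; then
	echo "E: sbverify not found in PATH" >&2
	exit 1
fi

for signed_binary in "$@"; do
	if [ ! -e "$signed_binary" ]; then
		echo "E: $signed_binary: file not found" >&2
		rc=1
		continue
	fi

	# Run sbverify once and keep its stdout; its stderr passes straight
	# through to ours. A non-zero exit (e.g. an unsigned image) must not abort
	# the whole run under set -e -- it simply yields no signers and is
	# reported below.
	listing=$(sbverify --list "$signed_binary") || true

	# Extract the CN from every "subject:" line. The pattern is single-quoted
	# so grep really receives `\\/`, i.e. a CN runs until the next unescaped
	# '/' (the one-line subject field separator) and an escaped `\/` inside
	# the CN is kept. Double-quoting this pattern collapses `\\/` to `\/`,
	# which GNU grep treats as a bare '/' (and warns "stray \ before /" since
	# 3.8), turning the alternation into "match to end of line".
	readarray -t signers < <(printf '%s\n' "$listing" \
		| grep 'subject:' \
		| grep -E -o 'CN=([^/]|\\/)*' || true)

	if (( ${#signers[@]} == 0 )); then
		echo "E: $signed_binary: Could not find signing subject, sbverify output follows:" >&2
		printf '%s\n' "$listing" >&2
		rc=1
		continue
	fi

	for signer in "${signers[@]}"; do
		for revoked in "${revoked_cns[@]}"; do
			if [ "$signer" = "$revoked" ]; then
				if [ -z "$quiet" ]; then
					echo "E: $signed_binary: revoked key $signer used" >&2
				fi
				rc=1
				break
			fi
		done
	done
done
exit "$rc"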
