authorTim Steinbach <tim@nequissimus.com>2020-10-15 19:34:49 -0400
committerTim Steinbach <tim@nequissimus.com>2020-10-15 19:34:49 -0400
commitd63ddacf9355e754d9dc9c1d2b4646fe78aa5cca (patch)
tree207434e3b9fb83e00a06abda6631aed0416dadab /pkgs/shells/bash/update-patch-set.sh
parent95b55f6e7c034ee2e7845a7829793376c109062d (diff)
bash: Use nix-shell in update script
The script assumed that `wget` was available in the environment
along with common CA certificates.
Replaced the detection of GPG, which is not necessary anymore.
Added fetching of the public key that bash releases and patches are signed with,
without which we cannot verify signatures.
Diffstat (limited to 'pkgs/shells/bash/update-patch-set.sh')
-rwxr-xr-xpkgs/shells/bash/update-patch-set.sh13
1 files changed, 9 insertions, 4 deletions
diff --git a/pkgs/shells/bash/update-patch-set.sh b/pkgs/shells/bash/update-patch-set.sh
index 003c7a26d20..cb4f372f543 100755
--- a/pkgs/shells/bash/update-patch-set.sh
+++ b/pkgs/shells/bash/update-patch-set.sh
@@ -1,4 +1,5 @@
-#!/bin/sh
+#!/usr/bin/env nix-shell
+#!nix-shell --pure -i bash -p wget -p gnupg -p cacert
 
 # Update patch set for GNU Bash or Readline.
 
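Review bot: The `-p` list on the new `#!nix-shell` line omits `nix`, yet the loop further down still calls `nix-hash`. With `--pure` the PATH is limited to the listed packages plus the standard environment, so that call will likely fail with "command not found". Adding the package fixes it: `#!nix-shell --pure -i bash -p wget -p gnupg -p cacert -p nix`. The `nix-hash` call sits in a later hunk, and the rest of the script is outside this one.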
@@ -14,8 +15,6 @@ fi
 PROJECT="$1"
 VERSION="$2"
 VERSION_CONDENSED="$(echo $VERSION | sed -es/\\.//g)"
-
-GPG="$(if $(type -P gpg2 > /dev/null); then echo gpg2; else echo gpg; fi)"
 PATCH_LIST="$PROJECT-$VERSION-patches.nix"
 
 set -e
@@ -25,6 +24,12 @@ end=100 # must be > 99 for correct padding
 
 rm -vf "$PATCH_LIST"
 
+wget "https://tiswww.case.edu/php/chet/gpgkey.asc"
+echo "4ef5051ce7200241e65d29c11eb57df8  gpgkey.asc" > gpgkey.asc.md5
+md5sum -c gpgkey.asc.md5
+gpg --import ./gpgkey.asc
+rm gpgkey.asc{,.md5}
+
 ( echo "# Automatically generated by \`$(basename $0)'; do not edit." ;	\
   echo "" ;								\
   echo "patch: [" )							\
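Review bot: The downloaded key is pinned with MD5 and imported into gpg's default keyring, so the later `gpg --verify` in the loop hunk accepts a good signature from any key already in that keyring, not only the one fetched here. MD5 is a weak pin; a SHA-256 checksum or a check of the imported key's fingerprint is a stronger anchor. A throwaway `GNUPGHOME` binds verification to this one key and leaves the user's keyring untouched. `wget` without `-O` also saves to `gpgkey.asc.1` when an earlier aborted run left a stale `gpgkey.asc` behind, so the checksum and import would then run on the old file.

```shell
# … unchanged: rm -vf "$PATCH_LIST" …
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
trap 'rm -rf -- "$GNUPGHOME"' EXIT
wget -O "$GNUPGHOME/gpgkey.asc" "https://tiswww.case.edu/php/chet/gpgkey.asc"
# <SHA256_OF_GPGKEY_ASC> is a placeholder: record the real value after checking the key out of band
echo "<SHA256_OF_GPGKEY_ASC>  $GNUPGHOME/gpgkey.asc" | sha256sum -c -
gpg --import "$GNUPGHOME/gpgkey.asc"
# … unchanged: header echo lines written to "$PATCH_LIST" …
```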
@@ -34,7 +39,7 @@ for i in `seq -w $start $end`
 do
     wget ftp.gnu.org/gnu/$PROJECT/$PROJECT-$VERSION-patches/$PROJECT$VERSION_CONDENSED-$i || break
     wget ftp.gnu.org/gnu/$PROJECT/$PROJECT-$VERSION-patches/$PROJECT$VERSION_CONDENSED-$i.sig
-    "$GPG" --verify $PROJECT$VERSION_CONDENSED-$i.sig
+    gpg --verify $PROJECT$VERSION_CONDENSED-$i.sig
     echo "(patch \"$i\" \"$(nix-hash --flat --type sha256 --base32 $PROJECT$VERSION_CONDENSED-$i)\")"	\
     >> "$PATCH_LIST"