Feat: adds gpg-download-key master
authorSilvio Rhatto <rhatto@riseup.net>
Wed, 14 Aug 2024 21:20:00 +0000 (18:20 -0300)
committerSilvio Rhatto <rhatto@riseup.net>
Wed, 14 Aug 2024 21:20:00 +0000 (18:20 -0300)
gpg-download-key [new file with mode: 0755]

diff --git a/gpg-download-key b/gpg-download-key
new file mode 100755 (executable)
index 0000000..6f4e093
--- /dev/null
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+#
+# Helper script to properly download an OpenPGP key from a remote location.
+# Inspired by https://gitlab.torproject.org/tpo/onion-services/onionprobe/-/blob/main/scripts/get-tor-debian-key
+#
+
+# Parameters
+BASENAME="`basename $0`"
+URL="$1"
+FINGERPRINT="$2"
+DEST="$3"
+CANDIDATE="`mktemp`"
+
+# Ensure the candidate file is remove upon exit
+trap "rm -rf $CANDIDATE" INT TERM EXIT
+
+# Check syntax
+if [ -z "$3" ]; then
+  echo "usage: $BASENAME <url> <fingerprint> <dest-file>"
+  exit 1
+fi
+
+# Download the OpenPGP directly from a remote location.
+#
+# Advantage: handles any upstram updates in the key, like renewed expiration.
+wget -qO- "$URL" | gpg --dearmor | tee "$CANDIDATE" > /dev/null || exit 1
+
+# Get the actual fingerprint after downloading, since we cannot assume that the
+# remote file has the correct fingerprint.
+#
+# Then we need to check the actual key fingerprint.
+KEY_FPR="`cat $CANDIDATE | gpg --with-fingerprint --with-colons 2> /dev/null | grep '^fpr' | cut -d : -f 10 | head -1`"
+
+# Compare the actual fingerprint with the one we're looking for
+if [ "$KEY_FPR" == "$FINGERPRINT" ]; then
+  echo "$BASENAME: downloaded $URL key matches the expected fingerprint $FINGERPRINT"
+
+  if [ ! -z "$DEST" ]; then
+    echo "$BASENAME: saving key $FINGERPRINT on $DEST..."
+    touch "$DEST"              || exit 1
+    chmod 644 "$DEST"          || exit 1
+    cat "$CANDIDATE" > "$DEST" || exit 1
+  else
+    echo "$BASENAME: saving key $FINGERPRINT on $FINGERPRINT.asc..."
+    cp "$CANDIDATE" "$FINGERPRINT.asc"
+  fi
+else
+  echo "$BASENAME: error: downloaded $URL key does not matche the expected fingerprint $FINGERPRINT (got $KEY_FPR instead)"
+  exit 1
+fi
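Review bot: The fingerprint check at the `KEY_FPR=` line inspects only the first `fpr` record (`head -1`), so a downloaded file that bundles the expected key together with additional keys passes the comparison and every key in it is written to `$DEST`; the pipeline that fills `$CANDIDATE` also runs without `set -o pipefail`, so a failed `wget` is only caught indirectly by the later mismatch. I would add `set -o pipefail` after the shebang and, before the comparison, require a single key: `KEY_COUNT="$(gpg --with-colons < "$CANDIDATE" 2>/dev/null | grep -c '^pub:')"` followed by `[ "$KEY_COUNT" = "1" ] || { echo "$BASENAME: error: expected one key in $URL, got $KEY_COUNT" >&2; exit 1; }`. Separately, the usage check already rejects an empty `$3`, so the `else` branch that copies to `$FINGERPRINT.asc` is unreachable, and its `.asc` name is misleading because the content has been dearmored to binary by then. Error messages (including the mismatch line, which reads `does not matche`) should go to stderr with `>&2`, and `$CANDIDATE` should be quoted in the `trap` and `cat` lines.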