#!/usr/bin/env bash
set -Eeuo pipefail

suite='stretch'
timestamp='2017-01-01T00:00:00Z'

expectedEpoch='1483228800'

# https://people.debian.org/~tianon/debuerreotype/
declare -A expectedSha256s=(
	['amd64']='cff511450d3ddec4defc51be1850ca44e527e126aabfa1b6649354f2f2a568f4'
	['arm64']='81ad4f5e7c10b15fc8389c1386e1fe1b2d05bc61d404e10473f5f5a0acde464c'
	['armel']='596117e125f6e0828471564bd5d4f9bdd1ed654f7d84c21e7ab9d640e789763f'
	['armhf']='9e0f63a3d5442fcd1408d61a9c592355138334ddc5c3fb471d5f131511cf286c'
	['i386']='b4e574904703114291f1c42bd80744b1da333d95cf5c00e8e71ba09241ca66ae'
	['mips64el']='767982e9ca353058d9ca44f410e0367071ebf9938a4a996e3ed9139d57bc987f'
	['ppc64el']='99bc8a072448360be9ff741b98466835bc0f270041784cacbcb3803f8d3fbb6a'
	['riscv64']='ports'
	['s390x']='7ad6fa1abaf9d8cb3fd9d1257e24363bc842f0fe204e98d0a2aa995541b62b1c'
)
dpkgArch="$(dpkg --print-architecture)"
expectedSha256="${expectedSha256s["$dpkgArch"]:-}"

if [ "$expectedSha256" = 'ports' ]; then
	echo >&2 "aw, '$dpkgArch' is a ports arch -- bailing early!"
	exit 0
fi

expectedCompareUrl="https://people.debian.org/~tianon/debuerreotype/$suite--$timestamp--0.14--$dpkgArch--$expectedSha256.txz"

tempDir="$(mktemp -d)"
trap "rm -rf '$tempDir'" EXIT
rootfs="$tempDir/rootfs"

set -x

# make a new keyring that contains all archive keys so this still works in the future too
# (see also "debian.sh" in the debuerreotype examples, which this is a hyper-simplified version of)
keyring="$tempDir/keyring.gpg"
gpg --batch --no-default-keyring --keyring "$keyring" --import \
	/usr/share/keyrings/debian-archive-keyring.gpg \
	/usr/share/keyrings/debian-archive-removed-keys.gpg

debuerreotype-init --arch="$dpkgArch" --keyring="$keyring" "$rootfs" "$suite" "$timestamp"
[ "$(< "$rootfs/debuerreotype-epoch")" = "$expectedEpoch" ]

debuerreotype-chroot "$rootfs" true

debuerreotype-debian-sources-list "$rootfs" "$suite"
# remove effect of https://github.com/debuerreotype/debuerreotype/pull/56 (to avoid regenerating expected tarballs to compensate)
sed -i -e '/^#/d' "$rootfs/etc/apt/sources.list"
# remove effect of https://github.com/debuerreotype/debuerreotype/pull/135 (^^^)
sed -i -e 's!deb.debian.org/debian-security!security.debian.org/debian-security!g' "$rootfs/etc/apt/sources.list"

debuerreotype-tar "$rootfs" "$tempDir/actual.tar"
sha256="$(sha256sum "$tempDir/actual.tar" | cut -d' ' -f1)"

# see https://people.debian.org/~tianon/debuerreotype/

if [ "$sha256" != "$expectedSha256" ]; then
	if [ -z "$expectedSha256" ]; then
		(
			set +x
			echo >&2
			echo >&2 "WARNING: no expected SHA256 for '$dpkgArch' known -- please file a bug with this full build output against src:debuerreotype!"
			echo >&2
		)
		exit 0
	fi

	(
		set +x
		echo >&2
		echo >&2 'ERROR: expected SHA256 does not match actual -- downloading pristine source to compare (via diffoscope)'
		echo >&2 "  - $expectedCompareUrl"
		echo >&2
	)

	wget -qO "$tempDir/expected.txz" "$expectedCompareUrl"
	xz -d < "$tempDir/expected.txz" > "$tempDir/expected.tar"
	diffoscope >&2 "$tempDir/expected.tar" "$tempDir/actual.tar"
	exit 1
fi
