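#!/usr/bin/env bash
# fetch-arch-iso.sh
# Downloads the latest Arch ISO and its detached signature, checks that a
# signing key is present in the GPG keyring, and verifies the download.
#
# Optional environment:
#   ARCH_ISO_SIGNER_FPR  Full fingerprint of the key expected to have signed
#                        the ISO (spaces allowed). When set, a good signature
#                        made by any other key is rejected. Take the value
#                        from a source you trust independently of the mirror.

set -u
set -o pipefail

# CONFIGURATION
BASE_DIR="${HOME}/downloads/isos"
ISO_NAME="archlinux-x86_64.iso"
SIG_NAME="${ISO_NAME}.sig"
ISO_URL="https://geo.mirror.pkgbuild.com/iso/latest/${ISO_NAME}"
SIG_URL="https://geo.mirror.pkgbuild.com/iso/latest/${SIG_NAME}"

# User-ID substring looked up in the caller's GPG keyring.
# NOTE(review): a user ID is free text, so this lookup only shows that some
# key carrying this name is present; it does not identify the key. Release
# ISOs are presumably signed by a release engineer's key rather than by a
# master key -- confirm, and pin that key with ARCH_ISO_SIGNER_FPR.
ARCH_KEY_SEARCH="Arch Linux Master Key"

# Normalise the optional pinned fingerprint: drop spaces, upper-case.
EXPECTED_SIGNER_FPR="${ARCH_ISO_SIGNER_FPR:-}"
EXPECTED_SIGNER_FPR="${EXPECTED_SIGNER_FPR// /}"
EXPECTED_SIGNER_FPR="${EXPECTED_SIGNER_FPR^^}"

# Print a message on stderr and stop the script with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Download a URL to a file, retrying once on failure.
# Arguments: $1 - URL to fetch
#            $2 - output path (overwritten)
# Outputs:   progress on stdout, diagnostics on stderr
# Returns:   0 on success; exits the script with 1 after two failures
#######################################
download_with_retry() {
  local url=$1 out=$2
  echo "  -> Downloading ${url} to ${out}"
  if ! wget -q --show-progress -O "${out}" "${url}"; then
    echo "     First attempt failed; retrying once..." >&2
    if ! wget -q --show-progress -O "${out}" "${url}"; then
      echo "Error: failed to download ${url} after 2 tries." >&2
      echo "       Please check your network connectivity." >&2
      exit 1
    fi
  fi
}

#######################################
# Verify a detached signature and, when a fingerprint is pinned, the signer.
# Globals:   EXPECTED_SIGNER_FPR (read)
# Arguments: $1 - detached signature file
#            $2 - signed data file
# Outputs:   gpg's own report on stderr
# Returns:   0 if the signature is good (and matches the pin, if any)
#######################################
verify_iso() {
  local sig=$1 data=$2 status
  # Machine-readable status lines go to stdout and are captured; the
  # human-readable report stays on stderr.
  status=$(gpg --status-fd 1 --verify "${sig}" "${data}") || return 1

  if [[ -z "${EXPECTED_SIGNER_FPR}" ]]; then
    # Without a pin, gpg's exit status means "good signature from some key
    # in the keyring", not "signed by the Arch release key".
    echo "Note: ARCH_ISO_SIGNER_FPR is not set; accepting a good signature" >&2
    echo "      from any key in your keyring." >&2
    return 0
  fi

  # VALIDSIG carries the signing key's fingerprint as its first field and
  # the primary key's fingerprint as its last; accept a match on either.
  if ! awk -v want="${EXPECTED_SIGNER_FPR}" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
      (toupper($3) == want || toupper($NF) == want) { found = 1 }
    END { exit !found }
  ' <<<"${status}"; then
    echo "Error: signature is good but was not made by ${EXPECTED_SIGNER_FPR}." >&2
    return 1
  fi
}

# 1) Build target directory, e.g. ~/downloads/isos/archlinux.2025.08.22
today=$(date +%Y.%m.%d)
TARGET_DIR="${BASE_DIR}/archlinux.${today}"
mkdir -p "${TARGET_DIR}" || die "Error: could not create ${TARGET_DIR}"

ISO_PATH="${TARGET_DIR}/${ISO_NAME}"
SIG_PATH="${TARGET_DIR}/${SIG_NAME}"
# The ISO keeps this name until verification passes, so an unverified image
# never sits at the final path.
ISO_PENDING="${ISO_PATH}.unverified"

# 2) Make sure GPG is installed
if ! command -v gpg >/dev/null; then
  die "Error: gpg is not installed. Please install it and re-run."
fi

# 3) Check for the Arch Linux signing key
if ! gpg --list-keys "${ARCH_KEY_SEARCH}" >/dev/null 2>&1; then
  echo "Warning: Arch Linux signing key not found in your keyring." >&2
  read -r -p "Install archlinux-keyring package now? [y/N] " ans || ans=""
  ans=${ans,,} # tolower
  if [[ "${ans}" == "y" || "${ans}" == "yes" ]]; then
    # NOTE(review): -Sy refreshes the package databases without upgrading
    # the system; consider a full upgrade instead. Also, archlinux-keyring
    # presumably populates pacman's keyring rather than the caller's GPG
    # keyring, so step 5 may still report a missing public key -- verify.
    sudo pacman -Sy --needed archlinux-keyring ||
      die "Error: could not install archlinux-keyring."
  else
    die "Cannot verify ISO without the Arch key. Aborting."
  fi
fi

# 4) Download the ISO and its .sig
download_with_retry "${ISO_URL}" "${ISO_PENDING}"
download_with_retry "${SIG_URL}" "${SIG_PATH}"

# 5) Verify the ISO against the signature
echo "  -> Verifying the ISO with GPG..."
if verify_iso "${SIG_PATH}" "${ISO_PENDING}"; then
  mv -f -- "${ISO_PENDING}" "${ISO_PATH}" ||
    die "Error: could not move verified ISO to ${ISO_PATH}"
  echo
  echo "SUCCESS: The ISO signature is valid."
  echo "You can now burn or mount ${TARGET_DIR}/${ISO_NAME} with confidence."
  exit 0
else
  echo >&2
  echo "ERROR: GPG signature verification failed!" >&2
  echo "       The downloaded ISO may be corrupted or tampered with." >&2
  echo "       It was left at ${ISO_PENDING}; do not use it." >&2
  exit 1
fi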