key-init: If time resets, tell user to set it, but allow skipping

The 'warn' message was not very effective, because change-time.sh
clears the screen right after.  Prompt with whiptail instead, which
also lets the user know what's happening before we drop them into a
series of prompts.

Let the user skip changing time if they really want to.  While they
usually should set the time, it's rather frustrating if Heads forces
them to go through these prompts when they don't want to.

Signed-off-by: Jonathon Hall <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>

Author: JonathonHall-Purism

initrd/bin/key-init

@@ -1,19 +1,35 @@
 #!/bin/bash
 set -e -o pipefail
 . /etc/functions
+. /etc/gui_functions
 
 TRACE_FUNC
 
 # Post processing of keys
 
-# Import user's keys
-gpg --import /.gnupg/keys/*.key  /.gnupg/keys/*.asc 2>/dev/null || true
+# Good system clock is required for GPG to work properly.
+# if system year is less then 2024, prompt user to set correct time
+if [ "$(date +%Y)" -lt 2024 ]; then
+    if whiptail_warning --title "System Time Incorrect" \
+        --yesno "The system time is incorrect. Please set the correct time." \
+        0 80 --yes-button Continue --no-button Skip --clear; then
+        change-time.sh
+    fi
+fi
+
+# Import user's keys if they exist
+if [ -d /.gnupg/keys ]; then
+    # This is legacy location for user's keys. cbfs-init takes for granted that keyring and trustdb are in /.gnupg
+    #  oem-factory-reset generates keyring and trustdb which cbfs-init dumps to /.gnupg
+    # TODO: Remove individual key imports. This is still valid for distro keys only below.
+    gpg --import /.gnupg/keys/*.key  /.gnupg/keys/*.asc 2>/dev/null || warn "Importing user's keys failed"
+fi
 
 # Import trusted distro keys allowed for ISO signing
-gpg --homedir=/etc/distro/ --import /etc/distro/keys/* 2>/dev/null || true
+gpg --homedir=/etc/distro/ --import /etc/distro/keys/* 2>/dev/null || warn "Importing distro keys failed"
 #Set distro keys trust level to ultimate (trust anything that was signed with these keys)
-gpg --homedir=/etc/distro/ --list-keys --fingerprint --with-colons|sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --homedir=/etc/distro/ --import-ownertrust 2>/dev/null || true
-gpg --homedir=/etc/distro/ --update-trust 2>/dev/null || true
+gpg --homedir=/etc/distro/ --list-keys --fingerprint --with-colons|sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --homedir=/etc/distro/ --import-ownertrust 2>/dev/null || warn "Setting distro keys ultimate trust failed"
+gpg --homedir=/etc/distro/ --update-trust 2>/dev/null || warn "Updating distro keys trust failed"
 
 # Add user's keys to the list of trusted keys for ISO signing
-gpg --export | gpg --homedir=/etc/distro/ --import 2>/dev/null || true
+gpg --export | gpg --homedir=/etc/distro/ --import 2>/dev/null || warn "Adding user's keys to distro keys failed"