File check-apt-key-if-less-than-x-days-to-expiry of Package kimi-utils-ubuntu

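#!/usr/bin/env bash
# Report APT keyring files whose primary key is expired or has fewer than N
# days left until expiry.
#
# Usage: check-apt-key-if-less-than-x-days-to-expiry [KEY_FILE_OR_DIR [DAYS]]
#   KEY_FILE_OR_DIR  keyring file, or directory whose *.gpg files are checked
#                    (default: /etc/apt/trusted.gpg.d)
#   DAYS             alert threshold in days (default: 180)
#
# Exit status:
#   0  no key is expired or inside the threshold
#   1  at least one key is expired or expires within DAYS days
#   2  the check could not be run (bad argument, no key files, gpg missing)
#
# Scope notes:
#   - Only `pub` lines of the gpg listing are examined, so an expiry date that
#     appears only on a `sub` line is not reported.
#   - Directories are globbed for *.gpg only; a key stored under another name
#     or in another directory has to be passed explicitly as KEY_FILE_OR_DIR.
set -euo pipefail
IFS=$'\n\t'

export LANG=C
export LC_ALL=C

# nullglob must be active *before* any glob is expanded. Without it an
# unmatched "$dir"/*.gpg stays in the array as a literal string, the
# "No .gpg files found" checks never fire, and the run ends with status 0
# without having inspected a single key.
shopt -s nullglob

readonly KEYRING_DIR="/etc/apt/trusted.gpg.d"
readonly DEFAULT_THRESH_DAYS=180
readonly SEC_PER_DAY=86400

key_arg=${1:-}
thresh_days=${2:-$DEFAULT_THRESH_DAYS}

key_files=()
if [[ -z "$key_arg" ]]; then
  # No key argument: scan the default keyring directory.
  if [[ ! -d "$KEYRING_DIR" ]]; then
    printf 'Keyring directory %s does not exist.\n' "$KEYRING_DIR" >&2
    exit 2
  fi
  key_files=( "$KEYRING_DIR"/*.gpg )
  if (( ${#key_files[@]} == 0 )); then
    printf 'No .gpg files found in %s\n' "$KEYRING_DIR" >&2
    exit 2
  fi
elif [[ -d "$key_arg" ]]; then
  key_files=( "$key_arg"/*.gpg )
  if (( ${#key_files[@]} == 0 )); then
    printf 'No .gpg files found in %s\n' "$key_arg" >&2
    exit 2
  fi
elif [[ -f "$key_arg" ]]; then
  # An explicitly named file is checked whatever its extension.
  key_files=( "$key_arg" )
else
  printf 'Key file or directory %s does not exist.\n' "$key_arg" >&2
  exit 2
fi

if ! [[ "$thresh_days" =~ ^[0-9]+$ ]]; then
  printf 'Threshold days must be an integer: %s\n' "$thresh_days" >&2
  exit 2
fi

# Without gpg every listing below would be empty and the script would report
# success; treat a missing tool as "check could not be run".
if ! command -v gpg >/dev/null 2>&1; then
  printf 'gpg not found in PATH; cannot check key expiry.\n' >&2
  exit 2
fi

now_sec=$(date +%s)
# 10# forces base 10 so a threshold such as "08" is not parsed as bad octal.
threshold_sec=$(( 10#$thresh_days * SEC_PER_DAY ))
alert_found=0

# Patterns kept in variables so [[ =~ ]] receives them unquoted as regexes.
labelled_expiry_re='([Ee]xpires|[Ee]xpired)[[:space:]]*:[[:space:]]*([0-9]{4}-[0-9]{2}-[0-9]{2})'
iso_date_re='[0-9]{4}-[0-9]{2}-[0-9]{2}'
expiry_word_re='([Ee]xpires|[Ee]xpired|expire)'

for key_file in "${key_files[@]}"; do
  # Capture the listing first so a gpg failure is visible instead of being
  # folded into "no expiring key found". --show-keys is the documented option
  # name; "--" keeps a path that starts with "-" from being read as an option.
  gpg_status=0
  key_listing=$(gpg --show-keys -- "$key_file" 2>/dev/null) || gpg_status=$?
  if (( gpg_status != 0 )); then
    printf 'gpg could not read %s (exit status %d); expiry not fully checked.\n' \
      "$key_file" "$gpg_status" >&2
  fi

  # Whatever gpg did print is still parsed, even after a non-zero status.
  while IFS= read -r line; do
    [[ $line == pub* ]] || continue

    expiry_date=''
    if [[ $line =~ $labelled_expiry_re ]]; then
      expiry_date="${BASH_REMATCH[2]}"
    elif [[ $line =~ $iso_date_re && $line =~ $expiry_word_re ]]; then
      # Unlabelled layout: take the last date on the line as the expiry.
      expiry_date=$(grep -oE "$iso_date_re" <<< "$line" | tail -n1)
    fi

    # Keys without an expiry date never alert.
    [[ -n $expiry_date ]] || continue

    # expiry_date is digits and dashes only, so it cannot act as a date option.
    target_sec=$(date -d "$expiry_date" +%s 2>/dev/null || true)
    if [[ -z $target_sec ]]; then
      printf 'Could not parse expiry date for %s: %s\n' "$key_file" "$expiry_date" >&2
      continue
    fi

    diff_sec=$(( target_sec - now_sec ))
    if (( diff_sec < 0 )); then
      # Round partial days up so a key that expired an hour ago shows 1 day.
      days_overdue=$(( (-diff_sec + SEC_PER_DAY - 1) / SEC_PER_DAY ))
      printf '%s: expired %s (%d day(s) overdue)\n' "$key_file" "$expiry_date" "$days_overdue"
      alert_found=1
    elif (( diff_sec < threshold_sec )); then
      days_left=$(( (diff_sec + SEC_PER_DAY - 1) / SEC_PER_DAY ))
      printf '%s: expires %s (%d day(s) left)\n' "$key_file" "$expiry_date" "$days_left"
      alert_found=1
    fi
  done <<< "$key_listing"
done

if (( alert_found )); then
  exit 1
fi
exit 0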