From 65528f0c50d02d1e3b4ce29e4b77f9257a57207d Mon Sep 17 00:00:00 2001
From: Vitaliy Zaytsev <vitaliy@stashaway.com>
Date: Wed, 10 Apr 2024 20:28:17 +0300
Subject: [PATCH] add MISE_YARN_SKIP_GPG to be able to skip gpg verification

- needed to split tar and gpg deps to allow to skip gpg
- got  [ -z ${MISE_YARN_SKIP_GPG+false} ]  idea from https://stackoverflow.com/a/13864829/832965
---
 README.md   | 12 +++++++++++-
 bin/install | 22 +++++++++++++++-------
 2 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 3fd5643..95200fb 100644
--- a/README.md
+++ b/README.md
@@ -20,10 +20,20 @@ mise plugin i yarn
 mise plugin up yarn
 ```
 
-# Development
+## Development
 
 This repo has github workflows which check linting and formatting of code in `bin` folder.
 
 To lint code run `make lint` (note: requires `shellcheck` to be installed)
 
 To check formatting run `make format-check` (requires `shfmt` to be installed) and to format code run `make fmt`
+
+## yarn v1 missing signatures
+
+[Latest v1 releases](https://github.com/yarnpkg/yarn/releases/) (`1.22.22`, `1.22.21`, `1.22.20`) don't have signature files (`.asc`) which makes it impossible to install these versions (gpg signature verification doesn't pass). They say "we're working on fixing this" but issue persists since Nov 14, 2023 (release of 1.22.20)
+
+To be able to install those you can use `MISE_YARN_SKIP_GPG` env var
+
+```shell
+MISE_YARN_SKIP_GPG=true mise install yarn@1.22.22
+```
diff --git a/bin/install b/bin/install
index 8e6a642..e90bae2 100755
--- a/bin/install
+++ b/bin/install
@@ -23,15 +23,21 @@ asdf_yarn_v1_download() {
   # Download archive
   curl -sSL -o "yarn-v${ASDF_INSTALL_VERSION}.tar.gz" "https://classic.yarnpkg.com/downloads/${ASDF_INSTALL_VERSION}/yarn-v${ASDF_INSTALL_VERSION}.tar.gz"
 
-  # Download archive signature
-  curl -sSL -o "yarn-v${ASDF_INSTALL_VERSION}.tar.gz.asc" "https://classic.yarnpkg.com/downloads/${ASDF_INSTALL_VERSION}/yarn-v${ASDF_INSTALL_VERSION}.tar.gz.asc"
+  if [ -z ${MISE_YARN_SKIP_GPG+false} ]; then
+    # Download archive signature
+    curl -sSL -o "yarn-v${ASDF_INSTALL_VERSION}.tar.gz.asc" "https://classic.yarnpkg.com/downloads/${ASDF_INSTALL_VERSION}/yarn-v${ASDF_INSTALL_VERSION}.tar.gz.asc"
 
-  # Download and import signing key
-  curl -sSL "https://dl.yarnpkg.com/debian/pubkey.gpg" | GNUPGHOME="$(asdf_yarn_v1_keyring)" gpg --import
+    #Download and import signing key
+    curl -sSL "https://dl.yarnpkg.com/debian/pubkey.gpg" | GNUPGHOME="$(asdf_yarn_v1_keyring)" gpg --import
+  fi
 }
 
 asdf_yarn_v1_install() {
-  { [ -x "$(which tar)" ] && [ -x "$(which gpg)" ]; } || asdf_yarn_fail "Missing one or more of the following dependencies: tar, gpg"
+  [ -x "$(which tar)" ] || asdf_yarn_fail "Missing following dependency: tar"
+
+  if [ -z ${MISE_YARN_SKIP_GPG+false} ]; then
+    [ -x "$(which gpg)" ] || asdf_yarn_fail "Missing following dependency: gpg"
+  fi
 
   local ASDF_YARN_DIR
   ASDF_YARN_DIR="$(mktemp -d -t asdf-yarn-XXXXXXX)"
@@ -41,8 +47,10 @@ asdf_yarn_v1_install() {
 
     asdf_yarn_v1_download
 
-    # Verify archive signature
-    GNUPGHOME="$(asdf_yarn_v1_keyring)" gpg --verify "yarn-v${ASDF_INSTALL_VERSION}.tar.gz.asc" "yarn-v${ASDF_INSTALL_VERSION}.tar.gz"
+    if [ -z ${MISE_YARN_SKIP_GPG+false} ]; then
+      # Verify archive signature
+      GNUPGHOME="$(asdf_yarn_v1_keyring)" gpg --verify "yarn-v${ASDF_INSTALL_VERSION}.tar.gz.asc" "yarn-v${ASDF_INSTALL_VERSION}.tar.gz"
+    fi
 
     # Extract archive
     tar xzf "yarn-v${ASDF_INSTALL_VERSION}.tar.gz" --strip-components=1 --no-same-owner