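#!/usr/bin/env bash
# Sign Windows artifacts (exe/msi/dll/cat) in place with osslsigncode on a
# Linux (Ubuntu) runner.
#
# Usage: sign-windows-artifact.sh [artifact...]
#
# Required environment:
#   MRTRUST_CODESIGN_PFX_BASE64    base64-encoded PKCS#12 bundle (cert + key)
#   MRTRUST_CODESIGN_PFX_PASSWORD  password protecting the PKCS#12 bundle
# Optional environment:
#   MRTRUST_TIMESTAMP_URL          Authenticode timestamp server
#                                  (default: http://timestamp.digicert.com)
#
# Exit status: 0 when every artifact was signed, 2 on usage/validation errors,
# otherwise the status of the failing command (set -e).
set -euo pipefail

# Print a diagnostic to stderr and exit with the usage/validation status.
die() {
  printf '%s\n' "$*" >&2
  exit 2
}

if [ "$#" -lt 1 ]; then
  die "Usage: sign-windows-artifact.sh [artifact...]"
fi
[ -n "${MRTRUST_CODESIGN_PFX_BASE64:-}" ] || die "MRTRUST_CODESIGN_PFX_BASE64 is required."
[ -n "${MRTRUST_CODESIGN_PFX_PASSWORD:-}" ] || die "MRTRUST_CODESIGN_PFX_PASSWORD is required."
command -v osslsigncode >/dev/null 2>&1 \
  || die "osslsigncode is required for MrTrust Ubuntu runner signing."

# Validate every artifact before touching any of them, so a bad argument late
# in the list does not leave the earlier ones already rewritten.
for artifact in "$@"; do
  [ -f "$artifact" ] || die "Artifact not found: $artifact"
  case "${artifact##*.}" in
    exe | EXE | msi | MSI | dll | DLL | cat | CAT) ;;
    *) die "Unsupported artifact for osslsigncode: $artifact" ;;
  esac
done

work_dir="$(mktemp -d)"   # private (0700) dir: holds the key bundle and password
trap 'rm -rf -- "$work_dir"' EXIT

pfx_path="$work_dir/mrtrust-codesign.pfx"
pass_path="$work_dir/mrtrust-codesign.pass"
# Secret material is written with a restrictive umask. The subshell keeps the
# caller's umask for everything else, including the signed output files.
(
  umask 077
  printf '%s' "$MRTRUST_CODESIGN_PFX_BASE64" | base64 -d > "$pfx_path"
  # No trailing newline: the file content is the password, byte for byte.
  printf '%s' "$MRTRUST_CODESIGN_PFX_PASSWORD" > "$pass_path"
)
[ -s "$pfx_path" ] || die "MRTRUST_CODESIGN_PFX_BASE64 did not decode to a PKCS#12 bundle."

# Unset or empty falls back to the default, so this is never empty in
# practice; kept as a variable so the timestamp flag is built in one place.
timestamp_url="${MRTRUST_TIMESTAMP_URL:-http://timestamp.digicert.com}"

for artifact in "$@"; do
  signed_path="$work_dir/$(basename -- "$artifact").signed"
  # The password goes in via -readpass (a 0600 file in the private temp dir)
  # rather than -pass on argv: argv is readable by every local user through
  # ps/procfs and is echoed into the build log by CI command tracing.
  args=(
    sign
    -pkcs12 "$pfx_path"
    -readpass "$pass_path"
    -n "MrSphay"
    -i "https://git.wilkensxl.de/MrSphay"
    -in "$artifact"
    -out "$signed_path"
  )
  if [ -n "$timestamp_url" ]; then
    args+=(-t "$timestamp_url")
  fi
  osslsigncode "${args[@]}"
  mv -- "$signed_path" "$artifact"
  printf 'Signed %s\n' "$artifact"
done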