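#!/usr/bin/env bash
#
# Sign a build artifact with jsign, using the MrTrust code-signing PFX.
#
# Arguments:
#   $1 - path of the artifact to sign
#
# Environment:
#   JSIGN_JAR             path of the downloaded jsign jar
#   MRTRUST_PFX_PATH      path of the PKCS#12 (PFX) keystore holding the key
#   MRTRUST_PFX_PASSWORD  keystore password; it has to be exported, because
#                         jsign reads it from the environment itself
#
# Exit status: 1 when a required input is missing, otherwise the status of
# the jsign invocation (the last command of the script).
set -euo pipefail

artifact_path="${1:-}"

if [ -z "${artifact_path}" ]; then
  echo "No artifact path was provided for signing." >&2
  exit 1
fi

# Fail early with a clear message, in the same way as for the jar and the
# keystore below, instead of leaving a wrong path to surface as a jsign error.
if [ ! -f "${artifact_path}" ]; then
  printf 'Artifact to sign was not found: %s\n' "${artifact_path}" >&2
  exit 1
fi

if [ -z "${JSIGN_JAR:-}" ] || [ ! -f "${JSIGN_JAR}" ]; then
  echo "JSIGN_JAR must point to the downloaded jsign jar." >&2
  exit 1
fi

if [ -z "${MRTRUST_PFX_PATH:-}" ] || [ ! -f "${MRTRUST_PFX_PATH}" ]; then
  echo "MRTRUST_PFX_PATH must point to the MrTrust code-signing PFX." >&2
  exit 1
fi

if [ -z "${MRTRUST_PFX_PASSWORD:-}" ]; then
  echo "MRTRUST_PFX_PASSWORD must be set." >&2
  exit 1
fi

# --storepass is given as env:NAME, so the password is never expanded here and
# does not appear in the java argument list (process listings, `set -x` traces).
# --tsaurl takes a comma-separated list; the second URL serves as a fallback.
# NOTE(review): the DigiCert TSA is addressed over plain http. Timestamp
# responses are signed by the TSA, but confirm that this is acceptable for the
# build environment's network policy.
java -jar "${JSIGN_JAR}" sign \
  --verbose \
  --storetype PKCS12 \
  --keystore "${MRTRUST_PFX_PATH}" \
  --storepass env:MRTRUST_PFX_PASSWORD \
  --tsaurl "https://timestamp.sectigo.com,http://timestamp.digicert.com" \
  "${artifact_path}"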