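#!/usr/bin/env bash
#
# Sign-MrTrustProjectLinux.sh - sign artifacts in place with osslsigncode.
#
# Arguments:
#   One or more paths to .exe/.msi/.dll/.cat files. Each file is replaced by
#   its signed copy.
#
# Environment:
#   MRTRUST_CODESIGN_PFX_BASE64    (required) base64-encoded PKCS#12 bundle
#   MRTRUST_CODESIGN_PFX_PASSWORD  (required) password for that bundle
#   MRTRUST_TIMESTAMP_URL          (optional) timestamp service URL
#
# Exit status: 2 on usage or precondition errors; otherwise the status of the
# first failing command (set -e).
#
# Secrets handling: the key bundle and its password are written only into a
# private mktemp directory that is removed on exit. The password is passed to
# osslsigncode through -readpass rather than -pass, so it does not appear in
# the process argument list, where other local users could read it.
# Do not run this script under `set -x`; tracing would print both secrets.
set -euo pipefail

if [ "$#" -lt 1 ]; then
  echo "Usage: Sign-MrTrustProjectLinux.sh [artifact...]" >&2
  exit 2
fi

if [ -z "${MRTRUST_CODESIGN_PFX_BASE64:-}" ]; then
  echo "MRTRUST_CODESIGN_PFX_BASE64 is required." >&2
  exit 2
fi

if [ -z "${MRTRUST_CODESIGN_PFX_PASSWORD:-}" ]; then
  echo "MRTRUST_CODESIGN_PFX_PASSWORD is required." >&2
  exit 2
fi

# NOTE(review): installing an unpinned package at signing time puts whatever
# the configured apt sources serve into the same process tree as the signing
# key. Prefer a build image that already contains a pinned osslsigncode.
if ! command -v osslsigncode >/dev/null 2>&1; then
  if command -v apt-get >/dev/null 2>&1; then
    export DEBIAN_FRONTEND=noninteractive
    apt-get update
    apt-get install -y osslsigncode
  else
    echo "osslsigncode is not installed and apt-get is unavailable." >&2
    exit 2
  fi
fi

work_dir="$(mktemp -d)"
# ${work_dir:?} aborts instead of expanding to an empty path.
trap 'rm -rf -- "${work_dir:?}"' EXIT

pfx_path="$work_dir/mrtrust-codesign.pfx"
pass_path="$work_dir/mrtrust-codesign.pass"

# Write both secrets with a restrictive umask. The subshell keeps that umask
# away from the signed outputs, which are later moved over the artifacts and
# should keep the caller's default mode. printf is a shell builtin, so neither
# value is exposed as a process argument here.
(
  umask 077
  printf '%s' "$MRTRUST_CODESIGN_PFX_BASE64" | base64 -d > "$pfx_path"
  printf '%s' "$MRTRUST_CODESIGN_PFX_PASSWORD" > "$pass_path"
)

if [ ! -s "$pfx_path" ]; then
  echo "MRTRUST_CODESIGN_PFX_BASE64 decoded to an empty file." >&2
  exit 2
fi

# ':-' substitutes the default for an empty value as well as an unset one, so
# timestamp_url is never empty and the -n test in the loop is always true.
# NOTE(review): if an empty MRTRUST_TIMESTAMP_URL is meant to disable
# timestamping, that does not currently work; confirm the intent.
timestamp_url="${MRTRUST_TIMESTAMP_URL:-http://timestamp.digicert.com}"

for artifact in "$@"; do
  if [ ! -f "$artifact" ]; then
    echo "Artifact not found: $artifact" >&2
    exit 2
  fi

  # Only file types this script is meant to hand to osslsigncode.
  case "${artifact##*.}" in
    exe|EXE|msi|MSI|dll|DLL|cat|CAT) ;;
    *)
      echo "Unsupported artifact for osslsigncode: $artifact" >&2
      exit 2
      ;;
  esac

  # '--' keeps a file name that starts with '-' from being read as an option.
  signed_path="$work_dir/$(basename -- "$artifact").signed"

  args=(
    sign
    -pkcs12 "$pfx_path"
    -readpass "$pass_path"
    -n "MrSphay"
    -i "https://git.wilkensxl.de/MrSphay"
    -in "$artifact"
    -out "$signed_path"
  )

  if [ -n "$timestamp_url" ]; then
    # NOTE(review): -t requests an Authenticode timestamp; confirm whether an
    # RFC 3161 timestamp (-ts) is what the release policy expects.
    args+=( -t "$timestamp_url" )
  fi

  osslsigncode "${args[@]}"

  # The original is replaced only after signing succeeded (set -e).
  mv -- "$signed_path" "$artifact"
  echo "Signed $artifact"
done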