#!/usr/bin/env bash
# create_cert.sh — creates a local self-signed Mac code-signing certificate
# Run once. Requires no Apple Developer account.

set -euo pipefail

CERT_NAME="${1:-"Local Mac Developer"}"
KEYCHAIN_NAME="build.keychain"
KEYCHAIN_PASS="keychain_pass" # change this
P12_PASS="p12_pass"           # change this

echo "==> Creating build keychain: $KEYCHAIN_NAME"

security delete-keychain "$KEYCHAIN_NAME" 2>/dev/null || true
security create-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN_NAME" 2>/dev/null || true
security set-keychain-settings -lut 21600 "$KEYCHAIN_NAME" # lock after 6 h
security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN_NAME"

# Add to keychain search list so tools can find it
security list-keychains -d user -s "$KEYCHAIN_NAME" $(security list-keychains -d user | tr -d '"')

echo "==> Generating self-signed certificate: '$CERT_NAME'"
# Use Keychain Access UI approach (most reliable for self-signed)
cat >/tmp/cert_req.cfg <<EOF
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn
x509_extensions    = v3_req

[ dn ]
CN = $CERT_NAME

[ v3_req ]
keyUsage         = digitalSignature
extendedKeyUsage = codeSigning
EOF

# Generate key + cert via openssl, then import
openssl req -x509 -newkey rsa:2048 -days 3650 -nodes \
  -keyout /tmp/codesign.key \
  -out /tmp/codesign.crt \
  -config /tmp/cert_req.cfg

# Bundle into PKCS#12
openssl pkcs12 -export \
  -inkey /tmp/codesign.key \
  -in /tmp/codesign.crt \
  -out /tmp/codesign.p12 \
  -passout pass:"$P12_PASS" \
  -legacy \
  -keypbe PBE-SHA1-3DES \
  -certpbe PBE-SHA1-3DES \
  -macalg sha1

# Import into build keychain (trust for code signing)
security import /tmp/codesign.p12 \
  -k "$KEYCHAIN_NAME" \
  -P "$P12_PASS" \
  -T /usr/bin/codesign \
  -T /usr/bin/security

# Grant codesign permission without UI prompt
security set-key-partition-list \
  -S apple-tool:,apple:,codesign: \
  -s -k "$KEYCHAIN_PASS" "$KEYCHAIN_NAME"

# Clean up temp files
rm -f /tmp/codesign.key /tmp/codesign.crt /tmp/codesign.p12 /tmp/cert_req.cfg

echo ""
echo "✅  Certificate '$CERT_NAME' created in '$KEYCHAIN_NAME'."
echo "    Use this identity string in sign.sh:"
security find-identity -v -p codesigning "$KEYCHAIN_NAME" | grep "$CERT_NAME" | head -1