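#!/usr/bin/env bash
# sign.sh — sign a single binary executable for local use or distribution
#
# Usage: ./sign.sh path/to/mybinary
#
# Configuration is read from the environment; every variable has the default
# shown in the CONFIG section below, so an unconfigured run behaves as before.
#
#   CERT_IDENTITY           signing identity (must match the CN in create_cert.sh)
#   KEYCHAIN_PATH           keychain that holds the identity
#   KEYCHAIN_PASS           keychain password (must match create_cert.sh)
#   NOTARIZE                "true" to submit the binary to Apple's notary service
#   APPLE_ID, APPLE_TEAM_ID notary account; used only without APPLE_KEYCHAIN_PROFILE
#   APPLE_APP_PASSWORD      app-specific password from appleid.apple.com; required
#                           when NOTARIZE=true and APPLE_KEYCHAIN_PROFILE is unset
#   APPLE_KEYCHAIN_PROFILE  profile name saved with `xcrun notarytool
#                           store-credentials`; preferred, because the secret then
#                           never appears on a command line (visible in `ps`)
#
# Note: running this script under `set -x` / `bash -x` prints the keychain and
# notary secrets in the trace output.
set -euo pipefail

# ── CONFIG ────────────────────────────────────────────────────────────────────
BINARY_PATH="${1:?Usage: $0 path/to/mybinary}"
CERT_IDENTITY="${CERT_IDENTITY:-Local Mac Developer}"   # must match CN in create_cert.sh
# for real Apple certs use:
# CERT_IDENTITY="Developer ID Application: Your Name (TEAMID)"
KEYCHAIN_PATH="${KEYCHAIN_PATH:-build.keychain-db}"
KEYCHAIN_PASS="${KEYCHAIN_PASS:-build_keychain_password}"   # must match create_cert.sh

# For notarization (optional, set NOTARIZE=true to enable):
NOTARIZE="${NOTARIZE:-false}"
APPLE_ID="${APPLE_ID:-longnghia2.00@gmail.com}"
APPLE_TEAM_ID="${APPLE_TEAM_ID:-PaulCoding}"
APPLE_APP_PASSWORD="${APPLE_APP_PASSWORD:-}"         # no hard-coded default: secrets come from the environment
APPLE_KEYCHAIN_PROFILE="${APPLE_KEYCHAIN_PROFILE:-}"
# ── END CONFIG ────────────────────────────────────────────────────────────────

readonly BINARY_PATH CERT_IDENTITY KEYCHAIN_PATH KEYCHAIN_PASS NOTARIZE
readonly APPLE_ID APPLE_TEAM_ID APPLE_APP_PASSWORD APPLE_KEYCHAIN_PROFILE

#######################################
# Print a step banner to stdout.
# Arguments: $* - message
#######################################
log() {
  printf '==> %s\n' "$*"
}

#######################################
# Print an error to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Unlock the build keychain and put it at the front of the user search list so
# codesign can locate the identity.
# Globals:  KEYCHAIN_PASS, KEYCHAIN_PATH (read)
#######################################
setup_keychain() {
  log "Unlocking build keychain"
  # `security unlock-keychain` has no stdin/file option for the password, so it
  # has to go on argv here; run without -p for an interactive prompt instead.
  security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN_PATH"

  # `security list-keychains` prints each path quoted and indented. Parse it
  # into an array instead of an unquoted $(...) (which word-split on spaces),
  # and drop any existing entry for the build keychain so repeated runs do not
  # accumulate duplicates. Written for bash 3.2 (no mapfile).
  local -a keep=()
  local entry
  while IFS= read -r entry; do
    entry="${entry#"${entry%%[![:space:]]*}"}"   # strip leading whitespace
    entry="${entry%\"}"                          # strip surrounding quotes
    entry="${entry#\"}"
    [[ -n "$entry" ]] || continue
    [[ "$entry" == "$KEYCHAIN_PATH" ]] || keep+=("$entry")
  done < <(security list-keychains -d user)

  # ${keep[@]+...} keeps `set -u` happy on an empty array in bash < 4.4.
  security list-keychains -d user -s "$KEYCHAIN_PATH" ${keep[@]+"${keep[@]}"}
}

#######################################
# Sign the binary with the hardened runtime and a secure timestamp.
# Globals:  CERT_IDENTITY, KEYCHAIN_PATH, BINARY_PATH, BINARY_NAME (read)
#######################################
sign_binary() {
  log "Signing binary: $BINARY_NAME"
  # --timestamp needs network access to Apple's timestamp server;
  # --options runtime enables the hardened runtime required for notarization;
  # --force replaces any existing signature.
  codesign --sign "$CERT_IDENTITY" \
    --keychain "$KEYCHAIN_PATH" \
    --timestamp \
    --options runtime \
    --force \
    "$BINARY_PATH"
}

#######################################
# Verify the fresh signature and show the Gatekeeper verdict.
# Globals:  BINARY_PATH (read)
#######################################
verify_signature() {
  log "Verifying signature"
  codesign --verify --strict --verbose=4 "$BINARY_PATH"

  log "Signature details"
  codesign --display --verbose=4 "$BINARY_PATH" 2>&1

  log "Gatekeeper assessment (self-signed certs will show 'rejected' — expected)"
  # Informational: a self-signed identity is always rejected by spctl.
  spctl --assess --type execute --verbose "$BINARY_PATH" 2>&1 || true
}

#######################################
# Submit the binary to Apple's notary service and staple the ticket.
# Globals:  BINARY_PATH, ZIP_PATH, APPLE_* (read)
#######################################
notarize_binary() {
  log "Zipping binary for notarization submission"
  ditto -c -k --keepParent "$BINARY_PATH" "$ZIP_PATH"
  # Remove the upload archive on every exit path, not only after success.
  trap 'rm -f -- "$ZIP_PATH"' EXIT

  log "Submitting to Apple notary service"
  local -a auth
  if [[ -n "$APPLE_KEYCHAIN_PROFILE" ]]; then
    # Credentials stay in the keychain; nothing secret on the command line.
    auth=(--keychain-profile "$APPLE_KEYCHAIN_PROFILE")
  else
    [[ -n "$APPLE_APP_PASSWORD" ]] \
      || die "❌ APPLE_APP_PASSWORD (or APPLE_KEYCHAIN_PROFILE) must be set when NOTARIZE=true"
    auth=(--apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_PASSWORD")
  fi
  xcrun notarytool submit "$ZIP_PATH" "${auth[@]}" --wait

  log "Stapling notarization ticket"
  # stapler fails when no ticket was issued, so a rejected submission cannot
  # pass silently even if notarytool's own exit status did not reflect it.
  xcrun stapler staple "$BINARY_PATH"
  xcrun stapler validate "$BINARY_PATH"
  rm -f -- "$ZIP_PATH"
}

#######################################
# Entry point.
# Arguments: $1 - path to the binary (already captured in BINARY_PATH)
#######################################
main() {
  [[ -f "$BINARY_PATH" ]] || die "❌ File not found: $BINARY_PATH"

  BINARY_NAME="$(basename "$BINARY_PATH")"
  ZIP_PATH="$(dirname "$BINARY_PATH")/${BINARY_NAME}.zip"
  readonly BINARY_NAME ZIP_PATH

  setup_keychain
  sign_binary
  verify_signature

  if [[ "$NOTARIZE" == "true" ]]; then
    notarize_binary
  fi

  printf '\n'
  echo "✅ Done: $BINARY_PATH"
  # Summary is informational: `|| true` keeps a grep miss (unexpected codesign
  # output format) from turning a successful sign into exit 1 under pipefail.
  codesign -dv "$BINARY_PATH" 2>&1 \
    | grep -E "^(Authority|TeamIdentifier|Signature size|Hash|CDHash)" || true
}

main "$@"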