#!/usr/bin/env bash

# This script signs the provided darwin binary with an Apple Developer
# certificate.
#
# Usage: ./sign_darwin.sh path/to/binary binary_identifier
#
# On success, the input file will be signed using the Apple Developer
# certificate.
#
# For the Coder CLI, the binary_identifier should be "com.coder.cli".
# For the CoderVPN `.dylib`, the binary_identifier should be "com.coder.Coder-Desktop.VPN.dylib".
#
# You can check if a binary is signed by running the following command on a Mac:
#   codesign -dvv path/to/binary
#
# You can also run the following command to verify the signature on other
# systems, but it may be less accurate:
#   rcodesign verify path/to/binary
#
# Depends on the rcodesign utility. Requires the following environment variables
# to be set:
#  - $AC_CERTIFICATE_FILE: The path to the Apple Developer P12 certificate file.
#  - $AC_CERTIFICATE_PASSWORD_FILE: The path to the file containing the password
#    for the Apple Developer certificate.

set -euo pipefail
# shellcheck source=scripts/lib.sh
source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"

if [[ "$#" -lt 2 ]]; then
	echo "Usage: $0 path/to/binary binary_identifier"
	exit 1
fi

BINARY_PATH="$1"
BINARY_IDENTIFIER="$2"

# Check dependencies
dependencies rcodesign
requiredenvs AC_CERTIFICATE_FILE AC_CERTIFICATE_PASSWORD_FILE

# -v is quite verbose, the default output is pretty good on it's own.
rcodesign sign \
	--binary-identifier "$BINARY_IDENTIFIER" \
	--p12-file "$AC_CERTIFICATE_FILE" \
	--p12-password-file "$AC_CERTIFICATE_PASSWORD_FILE" \
	--code-signature-flags runtime \
	"$BINARY_PATH" \
	1>&2