#!/bin/bash

## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

set -x
set -e

true "INFO: Currently running script: $BASH_SOURCE $@"

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cd "$MYDIR"

dist_build_internal_run="true"

source ~/derivative-maker/help-steps/pre
source ~/derivative-maker/help-steps/colors
source ~/derivative-maker/help-steps/variables

if [ "$(id -u)" = "0" ]; then
   true "ERROR: Do not run this as root!"
   exit 1
fi

sanity_tests() {
   command -v signify-openbsd >/dev/null
   test -f "$signify_public_key"
   test -f "$signify_private_key"

   command -v rsstail

   "$dist_source_help_steps_folder/signing-key-test" "$@"
}

sign_cmd() {
   test -f "$full_path_to_canary_txt"

   ## GPG signatures do not authenticate filenames by default, therefore add
   ## the name of the file as a OpenPGP notation so at least users that look
   ## at OpenPGP notations have a chance to detect if file names have been
   ## tampered with.
   $gpg_bin "$@" --armor --yes --set-notation "file@name"="$(basename "$full_path_to_canary_txt")" --output "$full_path_to_gpg_output_file" "$full_path_to_canary_txt"
}

sign_cmd_signify() {
   ## To create a key for signify-openbsd:
   ## as user "user"
   ## mkdir -p ~/.signify
   ## cd ~/.signify
   ## signify-openbsd -n -G -p keyname.pub -s keyname.sec -c "Firstname Lastname e-mail@address.org signify"

   ## https://forums.whonix.org/t/signify-openbsd/7842
   signify-openbsd -S -s "$signify_private_key" -m "$1" -x "${1}${2}" ${3}
   ## Sanity test.
   test -f "${1}${2}"
}

verify_cmd() {
   $gpg_bin --verify-options show-notations --verify "$@"
}

verify_cmd_signinfy() {
   signify-openbsd -V -p "$signify_public_key" -m "$1" -x "${1}${2}" ${3}
}

sanity_tests

if test -d "$binary_build_folder_dist/canary" ; then
    rm --recursive "$binary_build_folder_dist/canary"
fi

mkdir --parents "$binary_build_folder_dist/canary"

full_path_to_canary_txt="$binary_build_folder_dist/canary/canary.txt"

cp "$dist_developer_meta_files_folder/misc/canary-template.txt" "$full_path_to_canary_txt"

proof_of_freshness_output="$(dm-proof-of-freshness-generator 2>&1)"
echo "$proof_of_freshness_output" | tee -a "$full_path_to_canary_txt"

cat "$full_path_to_canary_txt"

full_path_to_gpg_output_file="$binary_build_folder_dist/canary/canary.txt.asc"
sign_cmd --detach-sign
verify_cmd "$full_path_to_gpg_output_file" "$full_path_to_canary_txt"

full_path_to_gpg_output_file="$binary_build_folder_dist/canary/canary.txt.clearsign.asc"
sign_cmd --clearsign
verify_cmd "$binary_build_folder_dist/canary/canary.txt.clearsign.asc"

sign_cmd_signify "$full_path_to_canary_txt" ".sig"
verify_cmd_signinfy "$full_path_to_canary_txt" ".sig"

sign_cmd_signify "$full_path_to_canary_txt" ".embed.sig" -e

signify-openbsd -V -e -p "$signify_public_key" -x "$binary_build_folder_dist/canary/canary.txt.embed.sig" -m "$binary_build_folder_dist/canary/canary-unembed.txt"

diff "$full_path_to_canary_txt" "$binary_build_folder_dist/canary/canary-unembed.txt"

cat "$binary_build_folder_dist/canary/canary.txt"

cp "$binary_build_folder_dist/canary/canary.txt.asc" ~/sourcesown/canary/
cp "$binary_build_folder_dist/canary/canary.txt" ~/sourcesown/canary/
cp "$binary_build_folder_dist/canary/canary.txt.clearsign.asc" ~/sourcesown/canary/
cp "$binary_build_folder_dist/canary/canary.txt.sig" ~/sourcesown/canary/
cp "$binary_build_folder_dist/canary/canary.txt.embed.sig" ~/sourcesown/canary/

pushd ~/sourcesown/canary/
git add -A
git commit -a -m "update canary"
popd
