#!/usr/bin/env bash
set -euo pipefail

TAR_PATH=${1:-evidence-locker/signals/2025-12-05/signals-evidence.tar}
EXPECTED_SHA=${EXPECTED_SHA:-a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d}

if [[ ! -f "$TAR_PATH" ]]; then
  echo "missing tar: $TAR_PATH" >&2
  exit 1
fi

sha=$(sha256sum "$TAR_PATH" | awk '{print $1}')
if [[ -n "$EXPECTED_SHA" && "$sha" != "$EXPECTED_SHA" ]]; then
  echo "sha mismatch: got $sha expected $EXPECTED_SHA" >&2
  exit 2
fi

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

tar -xf "$TAR_PATH" -C "$tmpdir"
(cd "$tmpdir/evidence-locker/signals/2025-12-05" && sha256sum --check SHA256SUMS)

echo "OK: tar hash=${sha} (expected=${EXPECTED_SHA:-<not set>}); inner SHA256SUMS verified"