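#!/usr/bin/env bash
set -euo pipefail

# Minimal verifier sample for AIRGAP-VERIFY-510-014. Adjust paths to your kit.
#
# Usage: <this-script> [KIT_ROOT]      (KIT_ROOT defaults to ./offline-kit)
#
# Steps, in order:
#   1. Verify the signature over manifest.json with cosign.
#   2. Recompute the SHA-256 of every chunk the manifest lists and compare.
# The order is deliberate: the manifest is only trusted as a source of chunk
# paths and digests once its signature has verified, and `set -e` stops the
# script before step 2 if cosign exits non-zero.
#
# Exit status:
#   0  signature verified and every listed chunk matched
#   4  at least one chunk mismatched, was unreadable, or resolved outside the kit
#   other non-zero: cosign failure, missing tool, or malformed manifest

KIT_ROOT=${1:-./offline-kit}
MANIFEST="$KIT_ROOT/manifest.json"
SIG="$KIT_ROOT/manifest.dsse"

# The public key is read relative to the current directory, not from the kit.
# Keep it that way: a trust root shipped inside the kit would be controlled by
# whoever produced (or tampered with) the kit, and would prove nothing.
TRUST_ROOT_KEY="trust-roots/manifest.pub"

command -v cosign >/dev/null 2>&1 || {
  echo "[!] cosign not found in PATH" >&2
  exit 1
}

# The embedded checker uses f-strings, so it needs Python 3.
if command -v python3 >/dev/null 2>&1; then
  PYTHON_BIN=python3
elif command -v python >/dev/null 2>&1; then
  PYTHON_BIN=python
else
  echo "[!] python3 not found in PATH" >&2
  exit 1
fi

echo "[*] Verifying manifest signature..."
# NOTE(review): `--signature` expects a detached signature over the blob. If
# manifest.dsse is really a DSSE envelope, this call does not validate it as
# one. Confirm which format the kit builder emits.
cosign verify-blob --key "$TRUST_ROOT_KEY" --signature "$SIG" "$MANIFEST"

echo "[*] Checking chunk hashes..."
# The manifest path is passed as argv[1]. MANIFEST is a plain shell variable
# (not exported), so the child process cannot read it from its environment.
"$PYTHON_BIN" - "$MANIFEST" <<'PY'
import hashlib
import json
import os
import sys

manifest_path = sys.argv[1]
kit_root = os.path.realpath(os.path.dirname(manifest_path))

with open(manifest_path, encoding="utf-8") as f:
    data = json.load(f)

chunks = data.get("chunks", [])
if not chunks:
    # A manifest with no chunks would otherwise "pass" without checking anything.
    print("WARNING: manifest lists no chunks; nothing was hash-checked",
          file=sys.stderr)

ok = True
for entry in chunks:
    rel = entry["path"]
    # Resolve symlinks and ".." so an entry cannot make the verifier hash a
    # file outside the kit directory (os.path.join also discards the base
    # when the entry is an absolute path).
    path = os.path.realpath(os.path.join(kit_root, rel))
    if os.path.commonpath([kit_root, path]) != kit_root:
        ok = False
        print(f"PATH OUTSIDE KIT {rel}")
        continue

    h = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            # Stream in 1 MiB blocks; chunks may be too large to read at once.
            for block in iter(lambda: fh.read(1024 * 1024), b""):
                h.update(block)
    except OSError as exc:
        # Report and keep going so one run lists every bad chunk.
        ok = False
        print(f"UNREADABLE {rel}: {exc}")
        continue

    if h.hexdigest() != entry["sha256"]:
        ok = False
        print(f"HASH MISMATCH {rel}")

if not ok:
    sys.exit(4)
PY

echo "[*] Done."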