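#!/usr/bin/env bash
# Signs a policy file with cosign and then verifies the signature it just
# produced. Intended for CI and offline use.
#
# Key material comes from exactly one of:
#   COSIGN_KEY_B64   base64-encoded PEM private key. It is decoded into a
#                    0600 temp file that is deleted on exit -- never into
#                    --out-dir, which is the directory a CI job is likely to
#                    archive as an artifact.
#   COSIGN_KEY       a key reference cosign can open directly (e.g. a KMS
#                    URI), used when COSIGN_KEY_B64 is unset.
# Optional:
#   COSIGN_PASSWORD          passphrase for the key (may be empty for test keys)
#   COSIGN_PUBLIC_KEY_PATH   where to write the public key used by the verify step
#
# Outputs <out-dir>/<basename>.sig plus the public key. Exits 1 on usage
# errors; any cosign failure aborts the script via set -e.
set -euo pipefail

#######################################
# Print command-line usage to stdout.
#######################################
usage() {
  cat <<'USAGE'
Usage: sign-policy.sh --file PATH [--out-dir out/policy-sign]
Env:
  COSIGN_KEY_B64          base64-encoded PEM private key (if not using KMS)
  COSIGN_KEY              key reference, e.g. a KMS URI (if COSIGN_KEY_B64 is unset)
  COSIGN_PASSWORD         passphrase for the key (can be empty for test keys)
  COSIGN_PUBLIC_KEY_PATH  optional path to write public key for verify step
USAGE
}

#######################################
# Print a message to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

FILE=""
OUT_DIR="out/policy-sign"

while [[ $# -gt 0 ]]; do
  case "$1" in
    --file)
      # Check before touching $2: under set -u a missing value would
      # otherwise surface as an "unbound variable" error, not a usage error.
      [[ $# -ge 2 ]] || die "--file requires a value"
      FILE="$2"
      shift 2
      ;;
    --out-dir)
      [[ $# -ge 2 ]] || die "--out-dir requires a value"
      OUT_DIR="$2"
      shift 2
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      printf 'Unknown arg: %s\n' "$1" >&2
      usage >&2
      exit 1
      ;;
  esac
done

[[ -n "$FILE" ]] || die "--file is required"
[[ -f "$FILE" ]] || die "file not found: $FILE"
command -v cosign >/dev/null 2>&1 || die "cosign not found in PATH"

mkdir -p -- "$OUT_DIR"
BASENAME=$(basename -- "$FILE")
SIG="$OUT_DIR/${BASENAME}.sig"
PUB_OUT="${COSIGN_PUBLIC_KEY_PATH:-$OUT_DIR/cosign.pub}"

# The decoded private key must never be written into OUT_DIR: that directory
# holds the signature and public key and is exactly what a pipeline uploads
# as a build artifact. mktemp creates the file 0600 before any key bytes are
# written (no chmod-after-write window), and the EXIT trap removes it on
# every exit path, including cosign failures.
KEY_TMP=""
cleanup() {
  if [[ -n "$KEY_TMP" ]]; then
    rm -f -- "$KEY_TMP"
  fi
}
trap cleanup EXIT

if [[ -n "${COSIGN_KEY_B64:-}" ]]; then
  KEY_TMP=$(mktemp) || die "mktemp failed"
  # pipefail makes a malformed base64 payload abort here rather than hand a
  # truncated key to cosign.
  printf '%s' "$COSIGN_KEY_B64" | base64 -d > "$KEY_TMP"
  KEY_REF="$KEY_TMP"
else
  # No inline key: COSIGN_KEY must name something cosign can open directly
  # (e.g. a KMS URI). Fail with a clear message instead of an unbound-variable
  # error at the public-key step.
  KEY_REF="${COSIGN_KEY:?set COSIGN_KEY_B64 or COSIGN_KEY (e.g. a KMS URI)}"
fi
# Exported for compatibility with anything downstream that reads COSIGN_KEY.
export COSIGN_KEY="$KEY_REF"
# Always exported, even when empty, so cosign never blocks on an interactive
# passphrase prompt in CI.
export COSIGN_PASSWORD="${COSIGN_PASSWORD:-}"

# --key is passed explicitly on every call. Leaving it off and hoping cosign
# picks the key up from the environment risks a missing value quietly turning
# sign-blob into keyless (OIDC / Fulcio) mode, which is neither offline nor
# what this script promises.
# NOTE(review): recent cosign releases upload sign-blob signatures to Rekor by
# default and verify-blob then expects a log entry (or a bundle). For a truly
# offline flow, add --tlog-upload=false on sign and --insecure-ignore-tlog on
# verify once the cosign version used here is pinned; not added blindly since
# older releases lack the flags.
cosign sign-blob --key "$KEY_REF" --output-signature "$SIG" "$FILE"
cosign public-key --key "$KEY_REF" > "$PUB_OUT"
# Verifying with a public key derived from the same private key in the same
# run is a self-check that the signature was produced correctly; it is not a
# trust decision. Consumers must verify against an independently distributed
# public key.
cosign verify-blob --key "$PUB_OUT" --signature "$SIG" "$FILE"

printf 'Signed %s -> %s\nPublic key -> %s\n' "$FILE" "$SIG" "$PUB_OUT"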