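#!/usr/bin/env bash
set -euo pipefail

# Generates an offline-friendly code-signing certificate (self-signed) for
# NuGet package signing.
#
# Environment (all optional):
#   OUT_DIR   output directory               (default: out/sdk-signing)
#   SUBJECT   certificate subject            (default: /CN=StellaOps SDK Signing/O=StellaOps)
#   DAYS      validity period in days        (default: 3650)
#   PFX_NAME  file name of the PKCS#12 bundle (default: sdk-signing.pfx)
#   PASSWORD  PKCS#12 export password        (default: empty)
#
# Outputs, all inside OUT_DIR:
#   sdk-signing.key  unencrypted RSA private key
#   sdk-signing.crt  self-signed certificate
#   $PFX_NAME        PKCS#12 bundle (key + certificate)
#   README.txt       base64 of the bundle plus the secrets to configure
#
# Every output except the .crt is secret material. Treat OUT_DIR as sensitive
# and remove it once the secrets have been copied to the secret store.

OUT_DIR=${OUT_DIR:-out/sdk-signing}
SUBJECT=${SUBJECT:-"/CN=StellaOps SDK Signing/O=StellaOps"}
DAYS=${DAYS:-3650}
PFX_NAME=${PFX_NAME:-sdk-signing.pfx}
PASSWORD=${PASSWORD:-""}

mkdir -p "$OUT_DIR"

# Set after mkdir so directory modes are left as before; every file created
# from here on is owner-only instead of following the caller's umask.
umask 077

PRIV="$OUT_DIR/sdk-signing.key"
CRT="$OUT_DIR/sdk-signing.crt"
PFX="$OUT_DIR/$PFX_NAME"
README="$OUT_DIR/README.txt"

if [[ -z "$PASSWORD" ]]; then
  # An empty export password leaves the private key inside the PFX effectively
  # unprotected; anyone who obtains the file (or its base64) can sign with it.
  printf 'warning: PASSWORD is empty; the PFX will not be password-protected\n' >&2
fi

# -nodes writes the private key unencrypted so the export below can run
# without prompting; the umask above and the chmod below keep it owner-only.
openssl req -x509 -newkey rsa:4096 -sha256 -days "$DAYS" \
  -nodes -subj "$SUBJECT" -keyout "$PRIV" -out "$CRT"

# Hand the password to openssl through its environment (env:) rather than
# argv (pass:), because command-line arguments are readable by other local
# users via the process list. The variable is scoped to this one command.
PFX_PASSOUT="$PASSWORD" openssl pkcs12 -export -out "$PFX" \
  -inkey "$PRIV" -in "$CRT" -passout env:PFX_PASSOUT

BASE64_PFX=$(base64 < "$PFX" | tr -d '\n')

# NOTE(review): the heredoc opener and the README lines before "Base64:" were
# lost in the extracted source; the first two lines below are a reconstruction
# and should be confirmed against the original script.
# NOTE(review): README.txt holds the base64 PFX and its password side by side
# in clear text, so it is as sensitive as the private key itself.
cat > "$README" <<EOF
PFX: $PFX
Password: ${PASSWORD:-<empty>}
Base64:
$BASE64_PFX
Secrets to set:
  SDK_SIGNING_CERT_B64=$BASE64_PFX
  SDK_SIGNING_CERT_PASSWORD=$PASSWORD
EOF

# The umask only affects newly created files; tighten files that already
# existed from an earlier run with looser permissions.
chmod 600 -- "$PRIV" "$PFX" "$README"

printf "Generated signing cert -> %s (base64 in README)\n" "$PFX"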