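#!/usr/bin/env bash
set -euo pipefail

# Signs NuGet packages using a PKCS#12 (PFX) certificate.
#
# Environment:
#   PACKAGES_GLOB              glob(s) of packages to sign (default: out/sdk/*.nupkg)
#   OUT_DIR                    output directory, created if missing (default: out/sdk)
#   TIMESTAMP_URL              optional timestamp server URL; empty for offline signing
#   PFX_PATH                   path to an existing PFX; takes precedence over the base64 form
#   SDK_SIGNING_CERT_B64       base64-encoded PFX, used only when PFX_PATH is empty
#   SDK_SIGNING_CERT_PASSWORD  password protecting the PFX
#
# Exit status: 0 when packages were signed, and also 0 when signing was skipped
# (no certificate, or no package matched). A release pipeline that must never
# publish unsigned packages has to verify signatures in a later step rather
# than rely on this script's exit status.

PACKAGES_GLOB=${PACKAGES_GLOB:-"out/sdk/*.nupkg"}
OUT_DIR=${OUT_DIR:-out/sdk}
TIMESTAMP_URL=${TIMESTAMP_URL:-""} # optional; keep empty for offline
PFX_PATH=${PFX_PATH:-""}
PFX_B64=${SDK_SIGNING_CERT_B64:-}
PFX_PASSWORD=${SDK_SIGNING_CERT_PASSWORD:-}

# Path of the PFX this script decoded itself; empty when the caller supplied
# PFX_PATH, in which case the file belongs to the caller and is never deleted.
decoded_pfx=""

# Removes the decoded private-key file on every exit path, including failures.
cleanup() {
  if [[ -n "$decoded_pfx" ]]; then
    rm -f -- "$decoded_pfx"
  fi
}
trap cleanup EXIT

mkdir -p "$OUT_DIR"

if [[ -z "$PFX_PATH" ]]; then
  if [[ -z "$PFX_B64" ]]; then
    echo "No signing cert provided (SDK_SIGNING_CERT_B64/PFX_PATH); skipping signing."
    exit 0
  fi
  # The decoded PFX holds the signing private key. It is written to a private
  # temp file (mktemp creates it with mode 0600) instead of into OUT_DIR, so it
  # cannot be picked up with the build artifacts that get uploaded from there.
  decoded_pfx=$(mktemp "${TMPDIR:-/tmp}/sdk-signing.XXXXXX")
  PFX_PATH=$decoded_pfx
  printf '%s' "$PFX_B64" | base64 -d > "$PFX_PATH"
fi

# Expand the glob in the shell instead of parsing `ls` output, so matched file
# names containing whitespace stay intact. Word splitting of PACKAGES_GLOB is
# intentional: it may hold several space-separated patterns.
shopt -s nullglob
# shellcheck disable=SC2206
candidates=($PACKAGES_GLOB)
shopt -u nullglob

packages=()
for candidate in ${candidates[@]+"${candidates[@]}"}; do
  # nullglob only drops unmatched *patterns*; a literal path that does not
  # exist would survive the expansion, so keep regular files only.
  if [[ -f "$candidate" ]]; then
    packages+=("$candidate")
  fi
done

if [[ ${#packages[@]} -eq 0 ]]; then
  echo "No packages found under glob '$PACKAGES_GLOB'; nothing to sign."
  exit 0
fi

# Without a timestamp the signature is only valid while the certificate is;
# offline signing is a trade-off, not a default to keep for published releases.
# NOTE(review): the documented `dotnet nuget sign` option for the timestamp
# server is `--timestamper`; confirm that `--timestamp-url` is accepted by the
# SDK version in use.
ts_args=()
if [[ -n "$TIMESTAMP_URL" ]]; then
  ts_args=(--timestamp-url "$TIMESTAMP_URL")
fi

for pkg in "${packages[@]}"; do
  echo "Signing $pkg"
  # The password is passed on the command line, so it is visible in the process
  # list for the duration of the call and in `set -x` traces; run this only on
  # single-tenant build agents and never enable xtrace around it.
  # ${ts_args[@]+...} keeps `set -u` from failing on an empty array in bash < 4.4.
  dotnet nuget sign "$pkg" \
    --certificate-path "$PFX_PATH" \
    --certificate-password "$PFX_PASSWORD" \
    --hash-algorithm sha256 \
    ${ts_args[@]+"${ts_args[@]}"}
done

echo "Signed ${#packages[@]} package(s)."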