#!/usr/bin/env bash
set -euo pipefail
# Generates a new cosign keypair for policy signing.
# Outputs PEMs in out/policy-sign/keys and base64 ready for CI secrets.

OUT_DIR=${OUT_DIR:-out/policy-sign/keys}
PREFIX=${PREFIX:-policy-cosign}
PASSWORD=${COSIGN_PASSWORD:-}

mkdir -p "$OUT_DIR"
KEY_PREFIX="$OUT_DIR/$PREFIX"

if ! command -v cosign >/dev/null 2>&1; then
  echo "cosign is required on PATH" >&2
  exit 1
fi

export COSIGN_PASSWORD="$PASSWORD"
cosign version >/dev/null
cosign generate-key-pair --output-key-prefix "$KEY_PREFIX" >/dev/null

BASE64_PRIV=$(base64 < "${KEY_PREFIX}.key" | tr -d '\n')
BASE64_PUB=$(base64 < "${KEY_PREFIX}.pub" | tr -d '\n')

cat > "$OUT_DIR/README.txt" <<EOF
Key prefix: $KEY_PREFIX
Private key (base64): $BASE64_PRIV
Public key (base64): $BASE64_PUB
Set secrets:
  POLICY_COSIGN_KEY_B64=$BASE64_PRIV
  POLICY_COSIGN_PUB_B64=$BASE64_PUB
EOF

printf "Generated keys under %s\n" "$OUT_DIR"