#!/bin/bash
set -e
script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
source "$script_dir/functions"
source "$script_dir/set-config.update-responses"

NON_INTERACTIVE=1
steps_dir="$signed_version_dir.steps"
test -d "$steps_dir" || mkdir -p "$steps_dir"

test -f "$steps_dir/linux-signer-rcodesign-sign.done" ||
  read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW
echo
is_project torbrowser && nssdb=torbrowser-nssdb7
is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb-1
test -f "$steps_dir/linux-signer-signmars.done" ||
  read -sp "Enter $nssdb (mar signing) passphrase: " NSSPASS
echo

if is_project torbrowser; then
  test -f "$steps_dir/linux-signer-sign-android-apks.done" ||
    read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS
  echo
fi
test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
  read -sp "Enter windows authenticode passphrase: " YUBIPASS
echo
test -f "$steps_dir/linux-signer-gpg-sign.done" ||
  read -sp "Enter gpg passphrase: " GPG_PASS
echo

function set-time-on-signing-machine {
  local current_time=$(date -u)
  ssh "$ssh_host_linux_signer" sudo /usr/bin/date -s "'$current_time'"
}

function wait-for-finished-build {
  "$script_dir/wait-for-finished-build"
}

function sync-builder-unsigned-to-local-signed {
  "$script_dir/sync-builder-unsigned-to-local-signed"
}

function sync-before-linux-signer-rcodesign-sign {
  "$script_dir/sync-local-to-linux-signer"
}

function linux-signer-rcodesign-sign {
  ssh -R 8080:timestamp.apple.com:80 "$ssh_host_linux_signer" 'bash -s' << EOF
  export RCODESIGN_PW=$RCODESIGN_PW
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-rcodesign-sign.$SIGNING_PROJECTNAME
EOF
  unset RCODESIGN_PW
}

function sync-linux-signer-macos-signed-tar-to-local {
  "$script_dir/sync-linux-signer-macos-signed-tar-to-local"
}

function rcodesign-notary-submit {
  "$script_dir/rcodesign-notary-submit"
}

function gatekeeper-bundling {
  "$script_dir/gatekeeper-bundling.sh"
}

function dmg2mar {
  "$script_dir/dmg2mar"
}

function sync-scripts-to-linux-signer {
  "$script_dir/sync-scripts-to-linux-signer"
}

function sync-before-linux-signer-signmars {
  "$script_dir/sync-local-to-linux-signer"
}

function linux-signer-signmars {
  ssh "$ssh_host_linux_signer" 'bash -s' << EOF
  export NSSPASS=$NSSPASS
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-signmars.$SIGNING_PROJECTNAME
EOF
  unset NSSPASS
}

function sync-after-signmars {
  "$script_dir/sync-linux-signer-to-local"
}

function linux-signer-sign-android-apks {
  ssh "$ssh_host_linux_signer" 'bash -s' << EOF
  export KSPASS=$KSPASS
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-sign-android-apks.$SIGNING_PROJECTNAME
EOF
  unset KSPASS
}

function sync-after-sign-android-apks {
  "$script_dir/sync-linux-signer-to-local"
}

function download-unsigned-sha256sums-gpg-signatures-from-people-tpo {
  "$script_dir/download-unsigned-sha256sums-gpg-signatures-from-people-tpo"
}

function linux-signer-authenticode-signing {
  ssh "$ssh_host_linux_signer" 'bash -s' << EOF
  export YUBIPASS='$YUBIPASS'
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-authenticode-signing.$SIGNING_PROJECTNAME
EOF
  unset YUBIPASS
}

function sync-after-authenticode-signing {
  "$script_dir/sync-linux-signer-to-local"
}

function authenticode-timestamping {
  "$script_dir/authenticode-timestamping.sh"
}

function sync-after-authenticode-timestamping {
  "$script_dir/sync-local-to-linux-signer"
}

function hash_signed_bundles {
  "$script_dir/hash_signed_bundles.sh"
}

function sync-after-hash {
  "$script_dir/sync-local-to-linux-signer"
}

function linux-signer-gpg-sign {
  ssh "$ssh_host_linux_signer" 'bash -s' << EOF
  export GPG_PASS=$GPG_PASS
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-gpg-sign.$SIGNING_PROJECTNAME
EOF
}

function sync-after-gpg-sign {
  "$script_dir/sync-linux-signer-to-local"
}

function sync-local-to-staticiforme {
  "$script_dir/sync-local-to-staticiforme"
}

function sync-scripts-to-staticiforme {
  "$script_dir/sync-scripts-to-staticiforme"
}

function staticiforme-prepare-cdn-dist-upload {
  ssh "$ssh_host_staticiforme" "signing-$SIGNING_PROJECTNAME-$tbb_version_type/staticiforme-prepare-cdn-dist-upload.$SIGNING_PROJECTNAME"
}

function upload-update_responses-to-staticiforme {
  "$script_dir/upload-update_responses-to-staticiforme"
}

function finished-signing-clean-linux-signer {
  "$script_dir/finished-signing-clean-linux-signer"
}

function do_step {
  test -f "$steps_dir/$1.done" && return 0
  echo "$(date -Iseconds) - Starting step: $1"
  $1 2>&1 | tee "$steps_dir/$1.log"
  test ${PIPESTATUS[0]} -eq 0
  touch "$steps_dir/$1.done"
  echo "$(date -Iseconds) - Finished step: $1"
}

export SIGNING_PROJECTNAME

do_step set-time-on-signing-machine
do_step wait-for-finished-build
do_step sync-builder-unsigned-to-local-signed
do_step sync-scripts-to-linux-signer
do_step sync-before-linux-signer-rcodesign-sign
do_step linux-signer-rcodesign-sign
do_step sync-linux-signer-macos-signed-tar-to-local
do_step rcodesign-notary-submit
do_step gatekeeper-bundling
do_step dmg2mar
do_step sync-scripts-to-linux-signer
do_step sync-before-linux-signer-signmars
do_step linux-signer-signmars
do_step sync-after-signmars
is_project torbrowser && \
  do_step linux-signer-sign-android-apks
is_project torbrowser && \
  do_step sync-after-sign-android-apks
do_step linux-signer-authenticode-signing
do_step sync-after-authenticode-signing
do_step authenticode-timestamping
do_step sync-after-authenticode-timestamping
do_step hash_signed_bundles
do_step sync-after-hash
do_step linux-signer-gpg-sign
do_step sync-after-gpg-sign
do_step download-unsigned-sha256sums-gpg-signatures-from-people-tpo
do_step sync-local-to-staticiforme
do_step sync-scripts-to-staticiforme
do_step staticiforme-prepare-cdn-dist-upload
do_step upload-update_responses-to-staticiforme
do_step finished-signing-clean-linux-signer
