#!/bin/bash
set -e
script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
source "$script_dir/functions"
source "$script_dir/set-config.update-responses"
NON_INTERACTIVE=1
steps_dir="$signed_version_dir.steps"
test -d "$steps_dir" || mkdir -p "$steps_dir"

function get_sekrit {
  echo "$SEKRITS" | grep -A1 "$1:" | tail -n1
}

[ -f "$script_dir/set-config.passwords" ] && . "$script_dir/set-config.passwords" 2>/dev/null

if [[ $1 = "-p" ]]; then
  shift
  passwords_gpg_file="$1"
  shift
fi

is_project torbrowser && nssdb=torbrowser-nssdb7
is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb1

if [ -f "$passwords_gpg_file" ]; then
  echo "Reading passwords from $passwords_gpg_file"
  SEKRITS=$(gpg --decrypt "$passwords_gpg_file")
  RCODESIGN_PW=$(get_sekrit 'rcodesign')
  NSSPASS=$(get_sekrit "$nssdb (mar signing)")
  KSPASS=$(get_sekrit "android apk ($tbb_version_type)")
  YUBIPASS=$(get_sekrit "windows authenticode")
  GPG_PASS=$(get_sekrit "gpg")
else
  echo "Rather than entering all the password manually, you may want to provide a gpg-encrypted file either on the command line (-p <filepath>) or in set-config.passwords."
fi

test -f "$steps_dir/linux-signer-rcodesign-sign.done" || [ -n "$RCODESIGN_PW" ] ||
  read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW
echo

test -f "$steps_dir/linux-signer-signmars.done" || [ -n "$NSSPASS" ] ||
  read -sp "Enter $nssdb (mar signing) passphrase: " NSSPASS
echo

if is_project torbrowser; then
  test -f "$steps_dir/linux-signer-sign-android-apks.done" || [ -n "$KSPASS" ] ||
    read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS
  echo
fi
test -f "$steps_dir/linux-signer-authenticode-signing.done" || [ -n "$YUBIPASS" ] ||
  read -sp "Enter windows authenticode passphrase: " YUBIPASS
echo
test -f "$steps_dir/linux-signer-gpg-sign.done" || [ -n "$GPG_PASS" ] ||
  read -sp "Enter gpg passphrase: " GPG_PASS
echo

function set-time-on-signing-machine {
  local current_time=$(date -u -Iseconds)
  ssh "$ssh_host_linux_signer" sudo /usr/bin/date -s "'$current_time'"
}

function wait-for-finished-build {
  "$script_dir/wait-for-finished-build"
}

function sync-builder-unsigned-to-local-signed {
  "$script_dir/sync-builder-unsigned-to-local-signed"
}

function clean-build-artifacts {
  "$script_dir/clean-build-artifacts"
}

function sync-before-linux-signer-rcodesign-sign {
  "$script_dir/sync-local-to-linux-signer"
}

function linux-signer-rcodesign-sign {
  ssh -R 8080:timestamp.apple.com:80 "$ssh_host_linux_signer" 'bash -s' << EOF
  export RCODESIGN_PW=$RCODESIGN_PW
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-rcodesign-sign.$SIGNING_PROJECTNAME
EOF
  unset RCODESIGN_PW
}

function sync-linux-signer-macos-signed-tar-to-local {
  "$script_dir/sync-linux-signer-macos-signed-tar-to-local"
}

function rcodesign-notary-submit {
  "$script_dir/rcodesign-notary-submit"
}

function gatekeeper-bundling {
  "$script_dir/gatekeeper-bundling.sh"
}

function dmg2mar {
  "$script_dir/dmg2mar"
}

function sync-scripts-to-linux-signer {
  "$script_dir/sync-scripts-to-linux-signer"
}

function sync-before-linux-signer-signmars {
  "$script_dir/sync-local-to-linux-signer"
}

function linux-signer-signmars {
  ssh "$ssh_host_linux_signer" 'bash -s' << EOF
  export NSSPASS=$NSSPASS
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-signmars.$SIGNING_PROJECTNAME
EOF
  unset NSSPASS
}

function sync-after-signmars {
  "$script_dir/sync-linux-signer-to-local"
}

function linux-signer-sign-android-apks {
  ssh "$ssh_host_linux_signer" 'bash -s' << EOF
  export KSPASS=$KSPASS
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-sign-android-apks.$SIGNING_PROJECTNAME
EOF
  unset KSPASS
}

function sync-after-sign-android-apks {
  "$script_dir/sync-linux-signer-to-local"
}

function download-unsigned-sha256sums-gpg-signatures-from-people-tpo {
  "$script_dir/download-unsigned-sha256sums-gpg-signatures-from-people-tpo"
}

function linux-signer-authenticode-signing {
  ssh "$ssh_host_linux_signer" 'bash -s' << EOF
  export YUBIPASS='$YUBIPASS'
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-authenticode-signing.$SIGNING_PROJECTNAME
EOF
  unset YUBIPASS
}

function sync-after-authenticode-signing {
  "$script_dir/sync-linux-signer-to-local"
}

function authenticode-timestamping {
  "$script_dir/authenticode-timestamping.sh"
}

function sync-after-authenticode-timestamping {
  "$script_dir/sync-local-to-linux-signer"
}

function hash_signed_bundles {
  "$script_dir/hash_signed_bundles.sh"
}

function sync-after-hash {
  "$script_dir/sync-local-to-linux-signer"
}

function linux-signer-gpg-sign {
  ssh "$ssh_host_linux_signer" 'bash -s' << EOF
  export GPG_PASS=$GPG_PASS
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-gpg-sign.$SIGNING_PROJECTNAME
EOF
}

function sync-after-gpg-sign {
  "$script_dir/sync-linux-signer-to-local"
}

function sync-local-to-staticiforme {
  "$script_dir/sync-local-to-staticiforme"
}

function sync-scripts-to-staticiforme {
  "$script_dir/sync-scripts-to-staticiforme"
}

function staticiforme-prepare-cdn-dist-upload {
  ssh "$ssh_host_staticiforme" "signing-$SIGNING_PROJECTNAME-$tbb_version_type/staticiforme-prepare-cdn-dist-upload.$SIGNING_PROJECTNAME"
}

function upload-update_responses-to-staticiforme {
  "$script_dir/upload-update_responses-to-staticiforme"
}

function finished-signing-clean-linux-signer {
  "$script_dir/finished-signing-clean-linux-signer"
}

function do_step {
  test -f "$steps_dir/$1.done" && return 0
  echo "$(date -Iseconds) - Starting step: $1"
  $1 2>&1 | tee "$steps_dir/$1.log"
  test ${PIPESTATUS[0]} -eq 0
  touch "$steps_dir/$1.done"
  echo "$(date -Iseconds) - Finished step: $1"
}

function is_legacy {
  [[ "$tbb_version" = 13.* ]]
}

export SIGNING_PROJECTNAME

do_step set-time-on-signing-machine
do_step wait-for-finished-build
do_step sync-builder-unsigned-to-local-signed
do_step clean-build-artifacts
do_step sync-scripts-to-linux-signer
do_step sync-before-linux-signer-rcodesign-sign
do_step linux-signer-rcodesign-sign
do_step sync-linux-signer-macos-signed-tar-to-local
do_step rcodesign-notary-submit
do_step gatekeeper-bundling
do_step dmg2mar
do_step sync-scripts-to-linux-signer
do_step sync-before-linux-signer-signmars
do_step linux-signer-signmars
do_step sync-after-signmars
is_project torbrowser && ! is_legacy && \
  do_step linux-signer-sign-android-apks
is_project torbrowser && ! is_legacy && \
  do_step sync-after-sign-android-apks
do_step linux-signer-authenticode-signing
do_step sync-after-authenticode-signing
do_step authenticode-timestamping
do_step sync-after-authenticode-timestamping
do_step hash_signed_bundles
do_step sync-after-hash
do_step linux-signer-gpg-sign
do_step sync-after-gpg-sign
do_step download-unsigned-sha256sums-gpg-signatures-from-people-tpo
do_step sync-local-to-staticiforme
do_step sync-scripts-to-staticiforme
do_step staticiforme-prepare-cdn-dist-upload
! is_legacy &&
  do_step upload-update_responses-to-staticiforme
do_step finished-signing-clean-linux-signer
