#!/bin/bash
set -e

if test "$#" -ne 2; then
  echo "Wrong number of arguments" >&2
  exit 1
fi

if test $(whoami) != 'signing-win'; then
  echo 'This script should be run as the signing-win user' >&2
  exit 2
fi

pass="$1"
to_sign_exe="$2"

key_dir=/home/signing-win/keys/key-1
tpo_cert=$key_dir/the_tor_project_inc.crt
tpo_key=$key_dir/private.pem

if ! test -f "$tpo_cert"; then
  echo "File $tpo_cert is missing" >&2
  exit 2
fi

output_signed_exe=/home/signing-win/last-signed-file.exe
rm -f "$output_signed_exe"

export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
/home/signing-win/osslsigncode/bin/osslsigncode \
  -pass "$pass" \
  -h sha256 \
  -certs "$tpo_cert" \
  -key "$tpo_key" \
  "$to_sign_exe" "$output_signed_exe"

chmod 644 "$output_signed_exe"
