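#!/bin/sh
# git sign-for-cgit: build a `git archive` snapshot of one object, sign the
# snapshot's SHA256 checksum with signify(1), and attach the signed checksum
# to the object as a git note under refs/notes/signatures/FORMAT.
# NOTE(review): judging by the name, the note is meant to be consumed by
# cgit; nothing in this script depends on that.
#
# Usage: git sign-for-cgit [-f format] object
#
# Environment:
#   SIGNIFY_SECKEY  path to the signify secret key
#                   (default: $HOME/.signify/release.sec)
# Git config:
#   package.format  archive format used when -f is not given
#                   (falls back to tar.gz)
set -e

# Print the arguments on stderr and exit with status 1.
errx() {
  printf '%s\n' "$*" >&2
  exit 1
}

# The script requires exactly one positional argument, so name it here.
usage() {
  errx 'usage: git sign-for-cgit [-f format] object'
}

seckey=${SIGNIFY_SECKEY:-$HOME/.signify/release.sec}

# `git config --get` exits non-zero when the key is unset; that is not an
# error here, the default below takes over.
format="$(git config --get package.format)" || true
: "${format:=tar.gz}"

while getopts f: opt; do
  case "$opt" in
    f) format=$OPTARG ;;
    ?) usage ;;
  esac
done
shift $((OPTIND - 1))
test "$#" -eq 1 || usage

# Accept only a format this git lists (fixed string, whole-line match).
# `--` keeps a format value that starts with '-' from being parsed as a
# grep option, which could otherwise make this check pass spuriously.
git archive -l | grep -Fqx -- "$format" || errx 'fatal: unknown format'

# Fail before creating anything if the signing key cannot be read.
test -r "$seckey" || errx "fatal: cannot read signify secret key: $seckey"

name=$(basename "$(git rev-parse --show-toplevel)")
object=$1

tmpdir=$(mktemp -d --suffix .sign-for-cgit)
# Single quotes defer the expansion to exit time and the inner double quotes
# keep the path one word, so a temp path containing spaces or shell
# metacharacters (mktemp honours TMPDIR) is never re-parsed as shell code.
# tmpdir is not reassigned after this point.
trap 'rm -rf -- "$tmpdir"' EXIT

archive_base=$name-$object.$format
archive_path=$tmpdir/$archive_base

# No --format is passed: git infers it from the output file's extension.
git archive --prefix="$name-$object/" -o "$archive_path" -- "$object"

(
  # Work inside the temp dir so the checksum file records the bare archive
  # name rather than the temporary path.
  cd "$tmpdir"
  # --tag writes a BSD-style checksum line.
  sha256sum --tag -- "$archive_base" > "${archive_base}.SHA256"
  # -S signs, -e embeds the checksum file in the signature, -s names the
  # secret key; the output defaults to MESSAGE.sig.
  signify -Ses "$seckey" -m "${archive_base}.SHA256"
)

# Store the signed checksum as a blob so the note can reuse it via -C.
id=$(git hash-object -w "${archive_path}.SHA256.sig")

# do not use exec here because otherwise the EXIT trap will not fire
git notes --ref="refs/notes/signatures/$format" add -C "$id" "$object"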