#!/bin/bash
set -e
script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
source "$script_dir/functions"
source "$script_dir/set-config.update-responses"

NON_INTERACTIVE=1
steps_dir="$signed_version_dir.steps"
test -d "$steps_dir" || mkdir -p "$steps_dir"

if test -n "$use_rcodesign"
then
  test -f "$steps_dir/linux-signer-rcodesign-sign.done" ||
    read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW
  echo
else
  test -f "$steps_dir/macos-signer-gatekeeper-signing.done" ||
    read -sp "Enter macos keychain passphrase: " KEYCHAIN_PW
  echo
  test -f "$steps_dir/macos-signer-notarization.done" ||
    read -sp "Enter macos notarization passphrase: " NOTARIZATION_PW
  echo
fi
is_project torbrowser && nssdb=torbrowser-nssdb7
is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb-1
test -f "$steps_dir/linux-signer-signmars.done" ||
  read -sp "Enter $nssdb (mar signing) passphrase: " NSSPASS
echo

if is_project torbrowser; then
  test -f "$steps_dir/linux-signer-sign-android-apks.done" ||
    read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS
  echo
fi
test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
  read -sp "Enter windows authenticode passphrase: " YUBIPASS
echo
test -f "$steps_dir/linux-signer-gpg-sign.done" ||
  read -sp "Enter gpg passphrase: " GPG_PASS
echo

function wait-for-finished-build {
  "$script_dir/wait-for-finished-build"
}

function sync-builder-unsigned-to-local-signed {
  "$script_dir/sync-builder-unsigned-to-local-signed"
}

function sync-before-linux-signer-rcodesign-sign {
  "$script_dir/sync-local-to-linux-signer"
}

function linux-signer-rcodesign-sign {
  ssh -R 8080:timestamp.apple.com:80 "$ssh_host_linux_signer" 'bash -s' << EOF
  export RCODESIGN_PW=$RCODESIGN_PW
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-rcodesign-sign.$SIGNING_PROJECTNAME
EOF
  unset RCODESIGN_PW
}

function sync-linux-signer-macos-signed-tar-to-local {
  "$script_dir/sync-linux-signer-macos-signed-tar-to-local"
}

function rcodesign-notary-submit {
  "$script_dir/rcodesign-notary-submit"
}

function macos-signer-directory-not-present {
  # To avoid doing two signings at the same time, or to avoid unknowingly
  # using parts from a previous signing attempt, we check that the
  # directory does not exist yet (see tor-browser-build#40497)
  if ssh "$ssh_host_macos_signer" "test -d $tbb_version"
  then
    echo "The directory $tbb_version already exists on $ssh_host_macos_signer"
    return 1
  fi
  return 0
}

function sync-scripts-to-macos-signer {
  "$script_dir/sync-scripts-to-macos-signer"
}

function macos-signer-enable-network-proxy-settings {
  ssh "$ssh_host_macos_signer" 'networksetup -setsecurewebproxystate Ethernet on'
}

function macos-signer-gatekeeper-signing {
  "$script_dir/sync-macos-local-to-macos-signer"
  ssh "$ssh_host_macos_signer" 'bash -s' << EOF
  export KEYCHAIN_PW=$KEYCHAIN_PW
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-gatekeeper-signing.$SIGNING_PROJECTNAME
EOF
  unset KEYCHAIN_PW
}

function macos-signer-notarization {
  ssh "$ssh_host_macos_signer" 'bash -s' << EOF
  export PW=$NOTARIZATION_PW
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-notarization.$SIGNING_PROJECTNAME
EOF
  unset NOTARIZATION_PW
}

function macos-signer-stapler {
  ssh "$ssh_host_macos_signer" "~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-stapler.$SIGNING_PROJECTNAME"
  "$script_dir/sync-macos-signer-stapled-to-macos-local-stapled"
}

function macos-signer-disable-network-proxy-settings {
  ssh "$ssh_host_macos_signer" 'networksetup -setsecurewebproxystate Ethernet off'
}

function gatekeeper-bundling {
  "$script_dir/gatekeeper-bundling.sh"
}

function dmg2mar {
  "$script_dir/dmg2mar"
}

function sync-scripts-to-linux-signer {
  "$script_dir/sync-scripts-to-linux-signer"
}

function sync-before-linux-signer-signmars {
  "$script_dir/sync-local-to-linux-signer"
}

function linux-signer-signmars {
  ssh "$ssh_host_linux_signer" 'bash -s' << EOF
  export NSSPASS=$NSSPASS
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-signmars.$SIGNING_PROJECTNAME
EOF
  unset NSSPASS
}

function sync-after-signmars {
  "$script_dir/sync-linux-signer-to-local"
}

function linux-signer-sign-android-apks {
  ssh "$ssh_host_linux_signer" 'bash -s' << EOF
  export KSPASS=$KSPASS
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-sign-android-apks.$SIGNING_PROJECTNAME
EOF
  unset KSPASS
}

function sync-after-sign-android-apks {
  "$script_dir/sync-linux-signer-to-local"
}

function download-unsigned-sha256sums-gpg-signatures-from-people-tpo {
  "$script_dir/download-unsigned-sha256sums-gpg-signatures-from-people-tpo"
}

function linux-signer-authenticode-signing {
  ssh "$ssh_host_linux_signer" 'bash -s' << EOF
  export YUBIPASS='$YUBIPASS'
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-authenticode-signing.$SIGNING_PROJECTNAME
EOF
  unset YUBIPASS
}

function sync-after-authenticode-signing {
  "$script_dir/sync-linux-signer-to-local"
}

function authenticode-timestamping {
  "$script_dir/authenticode-timestamping.sh"
}

function sync-after-authenticode-timestamping {
  "$script_dir/sync-local-to-linux-signer"
}

function hash_signed_bundles {
  "$script_dir/hash_signed_bundles.sh"
}

function sync-after-hash {
  "$script_dir/sync-local-to-linux-signer"
}

function linux-signer-gpg-sign {
  ssh "$ssh_host_linux_signer" 'bash -s' << EOF
  export GPG_PASS=$GPG_PASS
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-gpg-sign.$SIGNING_PROJECTNAME
EOF
}

function sync-after-gpg-sign {
  "$script_dir/sync-linux-signer-to-local"
}

function sync-local-to-staticiforme {
  "$script_dir/sync-local-to-staticiforme"
}

function sync-scripts-to-staticiforme {
  "$script_dir/sync-scripts-to-staticiforme"
}

function staticiforme-prepare-cdn-dist-upload {
  ssh "$ssh_host_staticiforme" "signing-$SIGNING_PROJECTNAME-$tbb_version_type/staticiforme-prepare-cdn-dist-upload.$SIGNING_PROJECTNAME"
}

function upload-update_responses-to-staticiforme {
  "$script_dir/upload-update_responses-to-staticiforme"
}

function finished-signing-clean-macos-signer {
  "$script_dir/finished-signing-clean-macos-signer"
}

function finished-signing-clean-linux-signer {
  "$script_dir/finished-signing-clean-linux-signer"
}

function do_step {
  test -f "$steps_dir/$1.done" && return 0
  echo "$(date -Iseconds) - Starting step: $1"
  $1 2>&1 | tee "$steps_dir/$1.log"
  test ${PIPESTATUS[0]} -eq 0
  touch "$steps_dir/$1.done"
  echo "$(date -Iseconds) - Finished step: $1"
}

export SIGNING_PROJECTNAME

do_step wait-for-finished-build
do_step sync-builder-unsigned-to-local-signed
if test -n "$use_rcodesign";
then
  do_step sync-scripts-to-linux-signer
  do_step sync-before-linux-signer-rcodesign-sign
  do_step linux-signer-rcodesign-sign
  do_step sync-linux-signer-macos-signed-tar-to-local
  do_step rcodesign-notary-submit
else
  do_step macos-signer-directory-not-present
  do_step sync-scripts-to-macos-signer
  do_step macos-signer-enable-network-proxy-settings
  do_step macos-signer-gatekeeper-signing
  do_step macos-signer-notarization
  do_step macos-signer-stapler
  do_step macos-signer-disable-network-proxy-settings
fi
do_step gatekeeper-bundling
do_step dmg2mar
do_step sync-scripts-to-linux-signer
do_step sync-before-linux-signer-signmars
do_step linux-signer-signmars
do_step sync-after-signmars
is_project torbrowser && \
  do_step linux-signer-sign-android-apks
is_project torbrowser && \
  do_step sync-after-sign-android-apks
do_step linux-signer-authenticode-signing
do_step sync-after-authenticode-signing
do_step authenticode-timestamping
do_step sync-after-authenticode-timestamping
do_step hash_signed_bundles
do_step sync-after-hash
do_step linux-signer-gpg-sign
do_step sync-after-gpg-sign
do_step download-unsigned-sha256sums-gpg-signatures-from-people-tpo
do_step sync-local-to-staticiforme
do_step sync-scripts-to-staticiforme
do_step staticiforme-prepare-cdn-dist-upload
do_step upload-update_responses-to-staticiforme
do_step finished-signing-clean-macos-signer
do_step finished-signing-clean-linux-signer
