#!/bin/bash
# usage: script/sign <file>
#
# Signs macOS binaries using codesign, notarizes macOS zip archives using notarytool
#
set -e

sign_macos() {
  if [[ -z "$APPLE_DEVELOPER_ID" ]]; then
    echo "skipping macOS code-signing; APPLE_DEVELOPER_ID not set" >&2
    return 0
  fi

  if [[ $1 == *.zip ]]; then
    xcrun notarytool submit "$1" --apple-id "${APPLE_ID?}" --team-id "${APPLE_DEVELOPER_ID?}" --password "${APPLE_ID_PASSWORD?}"
  else
    codesign --timestamp --options=runtime -s "${APPLE_DEVELOPER_ID?}" -v "$1"
  fi
}

if [[ $# -eq 0 ]]; then
  echo "usage: script/sign <file>" >&2
  exit 1
fi

platform="$(uname -s)"
if [[ $platform != "Darwin" ]]; then
  echo "error: must run on macOS; skipping codesigning/notarization" >&2
  exit 1
fi

for input_file; do
  sign_macos "$input_file"
done