#!/bin/bash
# Abort the script as soon as a command fails outside a conditional context.
set -o errexit

# Print every argument on its own line to stderr, then terminate the script
# with exit status 1. With no arguments nothing is printed.
exit_error() {
  while [ "$#" -gt 0 ]; do
    echo "$1" >&2
    shift
  done
  exit 1
}

# Only the two known release channels are accepted. The value is interpolated
# into the keystore file name below, so it is checked against a fixed list
# before any path is built from it.
case "$tbb_version_type" in
  release | alpha)
    ;;
  *)
    exit_error "Unexpected value for tbb_version_type: $tbb_version_type"
    ;;
esac

# Same allow-list approach for the project name: anything other than the three
# known projects stops the script before a key is selected.
if test "$SIGNING_PROJECTNAME" != 'torbrowser' \
  && test "$SIGNING_PROJECTNAME" != 'mullvadbrowser' \
  && test "$SIGNING_PROJECTNAME" != 'torvpn'; then
  exit_error "Unexpected value for SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME"
fi

# Keystore selection: torvpn has its own PKCS#12 file; every other accepted
# project uses the per-channel tba_<channel>.p12 file.
# NOTE(review): mullvadbrowser therefore resolves to the same tba_* keystore as
# torbrowser - confirm that this is intended.
android_signing_key_dir=/home/signing-apk/keys
if [ "$SIGNING_PROJECTNAME" = 'torvpn' ]; then
  android_signing_key_path="$android_signing_key_dir/torvpn.p12"
else
  android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
fi

# Fail early if the selected keystore is absent or not a regular file.
if ! test -f "$android_signing_key_path"; then
  exit_error "$android_signing_key_path is missing"
fi

# Put the pinned Android build-tools directory at the front of PATH so that the
# apksigner found there is the one used for signing.
# Globals:  abt_version, build_tools_dir (written); PATH (prepended, exported)
# Exits via exit_error when the apksigner file is not present.
# NOTE(review): whatever sits in this directory is run with access to the
# keystore, so it should be writable only by trusted accounts - confirm the
# permissions on the signing host.
setup_build_tools() {
  abt_version=16
  build_tools_dir=/signing/android-build-tools
  local tools_bin="$build_tools_dir/android-$abt_version"
  if ! test -f "$tools_bin/apksigner"; then
    exit_error "$tools_bin/apksigner is missing"
  fi
  export PATH="$tools_bin:${PATH}"
}

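# Sign individual apk
# https://developer.android.com/studio/publish/app-signing#sign-manually
#
# Checks the alignment of the input APK, signs a copy with the keystore at
# $android_signing_key_path, verifies the resulting signature and moves the
# signed file to the output path. Any failing step prints a message to stderr
# and exits the script with status 1.
#
# Globals:   android_signing_key_path (read)
#            KSPASS (read by apksigner through env:KSPASS, which keeps the
#            keystore password out of the command line)
# Arguments: $1 - input APK
#            $2 - destination path for the signed APK
# Outputs:   progress messages on stdout, failure messages on stderr
#
# The signed copy is first written to the current directory under the base
# name of the input, so this should run from a private scratch directory.
sign_apk() {
    local input_apk="$1"
    local output_apk="$2"
    local signed_apk

    if [ -z "${input_apk}" ] || [ -z "${output_apk}" ]; then
        echo "sign_apk: input and output APK paths are required" >&2
        exit 1
    fi

    # Declared separately from the assignment so a basename failure is not
    # masked by the exit status of 'local'.
    signed_apk=$(basename -- "${input_apk}") || exit 1

    # Verify alignment before signing
    # APKs have various requirements for being published on the Play Store.
    # The input APKs should be ready before starting this process.
    printf '%s\n' "Verifying ${input_apk}"
    # Each command is tested directly in the 'if': under 'set -e' a separate
    # '$?' check on the following line is never reached after a failure.
    if ! zipalign -c -P 16 4 "${input_apk}"; then
        echo "zipalign verify failed" >&2
        exit 1
    fi
    echo zipalign verify succeeded

    # Sign
    printf '%s\n' "Signing ${input_apk}"

    # Use this command if reading key from file.
    # --debuggable-apk-permitted=false makes apksigner refuse debuggable APKs.
    if ! apksigner sign --verbose \
        -ks "${android_signing_key_path}" --ks-type pkcs12 \
        --ks-pass env:KSPASS \
        --debuggable-apk-permitted=false \
        --out "${signed_apk}" "${input_apk}"; then
        echo "apksigner sign failed" >&2
        exit 1
    fi

    # Or, use below command if using a hardware token
    # apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 --debuggable-apk-permitted=false --out "${SIGNEDAPK}" "${INPUTAPK}"

    echo apksigner sign succeeded

    # Verify signature
    # This confirms that the APK carries a valid signature. It does not check
    # which certificate produced it; comparing the signer digest (for example
    # from 'apksigner verify --print-certs') with the expected release
    # certificate is a separate check that is not done here.
    if ! apksigner verify --verbose "${signed_apk}"; then
        echo "apksigner verify failed" >&2
        exit 1
    fi
    echo apksigner verify succeeded

    mv -f -- "${signed_apk}" "${output_apk}"
    printf '%s\n' "${output_apk} signed"
}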

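setup_build_tools

# Signing happens in a private scratch directory created by mktemp. The EXIT
# trap removes it on every exit path, including the 'exit 1' paths in sign_apk
# and any abort caused by 'set -e', so intermediate signed files are not left
# behind after a failed run.
tmpdir=$(mktemp -d)
trap 'rm -Rf -- "${tmpdir:?}"' EXIT
cd "$tmpdir"

# $1 (input APK) and $2 (output APK) are passed through unchanged after the
# directory change above, so relative paths would be resolved against the
# scratch directory; callers need to pass absolute paths.
sign_apk "$1" "$2"

cd -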
