#!/bin/bash

## Copyright (C) 2026 - 2026 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## sequoia-pgp ('sq') wrapper for debsign
## Usage: debsign -p /path/to/sq-debsign-wrapper
## When using this wrapper, 'sq' will be used rather than 'gpg'.

## Quote 'man debsign':
## -pprogname
## When debsign needs to execute GPG to sign it will run progname
## (searching the PATH if necessary), instead of gpg.

## In practice, what will run is, sample log:
#/usr/share/genmkfile/make-helper-one.bsh: running: debsign -p /home/user/derivative-maker/help-steps/sq-debsign-wrapper /home/user/derivative-binary/genmkfile-packages-result/helper-scripts_48.9-1_amd64.changes

## * 'debsign' is executing 'gpg' directly.
## * At the time of writing, 'debsign' did not have native 'sq' support yet.
## * Both, 'gpg' ('gpg-g10-code') and 'gpg-sq' require use of 'gpg's native
##   keystore folder. (Typically the '~/.gnupg' folder.)
## * Without this wrapper script,
##   * it would be required to export the private
##     signing key from the 'sq' keystore and import it into the 'gpg' (or 'gpg-sq')
##     keystore. That is considered unclean / legacy.
##   * both, 'gpg-g10-code' and 'gpg-sq' lacked support for v6 keys.
##   * usage of earlier key format versions would be required.
## * In conclusion, this wrapper is preferred.

#set -x
set -o nounset
set -o errexit
set -o errtrace
set -o pipefail

true "INFO: Currently running script: ${BASH_SOURCE[0]} $*"

## This is what 'debsign' passes:
## --no-auto-check-trustdb --local-user derivative-distribution@local-signing.key --clearsign --openpgp --personal-digest-preferences SHA512 SHA384 SHA256 SHA224 --list-options no-show-policy-urls --armor --textmode --output /tmp/user/1000/debsign.dbyCFnm7/anon-apt-sources-list_7.5-1.dsc.asc /tmp/user/1000/debsign.dbyCFnm7/anon-apt-sources-list_7.5-1.dsc

sq_bin="${SQ_BIN:-sq}"

die() {
  printf '%s\n' "$0: ERROR: $*" >&2
  exit 2
}

output=''

while (($#)); do
  case "$1" in
    --no-auto-check-trustdb|--openpgp|--armor|--clearsign|--textmode)
      shift
      ;;
    --local-user|--personal-digest-preferences|--list-options)
      (($# >= 2)) || die "'$1' requires an argument"
      shift 2
      ;;
    --local-user=*|--personal-digest-preferences=*|--list-options=*)
      shift
      ;;
    --output)
      (($# >= 2)) || die "--output requires an argument"
      output="$2"
      shift 2
      ;;
    --output=*)
      output="${1#*=}"
      shift
      ;;
    --)
      shift
      break
      ;;
    -*)
      bad_opt="$1"
      shift
      die "unexpected option: '$bad_opt'"
      ;;
    *)
      break
      ;;
  esac
done

[ -n "$output" ] || die "no --output path supplied"

(($# >= 1)) || die "no input file supplied"
input="$1"
shift

[ -n "$input" ] || die "input file must not be empty"

(($# == 0)) || die "unexpected extra argument(s): '$*'"

[ -n "${DEBEMAIL-}" ] || die "DEBEMAIL is not set or empty"

cmd=(
  "$sq_bin"
  sign
  --cleartext
  --signer-email "$DEBEMAIL"
  --output "$output"
  --
  "$input"
)

printf '%s\n' "$0: INFO: ${cmd[*]}"

"${cmd[@]}"

true "$0: END"
