#!/usr/bin/env bash
set -e
readonly usage='usage: sign-notarize.bash -i <id> -k <keychain-profile> [--] <package>.dmg

Sign and notarize the "CMake.app" bundle inside the given "<package>.dmg" disk image.
Also produce a "<package>.tar.gz" tarball containing the same "CMake.app".

Options:

    -i <id>                Signing Identity
    -k <keychain-profile>  Keychain profile containing stored credentials

Create the keychain profile ahead of time using

    xcrun notarytool store-credentials <keychain-profile> \
      --apple-id <dev-acct> --team-id <team-id> [--password <app-specific-password>]

where:

    <dev-acct>              is an Apple ID of a developer account
    <team-id>               is from https://developer.apple.com/account/#!/membership
    <app-specific-password> is generated via https://support.apple.com/en-us/HT204397
                            If --password is omitted, notarytool will prompt for it.

This creates a keychain item called "com.apple.gke.notary.tool" with an
account name "com.apple.gke.notary.tool.saved-creds.<keychain-profile>".
'

cleanup() {
    if test -d "$tmpdir"; then
        rm -rf "$tmpdir"
    fi
    if test -d "$vol_path"; then
        hdiutil detach "$vol_path"
    fi
}

trap "cleanup" EXIT

die() {
    echo "$@" 1>&2; exit 1
}

id=''
keychain_profile=''
while test "$#" != 0; do
    case "$1" in
    -i) shift; id="$1" ;;
    -k) shift; keychain_profile="$1" ;;
    --) shift ; break ;;
    -*) die "$usage" ;;
    *) break ;;
    esac
    shift
done
case "$1" in
*.dmg) readonly dmg="$1"; shift ;;
*) die "$usage" ;;
esac
test "$#" = 0 || die "$usage"

# Verify arguments.
if test -z "$id" -o -z "$keychain_profile"; then
    die "$usage"
fi

# Verify environment.
if ! xcrun --find notarytool 2>/dev/null; then
    die "'xcrun notarytool' not found"
fi

readonly tmpdir="$(mktemp -d)"

# Prepare entitlements.
readonly entitlements_xml="$tmpdir/entitlements.xml"
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key>
  <true/>
</dict>
</plist>' > "$entitlements_xml"

# Convert from read-only original image to read-write.
readonly udrw_dmg="$tmpdir/udrw.dmg"
hdiutil convert "$dmg" -format UDRW -o "${udrw_dmg}"

# Mount the temporary udrw image.
readonly vol_name="$(basename "${dmg%.dmg}")"
readonly vol_path="/Volumes/$vol_name"
hdiutil attach "${udrw_dmg}"

codesign --verify --timestamp --options=runtime --verbose --deep \
  -s "$id" \
  --entitlements "$entitlements_xml" \
  "$vol_path/CMake.app/Contents/bin/cmake" \
  "$vol_path/CMake.app/Contents/bin/ccmake" \
  "$vol_path/CMake.app/Contents/bin/ctest" \
  "$vol_path/CMake.app/Contents/bin/cpack" \
  "$vol_path/CMake.app"

ditto -c -k --keepParent "$vol_path/CMake.app" "$tmpdir/CMake.app.zip"
xcrun notarytool submit "$tmpdir/CMake.app.zip" --keychain-profile "$keychain_profile" --wait
xcrun stapler staple "$vol_path/CMake.app"

# Create a tarball of the volume next to the original disk image.
readonly tar_gz="${dmg/%.dmg/.tar.gz}"
tar cvzf "$tar_gz" -C /Volumes "$vol_name/CMake.app"

# Unmount the modified udrw image.
hdiutil detach "$vol_path"

# Convert back to read-only, compressed image.
hdiutil convert "${udrw_dmg}" -format UDZO -imagekey zlib-level=9 -ov -o "$dmg"