#!/bin/sh
# sign-release.sh — sign a release binary with your Ed25519 private key
#
# Usage:
#   sh scripts/sign-release.sh <name> <binary>
#
# Output:
#   <binary>.sig — raw 64-byte Ed25519 signature
#
# The .sig file must be uploaded alongside the binary to the Gitea release.
#
# Requirements: openssl 3.x

set -e

NAME="$1"
BINARY="$2"

if [ -z "$NAME" ] || [ -z "$BINARY" ]; then
    echo "Usage: sh scripts/sign-release.sh <name> <binary>" >&2
    echo "Example: sh scripts/sign-release.sh mchusavitin dist/bee-audit-linux-amd64" >&2
    exit 1
fi

PRIVATE_KEY_PATH="$HOME/.keys/${NAME}.key"
SIG_PATH="${BINARY}.sig"

if [ ! -f "$PRIVATE_KEY_PATH" ]; then
    echo "Private key not found: $PRIVATE_KEY_PATH" >&2
    echo "Run scripts/keygen.sh $NAME first." >&2
    exit 1
fi

if [ ! -f "$BINARY" ]; then
    echo "Binary not found: $BINARY" >&2
    exit 1
fi

# Sign: produce raw 64-byte Ed25519 signature.
# -rawin passes the file contents to the signer unhashed; Ed25519 signs the
# message itself, so there is no separate digest step.
openssl pkeyutl -sign \
    -inkey "$PRIVATE_KEY_PATH" \
    -rawin \
    -in "$BINARY" \
    -out "$SIG_PATH"

echo "Signed: $BINARY"
echo "Signature: $SIG_PATH"
echo ""
echo "Upload both files to the Gitea release as assets."