#!/bin/sh
# keygen.sh — generate an Ed25519 keypair for signing release binaries
#
# Usage:
#   sh scripts/keygen.sh <name>
#
# Output:
#   ~/.keys/<name>.key     — private key (KEEP SECRET, never commit)
#   developers/<name>.pub  — public key (safe to commit here)
#
# Requirements: openssl 3.x

set -e

NAME="$1"
if [ -z "$NAME" ]; then
  echo "Usage: sh scripts/keygen.sh <name>" >&2
  echo "Example: sh scripts/keygen.sh mchusavitin" >&2
  exit 1
fi

PRIVATE_KEY_PATH="$HOME/.keys/${NAME}.key"
PUBLIC_KEY_PATH="$(dirname "$0")/../developers/${NAME}.pub"

if [ -f "$PRIVATE_KEY_PATH" ]; then
  echo "Private key already exists at $PRIVATE_KEY_PATH" >&2
  echo "Delete it manually if you want to regenerate." >&2
  exit 1
fi

mkdir -p "$HOME/.keys"
chmod 700 "$HOME/.keys"

# Generate Ed25519 private key (PEM format)
openssl genpkey -algorithm ed25519 -out "$PRIVATE_KEY_PATH"
chmod 600 "$PRIVATE_KEY_PATH"

# Extract raw 32-byte public key and base64-encode it.
# The DER SubjectPublicKeyInfo for Ed25519 is a fixed 12-byte header
# followed by the 32-byte key, so the last 32 bytes are the raw key.
openssl pkey -in "$PRIVATE_KEY_PATH" -pubout -outform DER \
  | tail -c 32 \
  | base64 > "$PUBLIC_KEY_PATH"

# `set -e` does not catch a failure of the first command in a pipeline,
# so check that a full 32-byte key (44 base64 characters) was written
# rather than an empty or truncated file before telling the user to commit it.
PUB_LEN="$(tr -d '\n' < "$PUBLIC_KEY_PATH" | wc -c | tr -d ' ')"
if [ "$PUB_LEN" -ne 44 ]; then
  echo "Failed to derive public key; removing $PUBLIC_KEY_PATH" >&2
  rm -f "$PUBLIC_KEY_PATH"
  exit 1
fi

echo "Private key: $PRIVATE_KEY_PATH (DO NOT share or commit)"
echo "Public key:  $PUBLIC_KEY_PATH (commit this to the keys repo)"
echo ""
echo "Next steps:"
echo "  1. git add developers/${NAME}.pub && git commit -m 'add ${NAME} public key'"
echo "  2. git push"
echo "  3. Rebuild any release binaries to include the new key"