#!/bin/bash
set -euo pipefail
source "$(dirname "$0")/build_config.sh"

DMG="$DMG_NAME"

if [[ ! -f "$DMG" ]]; then
    echo "Error: DMG not found at: $DMG"
    exit 1
fi

ISSUER_ID="YOUR_ISSUER_ID"
KEY_ID="YOUR_KEY_ID"
PRIVATE_KEY_PATH="$HOME/keys/notarization.p8"

create_jwt() {
    local header payload unsigned_token signature

    header=$(printf '{"alg":"ES256","kid":"%s"}' "$KEY_ID" | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
    payload=$(printf '{"iss":"%s","iat":%d,"exp":%d}' "$ISSUER_ID" "$(date +%s)" "$(( $(date +%s) + 1200 ))" \
        | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')

    unsigned_token="$header.$payload"

    signature=$(printf '%s' "$unsigned_token" \
        | openssl dgst -sha256 -sign "$PRIVATE_KEY_PATH" \
        | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')

    echo "$unsigned_token.$signature"
}

echo "=== Submitting DMG for notarization ==="
JWT=$(create_jwt)

SUBMIT_RESPONSE=$(curl -s -X POST \
    -H "Authorization: Bearer $JWT" \
    -F "file=@${DMG}" \
    "https://appstoreconnect.apple.com/notary/v2/submissions")

REQUEST_ID=$(echo "$SUBMIT_RESPONSE" | sed -n 's/.*"id":"\([^"]*\)".*/\1/p')

if [[ -z "$REQUEST_ID" ]]; then
    echo "Failed to submit for notarization:"
    echo "$SUBMIT_RESPONSE"
    exit 1
fi

echo "Submission ID: $REQUEST_ID"
echo "Waiting for notarization result…"

while true; do
    sleep 15
    JWT=$(create_jwt)

    STATUS_RESPONSE=$(curl -s -X GET \
        -H "Authorization: Bearer $JWT" \
        "https://appstoreconnect.apple.com/notary/v2/submissions/$REQUEST_ID")

    STATUS=$(echo "$STATUS_RESPONSE" | sed -n 's/.*"status":"\([^"]*\)".*/\1/p')

    echo "Status: $STATUS"

    case "$STATUS" in
        "Accepted")
            echo "Notarization succeeded."
            break
            ;;
        "Invalid"|"Rejected"|"Failed")
            echo "Notarization failed."
            echo "$STATUS_RESPONSE"
            exit 1
            ;;
        *)
            ;;
    esac
done

echo "=== Downloading notarization log ==="
JWT=$(create_jwt)

curl -s -X GET \
    -H "Authorization: Bearer $JWT" \
    "https://appstoreconnect.apple.com/notary/v2/submissions/$REQUEST_ID/log" \
    -o notarization-log.json

echo "Log saved to notarization-log.json"

echo "=== Stapling DMG ==="
xcrun stapler staple "$DMG"

echo "=== Verifying stapled DMG ==="
spctl --assess --type open --verbose "$DMG"

echo "=== notarize_dmg.sh complete ==="