#!/usr/bin/env bash

set -e

: "${BUILDX_CMD=docker buildx}"
: "${DESTDIR=./bin/release}"
: "${CACHE_FROM=}"
: "${CACHE_TO=}"

: "${SIGN=}"
: "${PFX=}"
: "${PFXPASSWORD=}"

if [ -n "$CACHE_FROM" ]; then
	for cfrom in $CACHE_FROM; do
		cacheFlags+=(--set "*.cache-from=$cfrom")
	done
fi
if [ -n "$CACHE_TO" ]; then
	for cto in $CACHE_TO; do
		cacheFlags+=(--set "*.cache-to=$cto")
	done
fi

dockerpfx=$(mktemp -t dockercredhelper-pfx.XXXXXXXXXX)
function clean {
	rm -f "$dockerpfx"
}
trap clean EXIT

# release
(
	set -x
	${BUILDX_CMD} bake "${cacheFlags[@]}" --set "*.output=$DESTDIR" release
)

# wrap binaries
mv -f ./${DESTDIR}/**/* ./${DESTDIR}/
find ./${DESTDIR} -type d -empty -delete

# sign binaries
if [ -n "$SIGN" ]; then
	for f in "${DESTDIR}"/*".darwin-"*; do
		SIGNINGHASH=$(security find-identity -v -p codesigning | grep "Developer ID Application: Docker Inc" | cut -d ' ' -f 4)
		xcrun -log codesign -s "$SIGNINGHASH" --force --verbose "$f"
		xcrun codesign --verify --deep --strict --verbose=2 --display "$f"
	done
	for f in "${DESTDIR}"/*".windows-"*; do
		echo ${PFX} | base64 -d > "$dockerpfx"
		signtool sign /fd SHA256 /a /f pfx /p ${PFXPASSWORD} /d Docker /du https://www.docker.com /t http://timestamp.verisign.com/scripts/timestamp.dll "$f"
	done
fi

# checksums
(
  cd ${DESTDIR}
  sha256sum -b docker-credential-* > ./checksums.txt
  sha256sum -c --strict checksums.txt
)