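#!/bin/bash
# Import a GPG secret key from the environment, then detach-sign every regular
# file directly under $PLUGIN_SIGN_DIR (signatures are written as <file>.sig).
#
# Required environment:
#   PLUGIN_GPG_SECRET_KEY  secret key material to import
#   PLUGIN_GPG_PASSPHRASE  passphrase for that key (consumed by gpg.expect, not read here)
#   PLUGIN_SIGN_DIR        directory whose top-level files are signed
#
# gpg.expect is a project wrapper around gpg. This script only captures its
# stdout; the 'secret key imported' line is assumed to be visible there
# (plain gpg prints it on stderr) — NOTE(review): confirm against the wrapper.
set -euo pipefail

# Report a fatal error on stderr together with the captured gpg output, then exit 1.
# Globals: gpgout (read)
# Arguments: $1 - message to print
die_with_gpg_output() {
  printf '%s\n' "$1" >&2
  echo "gpg output:" >&2
  cat -- "$gpgout" >&2
  exit 1
}

: "${PLUGIN_GPG_SECRET_KEY:?PLUGIN_GPG_SECRET_KEY must be set}"
: "${PLUGIN_SIGN_DIR:?PLUGIN_SIGN_DIR must be set}"

# Setup agent to read password from TTY (so we can use Expect)
gpg-agent --daemon --pinentry-program /usr/bin/pinentry-tty

# Unpredictable temp paths (mktemp creates them mode 0600). Both are removed on
# every exit path so the secret key material does not outlive the script.
tmpkey="$(mktemp /tmp/privkey-XXXXXXX)"
gpgout="$(mktemp /tmp/gpg-out-XXXXXXX)"
cleanup() { rm -f -- "$tmpkey" "$gpgout"; }
trap cleanup EXIT

# Import GPG key (passphrase set with $PLUGIN_GPG_PASSPHRASE)
echo "Importing GPG secret key"
printf '%s\n' "$PLUGIN_GPG_SECRET_KEY" > "$tmpkey"
ret=0
gpg.expect --import "$tmpkey" > "$gpgout" || ret=$?
rm -f -- "$tmpkey"   # drop the key file as soon as gpg has consumed it
# A non-zero status means the import failed. (The previous `(( ! ret ))` test
# was inverted: it fired when ret was 0, i.e. on success.)
if (( ret != 0 )); then
  die_with_gpg_output "Failed to import secret key."
fi

# Retrieve key ID from the import report line ("gpg: key <ID>: secret key imported").
# `|| true` keeps a missing line from aborting under pipefail; emptiness is checked below.
keyid="$(grep -- 'secret key imported' "$gpgout" | awk '{ print $3 }' | tr -d ':' || true)"
if [[ -z "$keyid" ]]; then
  die_with_gpg_output "Could not determine the ID of the imported key."
fi

# Detach-sign all files
cd -- "$PLUGIN_SIGN_DIR"
# NUL-delimited find + process substitution: filenames with whitespace are safe,
# and `exit` inside the loop terminates the script rather than a pipeline subshell.
while IFS= read -r -d '' filename; do
  ret=0   # reset per file so an earlier status never leaks into this check
  # gpg's --use-agent takes no argument, so the key ID is passed with --local-user.
  # NOTE(review): confirm gpg.expect forwards options to gpg unchanged.
  gpg.expect --detach-sign --use-agent --local-user "${keyid}" --no-armor "$filename" > "$gpgout" || ret=$?
  if (( ret != 0 )); then
    die_with_gpg_output "Failed to sign file ${filename##*/}."
  fi
  printf 'Created signature file %s.\n' "${filename##*/}.sig"
done < <(find . -mindepth 1 -maxdepth 1 -type f -print0)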