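---
# Diagnostic workflow: exercises Developer ID code signing (and, when the
# notary secrets are present, notarization) on a macOS runner using the
# certificate and API key stored in repository secrets. It signs a throwaway
# bundle, so it is a smoke test of the keychain/identity plumbing, not a
# release job.
name: Test Local Signing

on:
  workflow_dispatch: # Manual trigger
  push:
    branches: [ozgur/build]

jobs:
  test-local-signing:
    # NOTE(review): "macos" is not a GitHub-hosted runner label (those are
    # macos-latest / macos-<version>), so this must resolve to a self-hosted
    # runner. The keychain handling below therefore assumes the machine may
    # persist between jobs and restores its keychain state on cleanup.
    runs-on: macos
    steps:
      - name: Checkout repository
        # Supply chain: prefer pinning third-party actions to a full commit
        # SHA rather than a mutable tag, since this job runs with signing
        # secrets in scope.
        uses: actions/checkout@v3

      # Decodes the .p12 from secrets into a throwaway keychain, imports the
      # Apple intermediate CAs, and exports KEYCHAIN_PATH / KEYCHAIN_PASSWORD /
      # IDENTITY_HASH for later steps. `shell: bash` already runs with
      # `-eo pipefail`, so any failing command aborts the step.
      - name: Setup Certificate
        env:
          CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
          CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        shell: bash
        run: |
          echo "Setting up certificate and keychain..."

          # Fail early with a clear message instead of importing an empty .p12.
          if [ -z "$CERTIFICATE_BASE64" ]; then
            echo "::error::MACOS_CERTIFICATE secret is empty or not set"
            exit 1
          fi

          # Working directory for key material; owner-only so other local users
          # on a shared runner cannot read the decoded .p12 while it exists.
          CERT_DIR="$HOME/certificates"
          mkdir -p "$CERT_DIR"
          chmod 700 "$CERT_DIR"
          cd "$CERT_DIR"

          # Remember the runner's current default keychain and search list so
          # Cleanup can restore them (the job makes the build keychain default).
          ORIGINAL_DEFAULT_KEYCHAIN=$(security default-keychain -d user | sed 's/^[[:space:]]*"\(.*\)"$/\1/' || true)
          ORIGINAL_KEYCHAIN_LIST=$(security list-keychains -d user | sed s/\"//g | tr '\n' ' ' || true)
          echo "ORIGINAL_DEFAULT_KEYCHAIN=$ORIGINAL_DEFAULT_KEYCHAIN" >> "$GITHUB_ENV"
          echo "ORIGINAL_KEYCHAIN_LIST=$ORIGINAL_KEYCHAIN_LIST" >> "$GITHUB_ENV"

          echo "Decoding certificate..."
          (umask 077; echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12)
          echo "Certificate info:"
          file certificate.p12

          # Throwaway keychain with a per-run random password. The password is
          # handed to later steps through GITHUB_ENV, so mask it in the logs.
          KEYCHAIN_PATH="$CERT_DIR/build.keychain-db"
          KEYCHAIN_PASSWORD=$(openssl rand -hex 24)
          echo "::add-mask::$KEYCHAIN_PASSWORD"
          echo "Creating keychain: $KEYCHAIN_PATH"
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # Auto-lock after one hour (-t) and when the machine sleeps (-l).
          security set-keychain-settings -t 3600 -l "$KEYCHAIN_PATH"

          # Put the build keychain first in the search list and make it default.
          # (Word-splitting the existing list breaks on paths with spaces; the
          # default keychain locations have none.)
          security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g)
          security default-keychain -s "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # Intermediate CAs needed to build the Developer ID chain. `-f` turns
          # an HTTP error into a step failure instead of saving an HTML page as
          # a .cer, and the DER parse rejects anything that is not a certificate.
          # Importing them grants no trust; trust still comes from the system
          # roots. TODO(review): pin the expected SHA-256 of each file.
          echo "Downloading Apple root certificates..."
          curl -fsSL -O https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
          curl -fsSL -O https://www.apple.com/certificateauthority/DeveloperIDG2.cer
          for cer in AppleWWDRCAG3.cer DeveloperIDG2.cer; do
            if ! openssl x509 -inform der -in "$cer" -noout; then
              echo "::error::$cer is not a DER-encoded certificate"
              exit 1
            fi
          done
          echo "Importing Apple root certificates..."
          security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
          security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign

          # Import the signing identity; -T restricts which binaries may use the
          # private key without prompting.
          echo "Importing developer certificate..."
          security import certificate.p12 \
            -k "$KEYCHAIN_PATH" \
            -P "$CERTIFICATE_PASSWORD" \
            -T /usr/bin/codesign \
            -T /usr/bin/security \
            -T /usr/bin/xcrun
          # The decoded .p12 is no longer needed; shorten its time on disk.
          rm -f certificate.p12

          # Let Apple tooling use the key non-interactively (needed once).
          security set-key-partition-list \
            -S apple-tool:,apple:,codesign: \
            -s \
            -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          echo "Checking codesigning identities..."
          security find-identity -v -p codesigning "$KEYCHAIN_PATH"

          # Hand paths/credentials to the following steps.
          echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
          echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
          echo "APPLE_TEAM_ID=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
          echo "WORKSPACE_DIR=$(pwd)" >> "$GITHUB_ENV"

          # Extract the SHA-1 of the "Developer ID Application" identity.
          # `|| true` keeps a no-match grep from aborting the step under
          # `-eo pipefail` before the diagnostics in the else branch can run.
          IDENTITY_HASH=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" \
            | grep "Developer ID Application" | head -1 | awk '{print $2}' || true)
          if [ -n "$IDENTITY_HASH" ]; then
            echo "Found identity hash: $IDENTITY_HASH"
            echo "IDENTITY_HASH=$IDENTITY_HASH" >> "$GITHUB_ENV"
          else
            echo "No valid identity hash found"
            echo "Debugging certificate access..."
            security find-certificate -a -c "Developer ID Application" -p "$KEYCHAIN_PATH" || true
            exit 1
          fi

      - name: Verify Certificate
        shell: bash
        run: |
          echo "Verifying certificate in keychain..."
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security find-identity -v -p codesigning "$KEYCHAIN_PATH"
          echo "Certificate details:"
          # `openssl x509` parses only the first PEM block, so if several
          # matching certificates are present only the first is shown.
          security find-certificate -a -c "Developer ID Application" -p "$KEYCHAIN_PATH" | \
            openssl x509 -noout -text | \
            grep -E "Subject:|Issuer:|Not Before:|Not After:|Serial Number:"

      - name: Create Test Entitlements
        shell: bash
        run: |
          echo "Creating entitlements file..."
          # NOTE(review): these entitlements switch off most hardened-runtime
          # protections; in particular disable-library-validation together with
          # allow-dyld-environment-variables lets any local process inject code
          # into the signed app via DYLD_INSERT_LIBRARIES. Tolerable for a
          # signing smoke test, but do not copy this set into the release
          # signing job without a justification for each key.
          # NOTE(review): the plist markup was reconstructed; every value is
          # assumed to be <true/> — confirm against the original file.
          cat > LuckyWorld.entitlements << 'EOF'
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
            <key>com.apple.security.cs.allow-jit</key>
            <true/>
            <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
            <true/>
            <key>com.apple.security.cs.disable-library-validation</key>
            <true/>
            <key>com.apple.security.cs.allow-dyld-environment-variables</key>
            <true/>
            <key>com.apple.security.device.audio-input</key>
            <true/>
            <key>com.apple.security.device.camera</key>
            <true/>
          </dict>
          </plist>
          EOF
          echo "Created entitlements file"
          cat LuckyWorld.entitlements

      - name: Create Test App Bundle
        shell: bash
        run: |
          echo "Creating test app bundle..."
          TEST_APP_DIR="TestApp.app"
          mkdir -p "$TEST_APP_DIR/Contents/MacOS"

          # NOTE(review): the main executable is a shell script, not a Mach-O
          # binary. Hardened-runtime options and entitlements only apply to
          # Mach-O code, so this exercises the keychain/identity path rather
          # than a realistic production binary; check the entitlements dump in
          # the signing step to see whether codesign applied them at all.
          cat > "$TEST_APP_DIR/Contents/MacOS/TestApp" << 'EOF'
          #!/bin/bash
          echo "Hello from TestApp!"
          EOF
          chmod +x "$TEST_APP_DIR/Contents/MacOS/TestApp"

          # NOTE(review): plist markup reconstructed from the key/value pairs.
          cat > "$TEST_APP_DIR/Contents/Info.plist" << 'EOF'
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
            <key>CFBundleExecutable</key>
            <string>TestApp</string>
            <key>CFBundleIdentifier</key>
            <string>com.luckyworld.testapp</string>
            <key>CFBundleName</key>
            <string>TestApp</string>
            <key>CFBundlePackageType</key>
            <string>APPL</string>
            <key>CFBundleShortVersionString</key>
            <string>1.0</string>
            <key>LSMinimumSystemVersion</key>
            <string>10.10</string>
          </dict>
          </plist>
          EOF
          echo "Created test app bundle"
          echo "APP_PATH=$TEST_APP_DIR" >> "$GITHUB_ENV"

      - name: Test Signing
        shell: bash
        run: |
          echo "Testing code signing..."
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # Sign with the identity hash rather than the name so an ambiguous
          # match cannot pick a different certificate. `--options runtime` and
          # `--timestamp` are what notarization requires for Developer ID code.
          # `--deep` is omitted: Apple discourages it and this bundle has no
          # nested code to sign.
          echo "Signing app bundle with identity hash: $IDENTITY_HASH"
          /usr/bin/codesign --force --verbose \
            --keychain "$KEYCHAIN_PATH" \
            --sign "$IDENTITY_HASH" \
            --options runtime \
            --timestamp \
            --entitlements "LuckyWorld.entitlements" \
            "$APP_PATH"
          echo "Signing complete"

          # `codesign -d -vv` only *displays* a signature; `--verify` is what
          # actually validates it (and fails the step if it is broken).
          echo "Verifying signature..."
          codesign --verify --deep --strict --verbose=2 "$APP_PATH"
          codesign -d -vv "$APP_PATH"
          echo "Checking entitlements..."
          codesign -d --entitlements :- "$APP_PATH"

          # Gatekeeper commonly rejects Developer ID code that has not been
          # notarized yet, and notarization only happens in the next step, so
          # report the outcome instead of failing the job on it.
          echo "Testing Gatekeeper assessment..."
          if ! spctl --assess --type exec --verbose "$APP_PATH"; then
            echo "::warning::spctl rejected $APP_PATH (expected before notarization)"
          fi

      - name: Test Notarization
        env:
          # Despite the secret's name, the value is the base64-encoded contents
          # of the App Store Connect API .p8 key, not a filesystem path.
          API_KEY_BASE64: ${{ secrets.NOTARY_API_KEY_PATH }}
          API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
          API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
        shell: bash
        run: |
          if [ -z "$API_KEY_BASE64" ] || [ -z "$API_KEY_ID" ] || [ -z "$API_KEY_ISSUER_ID" ]; then
            echo "Notarization secrets not found, skipping notarization test"
            exit 0
          fi
          echo "Testing notarization..."

          # Remove the private key and archive even when notarytool fails;
          # under `-e` an inline `rm` after the submit would never run.
          trap 'rm -f api_key.p8 TestApp.zip' EXIT

          # Owner-only permissions on the decoded private key.
          (umask 077; echo "$API_KEY_BASE64" | base64 --decode > api_key.p8)

          ditto -c -k --keepParent "$APP_PATH" "TestApp.zip"

          # --wait blocks until Apple returns a verdict; on a non-Accepted
          # result, `xcrun notarytool log <submission-id>` has the details.
          xcrun notarytool submit "TestApp.zip" \
            --key "api_key.p8" \
            --key-id "$API_KEY_ID" \
            --issuer "$API_KEY_ISSUER_ID" \
            --wait

      # Runs even when an earlier step failed so key material and the
      # temporary keychain never outlive the job on a persistent runner.
      - name: Cleanup
        if: always()
        shell: bash
        run: |
          echo "Cleaning up..."
          if [ -n "${KEYCHAIN_PATH:-}" ]; then
            security delete-keychain "$KEYCHAIN_PATH" || true
          fi
          # Restore the search list and default keychain captured by Setup
          # Certificate; otherwise the runner is left pointing at a deleted
          # keychain. Empty when Setup failed before capturing them.
          if [ -n "${ORIGINAL_KEYCHAIN_LIST:-}" ]; then
            security list-keychains -d user -s $ORIGINAL_KEYCHAIN_LIST || true
          fi
          if [ -n "${ORIGINAL_DEFAULT_KEYCHAIN:-}" ]; then
            security default-keychain -s "$ORIGINAL_DEFAULT_KEYCHAIN" || true
          fi
          rm -rf "$HOME/certificates" || true
          rm -rf TestApp.app TestApp.zip api_key.p8 LuckyWorld.entitlements || true
          echo "Cleanup complete"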