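---
# Exercises the macOS code-signing path on a throwaway app bundle using an
# ad-hoc identity, and drops a reference script + requirements notes for the
# real Developer ID + notarization flow. Nothing here touches production
# certificates or secrets.
name: Test Local Signing

# Least privilege: no step writes back to the repository, so the job token is
# limited to read-only access instead of the (potentially write) default.
permissions:
  contents: read

on:
  workflow_dispatch:  # Manual trigger
  # push:
  #   branches: [ozgur/build]

jobs:
  test-local-signing:
    # NOTE(review): `macos` is not one of GitHub's hosted runner labels
    # (`macos-latest`, `macos-14`, ...); this only resolves if a self-hosted
    # runner carries that label — confirm before relying on it.
    runs-on: macos
    steps:
      - name: Checkout repository
        # Supply-chain hygiene: a version tag can be re-pointed by the action's
        # maintainers. Pin to a full commit SHA (`actions/checkout@<sha> # vN`)
        # so the checked-out code is immutable.
        uses: actions/checkout@v3

      - name: Create Test Entitlements
        run: |
          echo "Creating entitlements file..."
          # These entitlements are deliberately permissive so the ad-hoc signed
          # test bundle exercises the hardened-runtime (--options runtime) path.
          # SECURITY: the four `cs.*` entitlements each weaken hardened-runtime
          # protections (JIT, unsigned executable memory, no library validation,
          # DYLD_* env vars) and let arbitrary code be loaded into the signed
          # process. Do not copy them into a production entitlements file
          # unless the app genuinely needs each one.
          cat > LuckyWorld.entitlements << 'EOF'
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
            <key>com.apple.security.cs.allow-jit</key>
            <true/>
            <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
            <true/>
            <key>com.apple.security.cs.disable-library-validation</key>
            <true/>
            <key>com.apple.security.cs.allow-dyld-environment-variables</key>
            <true/>
            <key>com.apple.security.device.audio-input</key>
            <true/>
            <key>com.apple.security.device.camera</key>
            <true/>
          </dict>
          </plist>
          EOF
          echo "Created entitlements file"
          cat LuckyWorld.entitlements
        shell: bash

      - name: Create Test App Bundle
        run: |
          echo "Creating test app bundle..."

          # Minimal bundle layout: Contents/MacOS/<executable> + Contents/Info.plist
          # is all codesign needs to treat the directory as an app bundle.
          TEST_APP_DIR="TestApp.app"
          mkdir -p "$TEST_APP_DIR/Contents/MacOS"

          # The "executable" is a two-line shell script; it is enough for
          # codesign to have something to seal. printf keeps the newline explicit.
          printf '#!/bin/bash\necho "Hello from TestApp!"\n' > "$TEST_APP_DIR/Contents/MacOS/TestApp"
          chmod +x "$TEST_APP_DIR/Contents/MacOS/TestApp"

          # CFBundleExecutable must match the file name under Contents/MacOS.
          cat > "$TEST_APP_DIR/Contents/Info.plist" << 'EOF'
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
            <key>CFBundleExecutable</key>
            <string>TestApp</string>
            <key>CFBundleIdentifier</key>
            <string>com.luckyworld.testapp</string>
            <key>CFBundleName</key>
            <string>TestApp</string>
            <key>CFBundlePackageType</key>
            <string>APPL</string>
            <key>CFBundleShortVersionString</key>
            <string>1.0</string>
            <key>LSMinimumSystemVersion</key>
            <string>10.10</string>
          </dict>
          </plist>
          EOF
          echo "Created test app bundle"

          if [ ! -d "$TEST_APP_DIR" ]; then
            echo "Error: App bundle not found at $TEST_APP_DIR"
            exit 1
          fi

          echo "App bundle contents:"
          ls -la "$TEST_APP_DIR"
        shell: bash

      - name: Self-Sign App for Testing
        run: |
          echo "Self-signing app for testing..."

          # Ad-hoc identity (`--sign -`): codesign seals the bundle with a
          # hash-only signature and no certificate chain. This is sufficient to
          # exercise entitlements and the hardened-runtime flag, but the result
          # is not trusted by Gatekeeper and cannot be notarized.
          #
          # A self-signed OpenSSL certificate was previously generated here but
          # never used: codesign can only use identities that live in a
          # keychain, so the key/cert files were dead weight (and an unneeded
          # private key on the runner). Removed.
          #
          # NOTE(review): --timestamp requests a trusted timestamp for the CMS
          # signature; with an ad-hoc identity there is no certificate to
          # countersign, so it is believed to be a no-op here — confirm, or drop it.
          echo "Signing app with ad-hoc identity..."
          codesign --force --sign - --timestamp \
            --options runtime \
            --entitlements LuckyWorld.entitlements \
            TestApp.app

          # --strict enforces the current resource-envelope rules; --deep also
          # verifies nested code (none here, but it keeps the check honest if
          # the test bundle grows). Fails the job on any signature problem.
          echo "Verifying signature..."
          codesign -vvv --deep --strict TestApp.app

          # Dump the entitlements actually embedded in the signature so a
          # mismatch with LuckyWorld.entitlements is visible in the log.
          echo "Checking entitlements..."
          codesign -d --entitlements - TestApp.app
        shell: bash

      - name: Create Sign and Notarize Script (Developer Reference)
        run: |
          echo "Creating reference script for actual code signing..."
          # Quoted heredoc delimiter: nothing below is expanded when the file is
          # written; the ${VAR:?...} guards run when the script itself executes.
          cat > sign_and_notarize.sh << 'EOF'
          #!/bin/bash
          # Sign and notarize a macOS application with a Developer ID certificate.
          # Reference only: copy and adapt. Requires a "Developer ID Application"
          # identity already imported into the login keychain.
          set -euo pipefail

          # Configuration (replace with your values)
          APP_PATH="YourApp.app"
          BUNDLE_ID="com.yourdomain.yourapp"
          ENTITLEMENTS_PATH="YourApp.entitlements"

          # SECURITY: credentials come from the environment (CI secret store or a
          # local shell), never from the script body, so they are not committed
          # or copied around with the script. Prefer storing them once with
          #   xcrun notarytool store-credentials "<profile>"
          # and passing `--keychain-profile "<profile>"` below, which keeps the
          # password off the command line and out of process listings.
          TEAM_ID="${TEAM_ID:?set TEAM_ID to your 10-character Apple team ID}"
          APPLE_ID="${APPLE_ID:?set APPLE_ID to the Apple ID used for notarization}"
          APP_PASSWORD="${APP_PASSWORD:?set APP_PASSWORD to an app-specific password}"

          # Step 1: Check for Developer ID Application certificate
          echo "Checking for Developer ID Application certificate..."
          IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')

          if [ -z "$IDENTITY" ]; then
            echo "Error: No Developer ID Application certificate found"
            echo "Please create a Developer ID Application certificate in your Apple Developer account"
            echo "and install it in your keychain"
            exit 1
          fi

          echo "Using identity: $IDENTITY"

          # Step 2: Sign the app
          # --options runtime (hardened runtime) and --timestamp are both
          # required for notarization to succeed.
          echo "Signing app..."
          codesign --force --options runtime --entitlements "$ENTITLEMENTS_PATH" \
            --sign "$IDENTITY" --timestamp "$APP_PATH"

          # Step 3: Verify signing (set -e aborts before upload if this fails)
          echo "Verifying signature..."
          codesign -vvv --deep --strict "$APP_PATH"

          # Step 4: Create zip for notarization
          # ditto preserves resource forks/metadata that plain `zip` can drop,
          # which would otherwise invalidate the signature inside the archive.
          echo "Creating zip for notarization..."
          zip_path="/tmp/app_for_notarization.zip"
          ditto -c -k --keepParent "$APP_PATH" "$zip_path"

          # Step 5: Submit for notarization
          # NOTE(review): check the "status:" line in the --wait output; if it is
          # not "Accepted", inspect the issues with
          #   xcrun notarytool log <submission-id> ...
          # before stapling. Do not assume a zero exit code alone means accepted.
          echo "Submitting for notarization..."
          xcrun notarytool submit "$zip_path" \
            --apple-id "$APPLE_ID" \
            --password "$APP_PASSWORD" \
            --team-id "$TEAM_ID" \
            --wait

          # Step 6: Staple the notarization ticket so offline Gatekeeper checks pass
          echo "Stapling notarization ticket..."
          xcrun stapler staple "$APP_PATH"

          # Step 7: Verify notarization with Gatekeeper's own assessment
          echo "Verifying notarization..."
          spctl --assess --verbose --type exec "$APP_PATH"

          echo "App successfully signed and notarized!"
          EOF

          chmod +x sign_and_notarize.sh
          echo "Created reference script for actual code signing"
        shell: bash

      - name: Documentation for Certificate Requirements
        run: |
          # Written once and echoed to the log via tee, instead of duplicating
          # every line for stdout and for the file.
          tee signing_requirements.txt << 'EOF'
          Requirements for code signing with Developer ID Application certificate:

          1. You must have a paid Apple Developer account
          2. You need to create a Developer ID Application certificate in Apple Developer Portal
          3. The certificate must be exported with its private key in p12 format
          4. The certificate must be properly imported into keychain with proper access controls
          5. For production, you should use the xcrun notarytool to notarize your app

          Common issues:
          - The p12 file doesn't contain a private key
          - The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)
          - The certificate has expired
          - The certificate was revoked
          - Keychain access restrictions are preventing access to the private key

          For testing purposes, you can sign with ad-hoc identity (as demonstrated in this workflow)
          For production, follow the steps in the reference script created in this workflow
          EOF
        shell: bash

      - name: Cleanup
        if: always()
        run: |
          echo "Cleaning up..."
          # Tolerant removal: earlier steps may have failed before creating
          # these, and the job should not fail on cleanup.
          rm -rf TestApp.app LuckyWorld.entitlements || true
          echo "Cleanup complete"
        shell: bash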