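package codesign

import (
	"context"
	"errors"
	"fmt"

	"github.com/leonmika/wails-release/internal/runner"
)

// SignOpts configures a codesign invocation.
type SignOpts struct {
	// AppPath is the .app bundle to sign. Required.
	AppPath string
	// Identity is the signing identity handed to --sign. Required.
	Identity string
	// KeychainPath, when non-empty, is handed to --keychain so codesign
	// resolves Identity from that keychain only. When empty the flag is
	// omitted and codesign falls back to its default keychain search list.
	KeychainPath string
}

// Sign runs `codesign` against a .app bundle, signing recursively with
// the hardened runtime and a secure timestamp.
//
// Sign fails before spawning codesign when opts.AppPath or opts.Identity is
// empty, so a misconfigured release surfaces a clear message rather than an
// opaque codesign exit status. The runner's error is wrapped so callers can
// still inspect it with errors.Is/errors.As.
func Sign(ctx context.Context, r runner.Runner, opts SignOpts) error {
	if opts.AppPath == "" {
		return errors.New("codesign sign: AppPath is required")
	}
	if opts.Identity == "" {
		return errors.New("codesign sign: Identity is required")
	}

	// --deep re-signs nested code (frameworks, helpers, plug-ins) with these
	// same options; --force replaces any existing signature; --options
	// runtime enables the hardened runtime required for notarization; and
	// --timestamp requests a secure timestamp so the signature remains valid
	// after the signing certificate expires. Apple documents --deep as a
	// convenience: nested code that needs its own entitlements should be
	// signed inside-out instead, so revisit this if such components appear.
	args := []string{
		"--deep",
		"--force",
		"--options", "runtime",
		"--timestamp",
		"--sign", opts.Identity,
	}
	// --keychain is optional for codesign; only pass it when a path was given
	// so an unset KeychainPath does not become a bogus empty argument.
	if opts.KeychainPath != "" {
		args = append(args, "--keychain", opts.KeychainPath)
	}
	// The bundle path is always the final positional argument.
	args = append(args, opts.AppPath)

	if _, err := r.Run(ctx, runner.Spec{Name: "codesign", Args: args}); err != nil {
		return fmt.Errorf("codesign sign: %w", err)
	}
	return nil
}

// Verify runs `codesign --verify --deep --strict` against the bundle.
//
// --deep walks nested code as well as the outer bundle and --strict asks
// codesign for strict validation rather than its lenient legacy behaviour.
// A passing Verify confirms the signature is present and intact; it does not
// assess Gatekeeper acceptance or notarization, which are separate checks
// (for example `spctl --assess`). An empty appPath is rejected up front.
func Verify(ctx context.Context, r runner.Runner, appPath string) error {
	if appPath == "" {
		return errors.New("codesign verify: appPath is required")
	}
	if _, err := r.Run(ctx, runner.Spec{
		Name: "codesign",
		Args: []string{"--verify", "--deep", "--strict", appPath},
	}); err != nil {
		return fmt.Errorf("codesign verify: %w", err)
	}
	return nil
}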