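<#
.SYNOPSIS
    Sign a single app package file and output its hash + signature for the manifest.

.DESCRIPTION
    Run this once per app package you want to add to apps.json.
    Copy the output values into the appropriate platforms entry in
    manifests/apps.json, then re-run sign-manifest.ps1 to re-sign the
    updated manifest.

    The private key is read from the MANIFEST_SIGNING_KEY environment variable
    when it is set (the PEM text is written to a temporary file for OpenSSL and
    deleted afterwards); otherwise it is read from -KeyPath.

.PARAMETER PackagePath
    Path to the package file to hash and sign. Must resolve to exactly one file.

.PARAMETER KeyPath
    Path to the PEM private key, used only when MANIFEST_SIGNING_KEY is not set.

.EXAMPLE
    .\scripts\sign-package.ps1 -PackagePath .\dist\my-app.exe
#>
param(
    [Parameter(Mandatory)]
    [string]$PackagePath,
    [string]$KeyPath = ".\keys\manifest-private.pem"
)

$ErrorActionPreference = "Stop"

# ── Locate OpenSSL (probes common Windows install paths if not on PATH) ───────
. "$PSScriptRoot\_openssl.ps1"

# Resolve to absolute paths so .NET IO methods use the correct CWD
$PackagePath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($PackagePath)
$KeyPath     = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($KeyPath)

# Resolve-Path expands wildcards, so a pattern could match several files. The
# hash, size and signature below must all describe the same single file, so
# refuse anything but exactly one match.
$pkgMatches = @(Resolve-Path $PackagePath)
if ($pkgMatches.Count -ne 1) {
    throw "PackagePath must resolve to exactly one file (matched $($pkgMatches.Count))"
}
$resolvedPkg = $pkgMatches[0]

$resolvedKey = $null
$tempKeyFile = $null
$tempSig     = $null

try {
    if ($env:MANIFEST_SIGNING_KEY) {
        # The key is materialised inside the try block so that the finally block
        # removes it even if the write itself fails part-way.
        # NOTE(security): the file inherits the permissions of $env:TEMP, and
        # Remove-Item only unlinks it (no overwrite). Run this on a host where
        # the temp directory is private to the signing account.
        $tempKeyFile = Join-Path $env:TEMP "psg-sign-key-$([System.Guid]::NewGuid()).pem"
        [IO.File]::WriteAllText($tempKeyFile, $env:MANIFEST_SIGNING_KEY)
        $resolvedKey = $tempKeyFile
    } else {
        $resolvedKey = Resolve-Path $KeyPath
    }

    # SHA-256 hash
    $hashObj = Get-FileHash -Path $resolvedPkg -Algorithm SHA256
    $hash    = $hashObj.Hash.ToLower()

    # File size
    $sizeBytes = (Get-Item $resolvedPkg).Length

    # ed25519 signature. -rawin makes pkeyutl sign the file contents directly
    # (required for Ed25519; available in OpenSSL 3.0 and later).
    # NOTE(review): the hash, size and signature are taken in three separate
    # reads of the package; make sure nothing rewrites the file while this runs.
    $tempSig = Join-Path $env:TEMP "psg-pkg-sig-$([System.Guid]::NewGuid()).bin"
    & openssl pkeyutl -sign -inkey $resolvedKey -rawin -in $resolvedPkg -out $tempSig
    if ($LASTEXITCODE -ne 0) { throw "openssl signing failed" }

    $sigB64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($tempSig))

    Write-Host ""
    Write-Host "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" -ForegroundColor Yellow
    Write-Host "Add this to the relevant platforms entry in manifests/apps.json:" -ForegroundColor Yellow
    Write-Host ""
    Write-Host @"
  "hash_sha256": "$hash",
  "size_bytes": $sizeBytes,
  "signature": "$sigB64"
"@ -ForegroundColor Cyan
    Write-Host ""
    Write-Host "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" -ForegroundColor Yellow
    Write-Host "Then re-run: .\scripts\sign-manifest.ps1"
} finally {
    # Clean up on every exit path. The key file goes first so that a failure to
    # delete the (non-secret) signature file cannot leave the key behind.
    foreach ($tmp in @($tempKeyFile, $tempSig)) {
        if ($tmp -and (Test-Path -LiteralPath $tmp)) {
            Remove-Item -LiteralPath $tmp -Force
        }
    }
}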