#!/bin/sh
# XXX: change XXX_EMAIL_IDENTITY to the email address that holds the sign key

set -e

log() {
	msg="$*"
	datetime="$(date --utc --iso-8601='ns')"
	printf -- ':: %s %s\n' "$datetime" "$msg"
}

input="$1"

if [ -z "$input" ]
then
	log "no input. aborting.."
	exit 1
else log "using input: $1"
fi

name="${input%.pdf}"
output_detached="${name}.sig"
output_clearsign="${name}.clearsign.pdf"
archive="${name}.zip"

keyid="$(
	gpg --list-key XXX_EMAIL_IDENTITY \
	| awk '$1 == "pub"{sub("^[^/]*/", "", $2); print $2; exit}'
)"
log "using keyid: $keyid"

gpg -u "$keyid" --detach-sig --output="$output_detached" "$input"
if [ "$?" = 0 ]
then log "detached signature success"
else log "detached signature failed"
fi

gpg --verify "$output_detached" "$input"
if [ "$?" = 0 ]
then log "signature is valid"
else log "signature is invalid"
fi

gpg --clearsign --output="$output_clearsign" "$input"
if [ "$?" = 0 ]
then log "clearsign success"
else log "clearsign failed"
fi

zip "$archive" "$input" "$output_detached" "$output_clearsign"
if [ "$?" = 0 ]
then log "archive success"
else log "archive failed"
fi

unzip -vl "$archive"