$ErrorActionPreference = 'Stop'
$TimeServer = "http://timestamp.sectigo.com"

$signToolSearchPath = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x64\signtool.exe"

[string]$signtool = Get-ChildItem $signToolSearchPath -ErrorAction SilentlyContinue `
    | Sort-Object -Property FullName `
    | Select-Object -Last 1

if (!$signtool) {
    Write-Warning "SignTool.exe not found. You need to install a Windows SDK."
    exit 1
}

$certFile = Get-ChildItem "$PSScriptRoot\*.pfx" `
    | Sort-Object -Property Name `
    | Select-Object -First 1
if (!$certFile) {
    Write-Warning "No PFX file found in the project root."
    Write-Host "This script needs a certificate with private key as a PFX file in the project root to work."
    exit 1
}
# $certFile = Read-Host "Path of certificate with private key (PFX)"
# if (!(Test-Path $certFile)) {
#     Write-Warning "Could not find the PFX file"
#     exit 1
# }

function ConvertFrom-SecureToPlain {
    param([Parameter(Mandatory=$true)][System.Security.SecureString] $SecurePassword)
    # Create a "password pointer"
    $passwordPointer = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
    # Get the plain text version of the password
    $plainTextPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto($passwordPointer)
    # Free the pointer
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($passwordPointer)
    # Return the plain text password
    $plainTextPassword
}

$pfxPassword = Read-Host -AsSecureString "PFX Password"

$jobs = @(
    @{
        "arch" = "x86"
        "src" = "$PSScriptRoot\target\i686-pc-windows-msvc\release\boom.exe"
    }
    @{
        "arch" = "x64"
        "src" = "$PSScriptRoot\target\x86_64-pc-windows-msvc\release\boom.exe"
    }
)

Write-Output "Signing and zipping EXE files..."
$releaseRoot = "$PSScriptRoot\release"
if (!(Test-Path $releaseRoot)) { mkdir $releaseRoot -Force | Out-Null }
foreach ($exe in $jobs) {
    if (!(Test-Path $exe.src)) {
        Write-Warning "Could not find '$($exe.src)'"
        exit 1
    }
    Write-Output "- Architecture: $($exe.arch)"
    $releaseDir = "$releaseRoot\$($exe.arch)"
    if (!(Test-Path $releaseDir)) { mkdir $releaseDir -Force | Out-Null }
    $releaseFile = "$releaseDir\boom.exe"
    $releaseZip = "$releaseRoot\boom_$($exe.arch).zip"

    if (Test-Path $releaseFile) { Remove-Item $releaseFile }
    if (Test-Path $releaseZip) { Remove-Item $releaseZip }
    Copy-Item $exe.src $releaseFile

    & $signtool sign `
        /f $certFile /p $(ConvertFrom-SecureToPlain $pfxPassword) `
        /fd sha256 /td sha256 /tr $TimeServer `
        $releaseFile
    if ($LASTEXITCODE) {
        Write-Warning "Signing failed."
        exit 1
    }

    Compress-Archive -Path $releaseFile -DestinationPath $releaseZip -CompressionLevel Optimal
}