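#!/usr/bin/env bash
#
# Sign a policy document read from stdin with a GPG key and print the signed
# document on stdout.
#
# Usage (from the original header comment): echo "{}" | mkpolicy key_id
# NOTE(review): diagnostics are prefixed "polsign" while the usage line says
# "mkpolicy" -- confirm which name the script is installed under.
#
# Arguments: $1 - key id handed to `gpg --local-user`
# Input:     a JSON document on stdin
# Output:    {"rules": ..., "signature": "<armored detached signature>"}
# Exit:      0 on success, 255 on any failure (message on stderr)
#
# What the signature covers: exactly the bytes of
#   jq -c '{ rules: .rules, signature: null }'
# followed by a single newline. Only `.rules` is kept; every other top-level
# key of the input is dropped from the output and is not signed. A verifier
# has to rebuild this byte sequence (same key order, compact form, trailing
# newline) before checking the detached signature.
set -u

# Print a prefixed diagnostic on stderr and stop with the script's error code.
die() {
  printf 'polsign: %s\n' "$1" >&2
  exit 255
}

# Default to empty so that `set -u` does not abort with "unbound variable"
# (exit 1) before the intended message and exit code are produced.
KEY_ID="${1:-}"
if [[ -z "$KEY_ID" ]]; then die "A signing key id must be defined!"; fi

# Parse stdin once; jq rejects anything that is not valid JSON.
# The status is saved immediately: inside the `then` branch `$?` is already
# the status of the test itself, so reporting `$?` there always printed 0.
JSON="$(jq . < /dev/stdin)"
rc=$?
if (( rc != 0 )); then die "Unexpected exit code when loading JSON from stdin: $rc"; fi

# Canonical payload: rules only, signature slot nulled, compact output.
# NOTE(review): an input without a `rules` key yields `rules: null`, which is
# still signed below; reject it here if an empty policy must never carry a
# valid signature.
_JSON="$(printf '%s\n' "$JSON" | jq '{ rules: .rules, signature: null }' -c)"
rc=$?
if (( rc != 0 )); then die "Unexpected exit code when stripping JSON: $rc"; fi

# printf '%s\n' emits the same bytes the previous `echo` did (payload plus one
# newline), so signatures remain comparable with earlier output.
SIGNATURE="$(printf '%s\n' "$_JSON" | gpg --local-user "$KEY_ID" --sign --armor --detach-sig)"
rc=$?
if (( rc != 0 )); then die "Unexpected exit code when signing JSON: $rc"; fi
# Never emit a document whose signature field is an empty string.
if [[ -z "$SIGNATURE" ]]; then die "gpg returned an empty signature"; fi

# Merge the armored signature into the payload that was signed.
SIGNED="$(jq --null-input \
  --argjson event "$_JSON" \
  --arg signature "$SIGNATURE" \
  '$event * { signature: $signature }')"
rc=$?
if (( rc != 0 )); then die "Unexpected exit code when assembling signed JSON: $rc"; fi

printf '%s\n' "$SIGNED"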