#!/usr/bin/env bash
# CoraSigne one-URL installer.
# Served at https://get.corasigne.net.
#
# Usage:
#   curl -sSL https://get.corasigne.net | sudo bash
#
# What it does:
#   1. Detect Ubuntu 22.04 / 24.04 / AlmaLinux 9 / Rocky 9 (other distros: fail loud)
#   2. Verify GPG fingerprint matches the hardcoded one (defense against repo compromise)
#   3. Add the corasigne repo with signed-by= clause (apt) or gpgcheck=1 (yum)
#   4. apt/dnf install corasigne
#   5. Print "Run corasigne-installer init" to finish setup

set -euo pipefail

# CONSTANTS — update these in lockstep with the CI-published GPG key.
# CoraSigne signing key (RSA 4096, generated 2026-06-17, expires 2031-06-16).
# verify_fingerprint() asserts this exact value after importing pubkey.asc;
# any drift aborts the install with "Repo may be compromised."
EXPECTED_FINGERPRINT="11B23FB5B78C86EE05510CEAA56DFE55E2BBFB03"
# Repo base: operator-hosted static-file server.
REPO_BASE="https://repo.corasigne.net"
PUBKEY_URL="$REPO_BASE/pubkey.asc"

# Pre-flight
if [ "$(id -u)" -ne 0 ]; then
    echo "ERROR: install.sh must be run as root (use sudo)" >&2
    exit 1
fi
if [ "$(uname -m)" != "x86_64" ]; then
    echo "ERROR: only x86_64 is supported in v0.2.1; got $(uname -m)" >&2
    echo "       ARM support is post-MVP. Build from source if needed." >&2
    exit 1
fi

# Detect distro (sourced from install-lib.sh; in production this is inlined)
# shellcheck disable=SC1091  # sourcing from heredoc via /dev/stdin — body inlined just below
. /dev/stdin <<'INLINE_LIB'
detect_distro() {
    local osr="${OS_RELEASE_FILE:-/etc/os-release}"
    if [ ! -r "$osr" ]; then
        echo "unknown|?"
        return
    fi
    . "$osr"
    case "$ID" in
        ubuntu)              echo "ubuntu|${VERSION_ID:-?}" ;;
        almalinux|rocky|rhel) echo "rhel|${VERSION_ID:-?}" ;;
        *)                   echo "unknown|?" ;;
    esac
}
is_supported() {
    case "$1|$2" in
        'ubuntu|22.04'|'ubuntu|24.04') return 0 ;;
        'rhel|9'*) return 0 ;;
        *) return 1 ;;
    esac
}
verify_fingerprint() {
    local expected="$1" key="$2"
    local actual
    actual=$(gpg --fingerprint "$key" 2>/dev/null | grep -E '^\s+[A-F0-9]{4}( [A-F0-9]{4}){9}' | head -1 | tr -d ' ')
    [ "$actual" = "$expected" ]
}
INLINE_LIB

DISTRO=$(detect_distro)
FAMILY="${DISTRO%|*}"
VERSION="${DISTRO#*|}"

if ! is_supported "$FAMILY" "$VERSION"; then
    echo "ERROR: unsupported distro: $FAMILY $VERSION" >&2
    echo "       v0.2.1 supports Ubuntu 22.04 + 24.04, AlmaLinux/Rocky 9.x" >&2
    echo "       For other distros, use the tarball: $REPO_BASE/releases/" >&2
    exit 1
fi

TMP=$(mktemp -d /var/tmp/corasigne-install.XXXXXX)
# shellcheck disable=SC2064  # $TMP is set immediately above and we want it captured at trap-set time
trap "rm -rf $TMP" EXIT

# Fetch + verify GPG public key
echo "==> Fetching GPG public key..."
curl -fsSL "$PUBKEY_URL" -o "$TMP/pubkey.asc"
gpg --homedir "$TMP/gpg" --batch --import "$TMP/pubkey.asc" 2>/dev/null
if ! GNUPGHOME="$TMP/gpg" verify_fingerprint "$EXPECTED_FINGERPRINT" "signing@corasigne.net"; then
    echo "ERROR: GPG fingerprint mismatch! Repo may be compromised." >&2
    echo "       Expected: $EXPECTED_FINGERPRINT" >&2
    echo "       Do NOT proceed." >&2
    exit 1
fi
echo "==> GPG fingerprint verified: $EXPECTED_FINGERPRINT"

case "$FAMILY" in
ubuntu)
    echo "==> Setting up APT repo for Ubuntu $VERSION..."
    install -d /usr/share/keyrings
    gpg --dearmor < "$TMP/pubkey.asc" > /usr/share/keyrings/corasigne-archive-keyring.gpg
    echo "deb [signed-by=/usr/share/keyrings/corasigne-archive-keyring.gpg] $REPO_BASE/apt stable main" \
        > /etc/apt/sources.list.d/corasigne.list
    apt-get update -qq
    apt-get install -y corasigne
    ;;
rhel)
    echo "==> Setting up YUM repo for AlmaLinux/Rocky $VERSION..."
    install -m 0644 "$TMP/pubkey.asc" /etc/pki/rpm-gpg/RPM-GPG-KEY-corasigne
    cat > /etc/yum.repos.d/corasigne.repo <<EOF
[corasigne]
name=CoraSigne stable
baseurl=$REPO_BASE/yum/el9/x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-corasigne
EOF
    dnf install -y corasigne
    ;;
esac

cat <<EOF

CoraSigne v0.2.1 installed.

Next: run \`sudo corasigne-installer init\` to complete first-time setup.
Documentation: https://corasigne.net/docs/install
EOF
