#!/bin/sh
# Abort on any unhandled command failure and on use of an unset variable.
# pipefail is not enabled, so a pipeline's exit status is that of its last
# command only; a failure in an earlier stage does not stop the script by itself.
set -o errexit -o nounset

# CityMall CLI installer.
#   curl -fsSL https://cli.citymall.live/install.sh | sh
#
# Integrity chain:
#   1. SHA256SUMS is signed with the CityMall release key (RSA-4096).
#   2. This script PINS the public key below (source-controlled, NOT served from the
#      artifact bucket), so a compromised bucket cannot forge a valid signature.
#   3. We verify the signature, then verify the binary against the signed SHA256SUMS.

# Download origin and install directory. Each can be overridden from the
# environment (CM_INSTALL_BASE, CM_BIN_DIR); an unset or empty override falls
# back to the default. Overriding the origin only changes where files are
# fetched from: whatever is downloaded still has to verify against the pinned
# release key further down.
BASE_URL=${CM_INSTALL_BASE:-https://cli.citymall.live}
BIN_DIR=${CM_BIN_DIR:-/usr/local/bin}

# --- pinned release public key (independent trust anchor) ---
# PEM-encoded public key (RSA-4096 per the header comment). It is written to a
# temp file further down and handed to `openssl dgst -verify` to check
# SHA256SUMS.sig. Because the key is embedded here instead of being downloaded
# with the artifacts, whoever controls the artifact files alone cannot swap in
# a key of their own.
# NOTE(review): the documented install command fetches this script from the
# same hostname as the default BASE_URL. The pin is an independent anchor only
# if the script and the release artifacts are served from separately
# controlled storage — confirm.
# NOTE(review): a single key is pinned and no rotation or revocation path is
# visible in this script; replacing the key appears to require shipping a new
# installer — confirm against the release process.
RELEASE_PUBKEY='-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxrYEETTtjBItVgNVmOk8
L4uX5gFuIbIBNv9+qOUft4bwtJiHhzCkbRXMRJpnb05w8ip98BXkk+fO0s4cmpWQ
aoRIknBWMF09dpVt+rwBe495UieWng+ei96YEVS01R9b0gt6q7NdB6uXyZx4wymY
d7cqLU1C0nJYkZWe9Qr4B5cajYbylAyKjpDfAzTJUftFygsygaNKrxZSSOM/x9KA
qFSkfOIBJcCYaQuV/+ce2orKwT++gwJiddZpbqWkQyJKcNy/FUslfAPUHK3SxsKR
+epN7f0W9q3knQX7I7k/eEqXJb4n4eNLFf/0SRriMIb0d/iYoFj1IoiWVWUbXENL
3OYTIpq9lojrNe5rrc5dnUZPsPjycH3Op1+PFmRcWxxzXA1AnxPUUa00AT/C9k44
4RVWeO6bw/mbinmzpr5iengh+BLAc2ot3F0ZkidkTtKDRLBMm36N1Dt7m5r1iSsn
j7VapjkzxQatirGcjFHkU7UWUte/I6PA5DYsr+a3QVJsxYHS6+PmINHGyLmWPbmk
Ua1WjGs6jACEumyA5+eTCdBxazCQKuZxi6NTI1RVg6RNW61h8CZbq0ByFdGJgYro
5tWYNPSbjOIizRAoM7/zjWLnh6C0vUuHd2u+EDoBnUOQVrljgNYNPRdAJvSMTLmD
Sdy0IkWpuQU4f+W5qhRU9/cCAwEAAQ==
-----END PUBLIC KEY-----'

# Work out which release asset applies to this machine. The kernel name is
# lower-cased and the machine name is folded onto the two architecture labels
# used in asset names; anything else aborts before any download happens.
os=$(uname -s | tr '[:upper:]' '[:lower:]')
arch=$(uname -m)

if [ "$arch" = x86_64 ] || [ "$arch" = amd64 ]; then
  arch=amd64
elif [ "$arch" = arm64 ] || [ "$arch" = aarch64 ]; then
  arch=arm64
else
  echo "unsupported arch: $arch" >&2
  exit 1
fi

if [ "$os" != darwin ] && [ "$os" != linux ]; then
  echo "unsupported os: $os" >&2
  exit 1
fi

# openssl is a hard requirement: without it the release signature cannot be
# checked, so stop here rather than install something unverified.
if ! command -v openssl >/dev/null 2>&1; then
  echo "openssl is required to verify the release signature but was not found" >&2
  exit 1
fi

# Name of the release asset for this platform, and a private scratch directory
# (created by mktemp) that holds every download until verification is done.
asset=cm_${os}_${arch}
tmp=$(mktemp -d)

# Remove the scratch directory on every exit path.
cleanup() {
  rm -rf "$tmp"
}
trap cleanup EXIT

# Fetch one file from the release origin into the scratch directory.
#   $1 - name of the file under BASE_URL
#   $2 - name to store it under in $tmp
# curl -f turns an HTTP error status into a failure, which aborts the script under set -e.
fetch_to_tmp() {
  curl -fsSL "$BASE_URL/$1" -o "$tmp/$2"
}

echo "Downloading $asset..."
# Nothing fetched here is trusted yet: authenticity comes from the signature and
# checksum checks that follow, not from the transport.
fetch_to_tmp "$asset" cm
fetch_to_tmp SHA256SUMS SHA256SUMS
fetch_to_tmp SHA256SUMS.sig SHA256SUMS.sig

echo "Verifying release signature..."
# Materialise the pinned key as a file, because openssl takes the verification
# key by path, then check SHA256SUMS.sig over SHA256SUMS. The key comes from
# this script, never from the download, so a substituted SHA256SUMS cannot
# bring its own key.
#
# openssl's output is discarded, so every failure mode (bad signature,
# unreadable key, unsupported openssl build) surfaces as the same message.
#
# NOTE(review): this proves SHA256SUMS was signed by the release key, not that
# it is the current release. No version or expiry check is visible in this
# script, so an older, validly signed SHA256SUMS with its matching binary
# would also pass — confirm whether rollback protection exists elsewhere.
printf '%s\n' "$RELEASE_PUBKEY" > "$tmp/cm-release.pub"
openssl dgst -sha256 \
  -verify "$tmp/cm-release.pub" \
  -signature "$tmp/SHA256SUMS.sig" \
  "$tmp/SHA256SUMS" >/dev/null 2>&1 || {
  echo "SIGNATURE VERIFICATION FAILED — refusing to install (possible tampering)" >&2
  exit 1
}

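echo "Verifying checksum..."
# SHA256SUMS is consulted only after its signature has verified against the
# pinned key; the downloaded binary is accepted only if its digest equals the
# entry recorded there.
#
# Look the asset up as an exact field rather than as a regular expression, and
# accept both layouts the checksum tools emit: "HASH  NAME" (text mode) and
# "HASH *NAME" (binary mode). If the file lists the asset more than once,
# $expected holds several lines and the comparison below fails closed.
expected=$(awk -v name="$asset" \
  'NF == 2 && ($2 == name || $2 == "*" name) { print $1 }' "$tmp/SHA256SUMS")
if [ -z "$expected" ]; then echo "no checksum for $asset" >&2; exit 1; fi

# Hash the download via stdin so the scratch path never appears in the tool's
# output. openssl is already a hard requirement of this installer, so it serves
# as the last fallback; with no tool at all, say so instead of reporting a
# misleading "checksum mismatch" with an empty digest.
if command -v sha256sum >/dev/null 2>&1; then
  actual=$(sha256sum < "$tmp/cm" | awk '{print $1}')
elif command -v shasum >/dev/null 2>&1; then
  actual=$(shasum -a 256 < "$tmp/cm" | awk '{print $1}')
elif command -v openssl >/dev/null 2>&1; then
  actual=$(openssl dgst -sha256 -r < "$tmp/cm" | awk '{print $1}')
else
  echo "no SHA-256 tool found (need sha256sum, shasum or openssl)" >&2
  exit 1
fi

# A hashing tool that fails leaves $actual empty (pipeline status is awk's),
# which cannot equal the non-empty $expected, so that case also fails closed.
if [ "$expected" != "$actual" ]; then
  echo "checksum mismatch: expected $expected got $actual" >&2
  exit 1
fi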

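# Install the verified binary.
#
# install(1) is used instead of mv so the result has a fixed 0755 mode whatever
# the caller's umask is, and so that on the sudo path the file is created by
# root. With `sudo mv` the file kept the invoking user's ownership, leaving a
# binary in a system directory that any process running as that user could
# later overwrite without privilege.
if [ -w "$BIN_DIR" ]; then
  install -m 0755 "$tmp/cm" "$BIN_DIR/cm"
else
  echo "Installing to $BIN_DIR (sudo)..."
  sudo install -m 0755 "$tmp/cm" "$BIN_DIR/cm"
fi
echo "Installed cm to $BIN_DIR/cm"

# Tell the user when the install directory is not searched by their shell.
case ":$PATH:" in
  *":$BIN_DIR:"*) ;;
  *) echo "note: $BIN_DIR is not on your PATH" >&2 ;;
esac

# Run the binary that was just installed, by explicit path. A bare `cm` would
# run whichever cm comes first on PATH (possibly a different file), or fail the
# script after a successful install when BIN_DIR is not on PATH.
"$BIN_DIR/cm" --version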
