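#!/bin/bash
# =============================================================================
# Verify APK Signature
# =============================================================================
# Checks that an APK carries a valid JAR (v1) signature and prints the
# signing certificate details.
#
# Usage:
#   ./verify-apk-signature.sh <apk_path>
#
# Arguments:
#   apk_path - Path to the APK file to verify
#
# Exit status:
#   0 - the check ran; a failed or missing signature only produces a warning
#   1 - missing argument, APK not found, or jarsigner not installed
#
# Security notes:
#   - jarsigner validates JAR (v1) signatures only. An APK signed solely with
#     APK Signature Scheme v2 or later has no v1 signature and is reported as
#     unsigned here; `apksigner verify` from the Android SDK build-tools is
#     the tool that checks those schemes.
#   - "jar verified" means the signature is internally consistent. It does
#     not show that the APK was signed with the expected release key, so
#     compare the printed certificate fingerprint against the known release
#     certificate before trusting the artifact.
#   - A failed verification does not fail the build (see the end of the
#     script), so callers must not treat exit status 0 as "signed".
# =============================================================================

set -eu

APK_PATH="${1:-}"

if [ -z "$APK_PATH" ]; then
  echo "❌ Error: Missing APK path" >&2
  echo "Usage: $0 <apk_path>" >&2
  exit 1
fi

if [ ! -f "$APK_PATH" ]; then
  echo "❌ APK not found at: $APK_PATH" >&2
  exit 1
fi

# Without this check a missing JDK falls through to the "unsigned" warning
# below, which misreports an environment problem as a signing problem.
if ! command -v jarsigner >/dev/null 2>&1; then
  echo "❌ Error: jarsigner not found on PATH (is a JDK installed?)" >&2
  exit 1
fi

echo "🔍 Verifying APK signature..." >&2

# Decide on the non-verbose summary and anchor the match at the start of a
# line, so that text elsewhere in the output (for example names shown in a
# verbose entry listing) cannot satisfy the check.
# `|| true` keeps `set -e` from aborting before the result is inspected.
verify_summary="$(jarsigner -verify "$APK_PATH" 2>&1 || true)"

if printf '%s\n' "$verify_summary" | grep -q '^jar verified\.'; then
  echo "✅ APK is properly signed!" >&2

  # Certificate details go to stdout; a missing X.509 line is not an error.
  echo "" >&2
  echo "📜 Certificate Details:" >&2
  jarsigner -verify -verbose -certs "$APK_PATH" 2>&1 | grep -A 3 "X.509" || true

  # Signer info (owner, issuer, validity, fingerprints) for manual comparison
  # with the expected release certificate.
  echo "" >&2
  echo "🔑 Signer Information:" >&2
  keytool -printcert -jarfile "$APK_PATH" | head -n 15
else
  echo "⚠️ WARNING: APK signature verification failed or APK is unsigned!" >&2
  echo "" >&2
  echo "This may happen if:" >&2
  echo " 1. GitHub Secrets are not configured for this environment" >&2
  echo " 2. Keystore credentials are incorrect" >&2
  echo " 3. Build configuration didn't apply signing" >&2
  echo "" >&2
  echo "See: docs/RELEASE/APK_SIGNING_SETUP.md for setup instructions" >&2

  # Deliberately warn-only: the build is not failed on an unsigned APK.
  # Re-enable the line below for release pipelines, where an unsigned or
  # unverifiable artifact should never be published.
  # exit 1
fi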