package org.jreleaser.engine.sign;

import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import org.bouncycastle.openpgp.PGPCompressedData;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPObjectFactory;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureGenerator;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;
import org.jreleaser.bundle.RB;
import org.jreleaser.model.Signing;
import org.jreleaser.model.api.signing.Keyring;
import org.jreleaser.model.api.signing.SigningException;
import org.jreleaser.model.internal.JReleaserContext;
import org.jreleaser.model.internal.catalog.sbom.SbomCataloger;
import org.jreleaser.model.internal.common.Artifact;
import org.jreleaser.model.internal.distributions.Distribution;
import org.jreleaser.model.internal.util.Artifacts;
import org.jreleaser.model.spi.catalog.sbom.SbomCatalogerProcessorHelper;
import org.jreleaser.sdk.signing.GpgCommandSigner;
import org.jreleaser.sdk.signing.SigningUtils;
import org.jreleaser.sdk.tool.Cosign;
import org.jreleaser.sdk.tool.ToolException;
import org.jreleaser.util.Algorithm;
import org.jreleaser.util.StringUtils;

/* loaded from: input_file:org/jreleaser/engine/sign/Signer.class */
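/**
 * Creates and verifies detached signatures for release files, distribution artifacts,
 * SBOM catalogs and checksum files.
 *
 * <p>Three back ends are supported, selected by the configured signing mode: an external
 * {@code gpg} command, {@code cosign}, and in-process OpenPGP through BouncyCastle (the
 * fallback for every other mode). Each back end collects the candidate files, skips those
 * whose existing signature is still valid, signs the rest and then verifies the new
 * signatures.
 */
public final class Signer {
    private Signer() {
    }

    /**
     * Signs everything selected by the signing configuration.
     *
     * <p>The enabled check runs inside the {@code try} so that the logger prefix and
     * indentation set up here are restored on every exit path, including the
     * "signing not enabled" early return.
     *
     * @param context the release context that carries model, logger and directories
     * @throws SigningException if signing or the follow-up verification fails
     */
    public static void sign(JReleaserContext context) throws SigningException {
        context.getLogger().info(RB.$("signing.header"));
        context.getLogger().increaseIndent();
        context.getLogger().setPrefix("sign");
        try {
            if (!context.getModel().getSigning().isEnabled()) {
                context.getLogger().info(RB.$("signing.not.enabled"));
                return;
            }
            Signing.Mode mode = context.getModel().getSigning().getMode();
            if (mode == Signing.Mode.COMMAND) {
                cmdSign(context);
            } else if (mode == Signing.Mode.COSIGN) {
                cosignSign(context);
            } else {
                bcSign(context);
            }
        } finally {
            context.getLogger().restorePrefix();
            context.getLogger().decreaseIndent();
        }
    }

    /**
     * Signs with the external gpg command. Verification of the new signatures only runs
     * when the signing configuration asks for it ({@code isVerify()}).
     */
    private static void cmdSign(JReleaserContext context) throws SigningException {
        List<SigningUtils.FilePair> pending = pendingSignatures(context,
            collectArtifacts(context, pair -> SigningUtils.isValid(context.asImmutable(), (Keyring) null, pair)));
        if (pending.isEmpty()) {
            return;
        }
        sign(context, pending);
        if (context.getModel().getSigning().isVerify()) {
            verify(context, pending);
        }
    }

    /**
     * Signs with cosign, generating a key pair when no private key file is configured and
     * none exists at the resolved default location.
     *
     * <p>Unlike the two OpenPGP paths, verification always runs after signing here.
     */
    private static void cosignSign(JReleaserContext context) throws SigningException {
        org.jreleaser.model.internal.signing.Signing signing = context.getModel().getSigning();
        Cosign cosign = new Cosign(context.asImmutable(), signing.getCosign().getVersion());
        try {
            if (!cosign.setup()) {
                context.getLogger().warn(RB.$("tool_unavailable", "cosign"));
                return;
            }
            String privateKeyFile = signing.getCosign().getPrivateKeyFile();
            String publicKeyFile = signing.getCosign().getPublicKeyFile();
            Path privateKey = StringUtils.isNotBlank(privateKeyFile) ? context.getBasedir().resolve(privateKeyFile) : null;
            Path publicKey = StringUtils.isNotBlank(publicKeyFile) ? context.getBasedir().resolve(publicKeyFile) : null;
            String passphrase = signing.getPassphrase();
            boolean keyPairGenerated = false;
            if (null == privateKey) {
                privateKey = signing.getCosign().getResolvedPrivateKeyFilePath(context);
                publicKey = privateKey.resolveSibling("cosign.pub");
                if (!Files.exists(privateKey)) {
                    privateKey = cosign.generateKeyPair(passphrase);
                    // Existing signatures cannot match a brand-new key, so validation is skipped below.
                    keyPairGenerated = true;
                }
            }
            // NOTE(review): when a private key file is configured but no public key file is,
            // publicKey stays null and is handed to verifyBlob as-is; confirm Cosign handles
            // that, or require both files to be configured together.
            Path verificationKey = publicKey;
            List<SigningUtils.FilePair> pending = pendingSignatures(context,
                collectArtifacts(context, keyPairGenerated, pair -> isValid(context, cosign, verificationKey, pair)));
            if (pending.isEmpty()) {
                return;
            }
            if (!cosign.checkPassword(privateKey, passphrase)) {
                // NOTE(review): a passphrase mismatch only logs a warning and returns, so the
                // pending files stay unsigned while the caller sees a normal return. Consider
                // failing here if unsigned artifacts must never be published.
                context.getLogger().warn(RB.$("WARN_cosign_password_does_not_match", "cosign"));
                return;
            }
            sign(context, pending, cosign, privateKey, passphrase);
            verify(context, pending, cosign, publicKey);
        } catch (ToolException e) {
            throw new SigningException(e.getMessage(), e);
        }
    }

    /**
     * Signs in-process with the keyring created by the context. Verification of the new
     * signatures only runs when the signing configuration asks for it ({@code isVerify()}).
     */
    private static void bcSign(JReleaserContext context) throws SigningException {
        Keyring keyring = context.createKeyring();
        List<SigningUtils.FilePair> pending = pendingSignatures(context,
            collectArtifacts(context, pair -> SigningUtils.isValid(context.asImmutable(), keyring, pair)));
        if (pending.isEmpty()) {
            return;
        }
        sign(context, keyring, pending);
        if (context.getModel().getSigning().isVerify()) {
            verify(context, keyring, pending);
        }
    }

    /**
     * Reduces the collected candidates to those that still need a signature, logging why
     * nothing is left when the result is empty.
     *
     * @return the pairs flagged invalid; an empty list when there is nothing to sign
     */
    private static List<SigningUtils.FilePair> pendingSignatures(JReleaserContext context, List<SigningUtils.FilePair> candidates) {
        if (candidates.isEmpty()) {
            context.getLogger().info(RB.$("signing.no.match"));
            return candidates;
        }
        List<SigningUtils.FilePair> pending = candidates.stream()
            .filter(SigningUtils.FilePair::isInvalid)
            .collect(Collectors.toList());
        if (pending.isEmpty()) {
            context.getLogger().info(RB.$("signing.up.to.date"));
        }
        return pending;
    }

    /**
     * Verifies every pair against the keyring, falling back to command verification when
     * no keyring is given. The first signature that does not verify aborts with an exception.
     */
    private static void verify(JReleaserContext context, Keyring keyring, List<SigningUtils.FilePair> pairs) throws SigningException {
        if (null == keyring) {
            verify(context, pairs);
            return;
        }
        context.getLogger().debug(RB.$("signing.verify.signatures"), pairs.size());
        for (SigningUtils.FilePair pair : pairs) {
            pair.setValid(verify(context, keyring, pair));
            if (!pair.isValid()) {
                throw verificationFailure(context, pair);
            }
        }
    }

    /**
     * Verifies every pair through {@code SigningUtils.verify}; the first signature that
     * does not verify aborts with an exception.
     */
    private static void verify(JReleaserContext context, List<SigningUtils.FilePair> pairs) throws SigningException {
        context.getLogger().debug(RB.$("signing.verify.signatures"), pairs.size());
        for (SigningUtils.FilePair pair : pairs) {
            pair.setValid(SigningUtils.verify(context.asImmutable(), pair));
            if (!pair.isValid()) {
                throw verificationFailure(context, pair);
            }
        }
    }

    /** Builds the exception reported when a file does not match its signature. */
    private static SigningException verificationFailure(JReleaserContext context, SigningUtils.FilePair pair) {
        return new SigningException(RB.$("ERROR_signing_verify_file",
            context.relativizeToBasedir(pair.getInputFile()),
            context.relativizeToBasedir(pair.getSignatureFile())));
    }

    /**
     * Checks one detached OpenPGP signature against its input file with the keyring's public key.
     *
     * <p>The signature file is parsed defensively: an empty file, or one whose first packet is
     * not a signature list, is reported as a {@link SigningException} instead of escaping as an
     * unchecked {@code NullPointerException}, {@code ClassCastException} or
     * {@code NoSuchElementException}.
     *
     * @return {@code true} when the signature matches the file content
     * @throws SigningException if either file cannot be read or the signature cannot be parsed
     */
    private static boolean verify(JReleaserContext context, Keyring keyring, SigningUtils.FilePair pair) throws SigningException {
        context.getLogger().setPrefix("verify");
        try {
            context.getLogger().debug("{}", context.relativizeToBasedir(pair.getSignatureFile()));
            // Each stream is its own resource so the file handle is released even when
            // wrapping it in the decoder stream fails.
            try (InputStream rawSignature = new BufferedInputStream(Files.newInputStream(pair.getSignatureFile()));
                 InputStream signatureStream = PGPUtil.getDecoderStream(rawSignature);
                 InputStream content = new BufferedInputStream(Files.newInputStream(pair.getInputFile()))) {
                PGPSignature signature = readDetachedSignature(signatureStream, keyring);
                signature.init(new JcaPGPContentVerifierBuilderProvider().setProvider("BC"), keyring.readPublicKey());
                byte[] buffer = new byte[8192];
                int read;
                while ((read = content.read(buffer)) >= 0) {
                    signature.update(buffer, 0, read);
                }
                return signature.verify();
            } catch (IOException | PGPException e) {
                throw new SigningException(RB.$("ERROR_signing_verify_signature",
                    context.relativizeToBasedir(pair.getInputFile())), e);
            }
        } finally {
            context.getLogger().restorePrefix();
        }
    }

    /**
     * Reads the first signature from a decoded signature stream, unwrapping one level of
     * compression when present.
     *
     * @throws PGPException if the stream does not start with a non-empty signature list
     */
    private static PGPSignature readDetachedSignature(InputStream signatureStream, Keyring keyring) throws IOException, PGPException {
        Object packet = new PGPObjectFactory(signatureStream, keyring.getKeyFingerPrintCalculator()).nextObject();
        if (packet instanceof PGPCompressedData) {
            packet = new PGPObjectFactory(((PGPCompressedData) packet).getDataStream(), keyring.getKeyFingerPrintCalculator()).nextObject();
        }
        if (!(packet instanceof Iterable)) {
            throw new PGPException("signature file does not start with an OpenPGP signature list");
        }
        Iterator<?> entries = ((Iterable<?>) packet).iterator();
        if (!entries.hasNext()) {
            throw new PGPException("signature file contains an empty OpenPGP signature list");
        }
        Object entry = entries.next();
        if (!(entry instanceof PGPSignature)) {
            throw new PGPException("signature file does not contain an OpenPGP signature");
        }
        return (PGPSignature) entry;
    }

    /**
     * Signs every pending file with cosign, writing the signatures into the signatures directory.
     *
     * @param privateKey path of the cosign private key
     * @param passphrase passphrase protecting the private key; never logged here
     */
    private static void sign(JReleaserContext context, List<SigningUtils.FilePair> pairs, Cosign cosign, Path privateKey, String passphrase) throws SigningException {
        Path signaturesDirectory = context.getSignaturesDirectory();
        try {
            Files.createDirectories(signaturesDirectory);
            context.getLogger().debug(RB.$("signing.signing.files"), pairs.size(), context.relativizeToBasedir(signaturesDirectory));
            for (SigningUtils.FilePair pair : pairs) {
                cosign.signBlob(privateKey, passphrase, pair.getInputFile(), signaturesDirectory);
            }
        } catch (IOException e) {
            throw new SigningException(RB.$("ERROR_signing_create_signature_dir"), e);
        }
    }

    /**
     * Verifies every freshly written cosign signature against the public key.
     *
     * <p>A pair is marked valid as soon as {@code verifyBlob} returns, so this relies on
     * {@code verifyBlob} signalling a bad signature by throwing (the same assumption
     * {@link #isValid} makes when it catches {@link SigningException}).
     */
    private static void verify(JReleaserContext context, List<SigningUtils.FilePair> pairs, Cosign cosign, Path publicKey) throws SigningException {
        context.getLogger().debug(RB.$("signing.verify.signatures"), pairs.size());
        context.getLogger().setPrefix("verify");
        try {
            for (SigningUtils.FilePair pair : pairs) {
                cosign.verifyBlob(publicKey, pair.getSignatureFile(), pair.getInputFile());
                pair.setValid(true);
                // Kept from the original flow; only reachable if setValid/isValid disagree.
                if (!pair.isValid()) {
                    throw verificationFailure(context, pair);
                }
            }
        } finally {
            context.getLogger().restorePrefix();
        }
    }

    /** Signs every pending file with the external gpg command signer. */
    private static void sign(JReleaserContext context, List<SigningUtils.FilePair> pairs) throws SigningException {
        Path signaturesDirectory = context.getSignaturesDirectory();
        try {
            Files.createDirectories(signaturesDirectory);
            context.getLogger().debug(RB.$("signing.signing.files"), pairs.size(), context.relativizeToBasedir(signaturesDirectory));
            GpgCommandSigner commandSigner = SigningUtils.initCommandSigner(context.asImmutable());
            for (SigningUtils.FilePair pair : pairs) {
                SigningUtils.sign(context.asImmutable(), commandSigner, pair.getInputFile(), pair.getSignatureFile());
            }
        } catch (IOException e) {
            throw new SigningException(RB.$("ERROR_signing_create_signature_dir"), e);
        }
    }

    /** Signs every pending file in-process with a signature generator built from the keyring. */
    private static void sign(JReleaserContext context, Keyring keyring, List<SigningUtils.FilePair> pairs) throws SigningException {
        Path signaturesDirectory = context.getSignaturesDirectory();
        try {
            Files.createDirectories(signaturesDirectory);
            context.getLogger().debug(RB.$("signing.signing.files"), pairs.size(), context.relativizeToBasedir(signaturesDirectory));
            PGPSignatureGenerator signatureGenerator = SigningUtils.initSignatureGenerator(context.asImmutable(), keyring);
            for (SigningUtils.FilePair pair : pairs) {
                SigningUtils.sign(context.asImmutable(), signatureGenerator, pair.getInputFile(), pair.getSignatureFile());
            }
        } catch (IOException e) {
            throw new SigningException(RB.$("ERROR_signing_create_signature_dir"), e);
        }
    }

    /** Collects the candidates and validates each one with {@code validator}. */
    private static List<SigningUtils.FilePair> collectArtifacts(JReleaserContext context, Predicate<SigningUtils.FilePair> validator) {
        return collectArtifacts(context, false, validator);
    }

    /**
     * Collects every file the signing configuration selects (files, distribution artifacts,
     * SBOM catalogs, checksum files) and pairs it with its signature path.
     *
     * <p>NOTE(review): the signature name is built from the input's file name alone, so two
     * inputs with the same file name in different directories map to the same signature file.
     *
     * @param skipValidation when {@code true} the validator is not consulted and each pair
     *                       keeps its initial validity state
     * @param validator decides whether an existing signature is still valid
     * @return the candidate pairs, in collection order
     */
    private static List<SigningUtils.FilePair> collectArtifacts(JReleaserContext context, boolean skipValidation, Predicate<SigningUtils.FilePair> validator) {
        List<SigningUtils.FilePair> pairs = new ArrayList<>();
        org.jreleaser.model.internal.signing.Signing signing = context.getModel().getSigning();
        Path signaturesDirectory = context.getSignaturesDirectory();
        // cosign always writes ".sig"; the OpenPGP modes use ".asc" for armored output.
        String extension = signing.getMode() != Signing.Mode.COSIGN && signing.isArmored() ? ".asc" : ".sig";

        if (signing.isFiles()) {
            for (Artifact artifact : Artifacts.resolveFiles(context)) {
                if (!artifact.isActiveAndSelected() || artifact.extraPropertyIsTrue("skipSigning")) {
                    continue;
                }
                // An optional artifact that was not produced is skipped.
                if (artifact.isOptional(context) && !artifact.resolvedPathExists()) {
                    continue;
                }
                addPair(pairs, artifact.getEffectivePath(context), signaturesDirectory, extension, skipValidation, validator);
            }
        }

        if (signing.isArtifacts()) {
            for (Distribution distribution : context.getModel().getActiveDistributions()) {
                if (distribution.extraPropertyIsTrue("skipSigning")) {
                    continue;
                }
                for (Artifact artifact : distribution.getArtifacts()) {
                    if (!artifact.isActiveAndSelected() || artifact.extraPropertyIsTrue("skipSigning")) {
                        continue;
                    }
                    // The path is resolved before the optional check, as in the original flow.
                    Path input = artifact.getEffectivePath(context, distribution);
                    if (artifact.isOptional(context) && !artifact.resolvedPathExists()) {
                        continue;
                    }
                    addPair(pairs, input, signaturesDirectory, extension, skipValidation, validator);
                }
            }
        }

        if (signing.isCatalogs()) {
            for (SbomCataloger cataloger : context.getModel().getCatalog().getSbom().findAllActiveSbomCatalogers()) {
                if (!cataloger.getPack().isEnabled()) {
                    continue;
                }
                for (Object resolved : SbomCatalogerProcessorHelper.resolveArtifacts(context, cataloger)) {
                    Path input = ((Artifact) resolved).getEffectivePath(context);
                    addPair(pairs, input, signaturesDirectory, extension, skipValidation, validator);
                }
            }
        }

        if (signing.isChecksums()) {
            for (Object algorithm : context.getModel().getChecksum().getAlgorithms()) {
                Path checksumFile = context.getChecksumsDirectory()
                    .resolve(context.getModel().getChecksum().getResolvedName(context, (Algorithm) algorithm));
                if (Files.exists(checksumFile)) {
                    addPair(pairs, checksumFile, signaturesDirectory, extension, skipValidation, validator);
                }
            }
        }
        return pairs;
    }

    /** Pairs {@code input} with its signature path, validates it unless skipped, and records it. */
    private static void addPair(List<SigningUtils.FilePair> pairs, Path input, Path signaturesDirectory, String extension, boolean skipValidation, Predicate<SigningUtils.FilePair> validator) {
        SigningUtils.FilePair pair = new SigningUtils.FilePair(input,
            signaturesDirectory.resolve(input.getFileName().toString().concat(extension)));
        if (!skipValidation) {
            pair.setValid(validator.test(pair));
        }
        pairs.add(pair);
    }

    /**
     * Decides whether an existing cosign signature can be reused.
     *
     * <p>The signature must exist, must not be older than the input file, and must verify
     * against the public key. The timestamp comparison is only a shortcut; the
     * {@code verifyBlob} call is what establishes validity.
     *
     * @param publicKey public key handed to {@code verifyBlob}
     * @return {@code true} only when the existing signature verifies
     */
    public static boolean isValid(JReleaserContext context, Cosign cosign, Path publicKey, SigningUtils.FilePair pair) {
        if (Files.notExists(pair.getSignatureFile())) {
            context.getLogger().debug(RB.$("signing.signature.not.exist"), context.relativizeToBasedir(pair.getSignatureFile()));
            return false;
        }
        if (pair.getInputFile().toFile().lastModified() > pair.getSignatureFile().toFile().lastModified()) {
            context.getLogger().debug(RB.$("signing.file.newer"),
                context.relativizeToBasedir(pair.getInputFile()),
                context.relativizeToBasedir(pair.getSignatureFile()));
            return false;
        }
        try {
            cosign.verifyBlob(publicKey, pair.getSignatureFile(), pair.getInputFile());
            return true;
        } catch (SigningException ignored) {
            // A signature that does not verify is simply stale: the file gets signed again.
            return false;
        }
    }
}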
