package dev.sigstore.plugin;

import dev.sigstore.ImmutableSigstoreRequest;
import dev.sigstore.SigstoreRequest;
import dev.sigstore.SigstoreResult;
import dev.sigstore.SigstoreSigner;
import dev.sigstore.pgp.ImmutablePgpSigningRequest;
import dev.sigstore.pgp.PgpSigner;
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyPair;
import java.security.cert.CertPath;
import java.util.ArrayList;
import java.util.List;
import javax.inject.Inject;
import org.apache.maven.artifact.Artifact;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.project.MavenProject;
import org.apache.maven.project.MavenProjectHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

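/**
 * Maven goal {@code sign}: signs the project's files with Sigstore and, optionally, with PGP.
 *
 * <p>The files to sign are the main artifact (skipped for {@code pom} packaging), a copy of the
 * POM placed in the build directory, and every attached artifact. For each of them an X.509
 * signature ({@code <ext>.sig}) and the signing certificate ({@code <ext>.pem}) are attached to
 * the project. When {@code mavenPgpSignatures} is set, each signed file and its two Sigstore
 * outputs additionally get a PGP signature ({@code <ext>.asc}).
 *
 * <p>NOTE(review): if the main artifact has no file, the goal logs at INFO and returns without
 * signing anything, so the build still succeeds. A release pipeline should check that the
 * expected signature files exist before publishing.
 */
@Mojo(name = "sign", threadSafe = true)
public class SignMojo extends AbstractMojo {
    /** Suffix appended to a file's extension to form the type of its PGP signature. */
    public static final String PGP_SIGNATURE_EXTENSION = ".asc";
    /** Suffix appended to a file's extension to form the type of its Sigstore signature. */
    public static final String X509_SIGNATURE_EXTENSION = ".sig";
    /** Suffix appended to a file's extension to form the type of its signing certificate. */
    public static final String X509_CERTIFICATE_EXTENSION = ".pem";
    private static final Logger logger = LoggerFactory.getLogger(SignMojo.class);
    private final MavenProjectHelper projectHelper;

    /** The project whose artifacts are signed; injected by Maven. */
    @Parameter(defaultValue = "${project}", readonly = true, required = true)
    private MavenProject project;

    /** When {@code true}, PGP signatures are produced in addition to the Sigstore ones. */
    @Parameter(property = "mavenPgpSignatures")
    private boolean mavenPgpSignatures;

    // NOTE(review): declared but never handed to PgpSigner, which is built from an empty
    // request in execute(); where the signer gets its key material is not visible in this class.
    // A passphrase given as -DpgpPassphrase ends up in the process list and shell history, so
    // supply it from protected build configuration instead if it is ever wired in.
    @Parameter(property = "pgpPassphrase")
    private String pgpPassphrase;

    // NOTE(review): none of the parameters from signerName down to tsaURL is read anywhere in
    // this class. The Sigstore request built in signWithSigstore() sets only the key pair,
    // certificate, artifact and type, so overriding the Fulcio, Rekor, OIDC or TSA endpoints has
    // no visible effect here; signing presumably uses whatever the request builder defaults to
    // (confirm against SigstoreRequest). That matters for builds meant to stay on a private
    // deployment, because the defaults shown below are the public sigstore.dev services.
    @Parameter(defaultValue = "sigstore", property = "signer-name", required = true)
    private String signerName;

    @Parameter(defaultValue = "EC", property = "signing-algorithm", required = true)
    private String signingAlgorithm;

    @Parameter(defaultValue = "secp256r1", property = "signing-algorithm-spec", required = true)
    private String signingAlgorithmSpec;

    @Parameter(defaultValue = "https://fulcio.sigstore.dev", property = "fulcio-instance-url", required = true)
    private URL fulcioInstanceURL;

    @Parameter(defaultValue = "false", property = "oidc-device-code", required = true)
    private boolean oidcDeviceCodeFlow;

    @Parameter(defaultValue = "sigstore", property = "oidc-client-id", required = true)
    private String oidcClientID;

    @Parameter(defaultValue = "https://oauth2.sigstore.dev/auth/auth", property = "oidc-auth-url", required = true)
    private URL oidcAuthURL;

    @Parameter(defaultValue = "https://oauth2.sigstore.dev/auth/token", property = "oidc-token-url", required = true)
    private URL oidcTokenURL;

    @Parameter(defaultValue = "https://oauth2.sigstore.dev/auth/device/code", property = "oidc-device-code-url", required = true)
    private URL oidcDeviceCodeURL;

    @Parameter(defaultValue = "https://rekor.sigstore.dev", property = "rekor-instance-url", required = true)
    private URL rekorInstanceURL;

    @Parameter(property = "emailAddress")
    private String emailAddress;

    @Parameter(defaultValue = "https://rekor.sigstore.dev/api/v1/timestamp", property = "tsa-url", required = true)
    private URL tsaURL;

    /**
     * Creates the mojo.
     *
     * @param mavenProjectHelper helper used to attach the generated signature and certificate
     *     files to the project
     */
    @Inject
    public SignMojo(MavenProjectHelper mavenProjectHelper) {
        this.projectHelper = mavenProjectHelper;
    }

    /**
     * Signs the main artifact, the POM copy and all attached artifacts, and attaches the results.
     *
     * @throws MojoExecutionException if the POM cannot be copied, an attached artifact has no
     *     file, or any Sigstore or PGP signing step fails
     */
    public void execute() throws MojoExecutionException {
        // Built up front, as before, so a signer that cannot be constructed fails the goal early.
        PgpSigner pgpSigner = new PgpSigner(ImmutablePgpSigningRequest.builder().build());

        List<SignedFile> filesToSign = new ArrayList<>();
        if (!"pom".equals(this.project.getPackaging())) {
            Artifact mainArtifact = this.project.getArtifact();
            File mainFile = mainArtifact.getFile();
            if (mainFile == null) {
                // Fail-open: nothing is signed and the build continues (see the class comment).
                logger.info("There is no artifact present. Make sure you run this after the package phase.");
                return;
            }
            filesToSign.add(new SignedFile(mainFile.toPath(), mainArtifact.getArtifactHandler().getExtension()));
        }

        filesToSign.add(new SignedFile(stagePomForSigning(), "pom"));

        for (Artifact attached : this.project.getAttachedArtifacts()) {
            File attachedFile = attached.getFile();
            if (attachedFile == null) {
                // Previously a bare NullPointerException; fail with a message naming the artifact.
                throw new MojoExecutionException("Attached artifact " + attached + " has no file to sign.");
            }
            filesToSign.add(new SignedFile(attachedFile.toPath(), attached.getArtifactHandler().getExtension(), attached.getClassifier()));
        }

        List<SignedFile> sigstoreOutputs = signWithSigstore(filesToSign);
        signWithPgp(pgpSigner, sigstoreOutputs);
    }

    /**
     * Copies the project's POM to {@code <build directory>/<finalName>.pom}, replacing any
     * existing file, and returns the path of the copy. The copy is what gets signed.
     */
    private Path stagePomForSigning() throws MojoExecutionException {
        File pomCopy = new File(this.project.getBuild().getDirectory(), this.project.getBuild().getFinalName() + ".pom");
        try {
            Files.createDirectories(pomCopy.getParentFile().toPath());
            Files.copy(this.project.getFile().toPath(), pomCopy.toPath(), StandardCopyOption.REPLACE_EXISTING);
        } catch (IOException e) {
            throw new MojoExecutionException("Error copying POM for signing.", e);
        }
        return pomCopy.toPath();
    }

    /**
     * Signs each file with Sigstore and attaches its signature and certificate to the project.
     *
     * @return every input file followed by its signature and certificate entries, in order
     */
    private List<SignedFile> signWithSigstore(List<SignedFile> filesToSign) throws MojoExecutionException {
        logger.debug("Signing the following files sigstore:");
        for (SignedFile candidate : filesToSign) {
            logger.debug("{}", candidate);
        }

        // Both start as null for the first file and are then taken from the previous result,
        // presumably so one key pair and one certificate cover the whole build; confirm against
        // SigstoreSigner.
        KeyPair keyPair = null;
        CertPath certPath = null;
        List<SignedFile> outputs = new ArrayList<>();
        for (SignedFile target : filesToSign) {
            try {
                ImmutableSigstoreRequest request = ImmutableSigstoreRequest.builder().keyPair(keyPair).signingCert(certPath).artifact(target.file()).type(SigstoreRequest.Type.X_509).build();
                SigstoreResult result = new SigstoreSigner(request).sign();
                String signatureType = target.extension() + X509_SIGNATURE_EXTENSION;
                String certificateType = target.extension() + X509_CERTIFICATE_EXTENSION;

                outputs.add(target);
                // The attached file comes from the result while the recorded entry uses the
                // request's path; this assumes both name the same file (TODO confirm).
                this.projectHelper.attachArtifact(this.project, signatureType, target.classifier(), result.artifactSignature().toFile());
                outputs.add(new SignedFile(request.artifactSignature(), signatureType, target.classifier()));
                this.projectHelper.attachArtifact(this.project, certificateType, target.classifier(), result.signingCertificate().toFile());
                outputs.add(new SignedFile(request.outputSigningCert(), certificateType, target.classifier()));

                keyPair = result.keyPair();
                certPath = result.signingCert();
            } catch (Exception e) {
                // Any failure aborts the build, so a partially signed artifact set is never published.
                throw new MojoExecutionException(String.format("Error signing Maven file %s with Sigstore.", target), e);
            }
        }
        return outputs;
    }

    /**
     * Attaches a PGP signature for every given file when {@code mavenPgpSignatures} is set.
     * The list includes the Sigstore signature and certificate files, so those are signed too.
     */
    private void signWithPgp(PgpSigner pgpSigner, List<SignedFile> files) throws MojoExecutionException {
        logger.debug("Signing the following files with PGP:");
        for (SignedFile candidate : files) {
            logger.debug("{}", candidate);
        }
        if (!this.mavenPgpSignatures) {
            return;
        }
        for (SignedFile target : files) {
            Path path = target.file();
            try {
                this.projectHelper.attachArtifact(this.project, target.extension() + PGP_SIGNATURE_EXTENSION, target.classifier(), pgpSigner.sign(path.toFile()));
            } catch (Exception e) {
                throw new MojoExecutionException("Error signing artifact " + path + ".", e);
            }
        }
    }
}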
