package org.jreleaser.engine.sign;

import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.security.Security;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Collectors;
import org.bouncycastle.bcpg.ArmoredOutputStream;
import org.bouncycastle.bcpg.BCPGOutputStream;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.PGPCompressedData;
import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPObjectFactory;
import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureGenerator;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;
import org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder;
import org.jreleaser.model.Artifact;
import org.jreleaser.model.Distribution;
import org.jreleaser.model.JReleaserContext;
import org.jreleaser.model.Signing;
import org.jreleaser.model.util.Artifacts;
import org.jreleaser.util.Algorithm;
import org.jreleaser.util.signing.Keyring;
import org.jreleaser.util.signing.SigningException;

/* loaded from: input_file:org/jreleaser/engine/sign/Signer.class */
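/**
 * Creates detached OpenPGP signatures for release files and verifies them with Bouncy Castle.
 *
 * <p>The public entry point is {@link #sign(JReleaserContext)}. It collects the files selected
 * by the signing configuration, skips those whose signature on disk is still valid, signs the
 * rest, and then verifies every signature it just wrote.
 *
 * <p>Loading this class replaces any JVM-wide security provider registered under the name
 * {@code "BC"} with a fresh {@link BouncyCastleProvider} (see the static initializer).
 */
public class Signer {
    /** Name under which the Bouncy Castle provider is registered and looked up. */
    private static final String BC_PROVIDER = "BC";

    /** Chunk size used when feeding file contents into the signature digest. */
    private static final int BUFFER_SIZE = 8192;

    static {
        // Process-wide side effect: any provider already registered as "BC" is dropped and
        // replaced with the Bouncy Castle version on this class path.
        Security.removeProvider(BC_PROVIDER);
        Security.setProperty("crypto.policy", "unlimited");
        Security.addProvider(new BouncyCastleProvider());
    }

    /**
     * An input file, the path of its detached signature, and whether that signature currently
     * verifies.
     *
     * <p>Decompiler note: the access modifier of this class was widened from {@code private}.
     */
    public static class FilePair {
        private final Path inputFile;
        private final Path signatureFile;
        // Starts out false; set from the result of a verification pass.
        private boolean valid;

        private FilePair(Path inputFile, Path signatureFile) {
            this.inputFile = inputFile;
            this.signatureFile = signatureFile;
        }

        /** @return the file whose contents are signed */
        public Path getInputFile() {
            return this.inputFile;
        }

        /** @return the location of the detached signature */
        public Path getSignatureFile() {
            return this.signatureFile;
        }

        /** @return {@code true} if the last verification of this pair succeeded */
        public boolean isValid() {
            return this.valid;
        }

        /** @param valid outcome of the most recent verification */
        public void setValid(boolean valid) {
            this.valid = valid;
        }

        /** @return the negation of {@link #isValid()} */
        public boolean isInvalid() {
            return !this.valid;
        }
    }

    /**
     * Signs every configured file that lacks an up-to-date, valid signature and verifies the
     * result.
     *
     * <p>Logger prefix and indentation are restored on every exit path, including failures.
     *
     * @param jReleaserContext release context supplying configuration, logger and keyring
     * @throws SigningException if signing fails or a freshly written signature does not verify
     */
    public static void sign(JReleaserContext jReleaserContext) throws SigningException {
        jReleaserContext.getLogger().info("Signing files");
        if (!jReleaserContext.getModel().getSigning().isEnabled()) {
            jReleaserContext.getLogger().info("Signing is not enabled. Skipping");
            return;
        }
        jReleaserContext.getLogger().increaseIndent();
        jReleaserContext.getLogger().setPrefix("sign");
        try {
            Keyring keyring = jReleaserContext.createKeyring();
            List<FilePair> candidates = collectArtifacts(jReleaserContext, keyring);
            if (candidates.isEmpty()) {
                jReleaserContext.getLogger().info("No files configured for signing. Skipping");
                return;
            }
            List<FilePair> pending = candidates.stream()
                .filter(FilePair::isInvalid)
                .collect(Collectors.toList());
            if (pending.isEmpty()) {
                jReleaserContext.getLogger().info("All signatures are up-to-date and valid. Skipping");
                return;
            }
            sign(jReleaserContext, keyring, pending);
            // Read back what was just written: a signature that does not verify with the
            // keyring's public key must fail the release rather than be published.
            verify(jReleaserContext, keyring, pending);
        } finally {
            // Previously skipped when signing or verification threw, leaving the logger
            // with a stale prefix and indent.
            jReleaserContext.getLogger().restorePrefix();
            jReleaserContext.getLogger().decreaseIndent();
        }
    }

    /**
     * Verifies each pair and stops at the first signature that does not verify.
     *
     * @throws SigningException if a signature cannot be read or does not match its file
     */
    private static void verify(JReleaserContext context, Keyring keyring, List<FilePair> pairs) throws SigningException {
        context.getLogger().debug("verifying {} signatures", new Object[]{pairs.size()});
        for (FilePair pair : pairs) {
            pair.setValid(verify(context, keyring, pair));
            if (!pair.isValid()) {
                throw new SigningException("Could not verify file " + context.relativizeToBasedir(pair.inputFile) + " with signature " + context.relativizeToBasedir(pair.signatureFile));
            }
        }
    }

    /**
     * Checks the detached signature of one file against the keyring's public key.
     *
     * <p>Only the first signature found in the signature file is checked.
     *
     * @return {@code true} if the signature matches the file contents
     * @throws SigningException if either file cannot be read or the signature file does not
     *     contain a parseable OpenPGP signature
     */
    private static boolean verify(JReleaserContext context, Keyring keyring, FilePair filePair) throws SigningException {
        context.getLogger().setPrefix("verify");
        try {
            context.getLogger().debug("{}", new Object[]{context.relativizeToBasedir(filePair.signatureFile)});
            // try-with-resources: the original closed both streams only on the success path.
            try (InputStream rawSignature = new BufferedInputStream(new FileInputStream(filePair.signatureFile.toFile()));
                 InputStream decoded = PGPUtil.getDecoderStream(rawSignature)) {
                PGPSignature signature = readFirstSignature(context, keyring, decoded, filePair);
                signature.init(new JcaPGPContentVerifierBuilderProvider().setProvider(BC_PROVIDER), keyring.readPublicKey());
                try (InputStream data = new BufferedInputStream(new FileInputStream(filePair.inputFile.toFile()))) {
                    byte[] buffer = new byte[BUFFER_SIZE];
                    int count;
                    while ((count = data.read(buffer)) >= 0) {
                        signature.update(buffer, 0, count);
                    }
                }
                return signature.verify();
            }
        } catch (IOException | PGPException e) {
            throw new SigningException("Error when verifying signature of " + context.relativizeToBasedir(filePair.inputFile), e);
        } finally {
            context.getLogger().restorePrefix();
        }
    }

    /**
     * Parses the first OpenPGP signature from an already de-armored signature stream,
     * unwrapping one compressed-data packet if present.
     *
     * <p>An empty, truncated or foreign file used to surface as a
     * {@code NullPointerException}, {@code ClassCastException} or
     * {@code NoSuchElementException}, none of which the up-to-date check catches. It is now
     * reported as a {@link SigningException}, so a damaged signature is treated as invalid and
     * regenerated instead of aborting the run.
     */
    private static PGPSignature readFirstSignature(JReleaserContext context, Keyring keyring, InputStream decoded, FilePair filePair) throws IOException, PGPException, SigningException {
        Object packet = new PGPObjectFactory(decoded, keyring.getKeyFingerPrintCalculator()).nextObject();
        if (packet instanceof PGPCompressedData) {
            packet = new PGPObjectFactory(((PGPCompressedData) packet).getDataStream(), keyring.getKeyFingerPrintCalculator()).nextObject();
        }
        if (packet instanceof Iterable) {
            Iterator<?> entries = ((Iterable<?>) packet).iterator();
            if (entries.hasNext()) {
                Object first = entries.next();
                if (first instanceof PGPSignature) {
                    return (PGPSignature) first;
                }
            }
        }
        throw new SigningException("No OpenPGP signature found in " + context.relativizeToBasedir(filePair.signatureFile));
    }

    /**
     * Creates the signatures directory and signs every pair in {@code pairs}.
     *
     * @throws SigningException if the directory cannot be created or any file fails to sign
     */
    private static void sign(JReleaserContext context, Keyring keyring, List<FilePair> pairs) throws SigningException {
        Path signaturesDirectory = context.getSignaturesDirectory();
        try {
            Files.createDirectories(signaturesDirectory);
            context.getLogger().debug("signing {} files into {}", new Object[]{pairs.size(), context.relativizeToBasedir(signaturesDirectory)});
            // NOTE(review): one generator instance is reused for every file; this relies on
            // generate() leaving it ready for the next file. Confirm against the Bouncy
            // Castle version in use.
            PGPSignatureGenerator generator = initSignatureGenerator(context.getModel().getSigning(), keyring);
            for (FilePair pair : pairs) {
                sign(context, generator, pair.inputFile, pair.signatureFile);
            }
        } catch (IOException e) {
            throw new SigningException("Could not create signatures directory", e);
        }
    }

    /**
     * Unlocks the secret key with the configured passphrase and prepares a generator for
     * binary-document signatures.
     *
     * @throws SigningException if the key cannot be unlocked or the generator cannot be set up
     */
    private static PGPSignatureGenerator initSignatureGenerator(Signing signing, Keyring keyring) throws SigningException {
        try {
            PGPSecretKey secretKey = keyring.getSecretKey();
            // NOTE(review): the passphrase arrives as a String, so it stays on the heap for
            // as long as that String is reachable; clearing the char[] copy alone would not
            // remove it from memory.
            PGPPrivateKey privateKey = secretKey.extractPrivateKey(
                new JcePBESecretKeyDecryptorBuilder()
                    .setProvider(BC_PROVIDER)
                    .build(signing.getResolvedPassphrase().toCharArray()));
            // The digest was hash algorithm id 2 (SHA-1), which is no longer
            // collision-resistant; new signatures are made over SHA-256. Signatures already
            // on disk are not affected by this change and are only regenerated when the
            // up-to-date check rejects them.
            PGPSignatureGenerator generator = new PGPSignatureGenerator(
                new JcaPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA256)
                    .setProvider(BC_PROVIDER));
            generator.init(PGPSignature.BINARY_DOCUMENT, privateKey);
            return generator;
        } catch (PGPException e) {
            throw new SigningException("Unexpected error when initializing signature generator", e);
        }
    }

    /**
     * Writes a detached signature of {@code inputFile} to {@code signatureFile}, ASCII-armored
     * when the signing configuration asks for it.
     *
     * @throws SigningException if either file cannot be accessed or signing fails
     */
    private static void sign(JReleaserContext context, PGPSignatureGenerator generator, Path inputFile, Path signatureFile) throws SigningException {
        try {
            context.getLogger().info("{}", new Object[]{context.relativizeToBasedir(inputFile)});
            boolean armored = context.getModel().getSigning().isArmored();
            // The file stream is its own resource so the descriptor is released even when
            // signing fails or the armoring wrapper is in use; the input is buffered and read
            // in chunks instead of one unbuffered byte at a time.
            try (OutputStream fileOut = new BufferedOutputStream(new FileOutputStream(signatureFile.toFile()));
                 InputStream data = new BufferedInputStream(new FileInputStream(inputFile.toFile()))) {
                OutputStream target = armored ? new ArmoredOutputStream(fileOut) : fileOut;
                PGPCompressedDataGenerator compressor = new PGPCompressedDataGenerator(PGPCompressedData.UNCOMPRESSED);
                BCPGOutputStream packetOut = new BCPGOutputStream(compressor.open(target));
                byte[] buffer = new byte[BUFFER_SIZE];
                int count;
                while ((count = data.read(buffer)) >= 0) {
                    generator.update(buffer, 0, count);
                }
                generator.generate().encode(packetOut);
                compressor.close();
                if (target != fileOut) {
                    // Closing the armoring wrapper completes the armored output; the file
                    // stream itself is closed by try-with-resources.
                    target.close();
                }
            }
        } catch (IOException | PGPException e) {
            throw new SigningException("Unexpected error when signing " + inputFile.toAbsolutePath(), e);
        }
    }

    /**
     * Builds the list of files to sign from the three configured sources: plain files,
     * distribution artifacts, and checksum files that exist on disk. Items flagged with the
     * {@code skipSigning} extra property are left out.
     *
     * <p>NOTE(review): the signature path is derived from the input's file name only, so two
     * inputs with the same file name in different directories map to the same signature file.
     *
     * @return one pair per selected file, each already marked valid or invalid
     */
    private static List<FilePair> collectArtifacts(JReleaserContext context, Keyring keyring) {
        List<FilePair> pairs = new ArrayList<>();
        Path signaturesDirectory = context.getSignaturesDirectory();
        String extension = context.getModel().getSigning().isArmored() ? ".asc" : ".sig";

        if (context.getModel().getSigning().isFiles()) {
            for (Artifact artifact : Artifacts.resolveFiles(context)) {
                if (artifact.isActive() && !artifact.extraPropertyIsTrue("skipSigning")) {
                    pairs.add(newPair(context, keyring, signaturesDirectory, artifact.getEffectivePath(context), extension));
                }
            }
        }

        if (context.getModel().getSigning().isArtifacts()) {
            for (Distribution distribution : context.getModel().getActiveDistributions()) {
                if (distribution.extraPropertyIsTrue("skipSigning")) {
                    continue;
                }
                for (Artifact artifact : distribution.getArtifacts()) {
                    if (artifact.isActive() && !artifact.extraPropertyIsTrue("skipSigning")) {
                        pairs.add(newPair(context, keyring, signaturesDirectory, artifact.getEffectivePath(context, distribution), extension));
                    }
                }
            }
        }

        if (context.getModel().getSigning().isChecksums()) {
            for (Object algorithm : context.getModel().getChecksum().getAlgorithms()) {
                Path checksums = context.getChecksumsDirectory()
                    .resolve(context.getModel().getChecksum().getResolvedName(context, (Algorithm) algorithm));
                if (Files.exists(checksums)) {
                    pairs.add(newPair(context, keyring, signaturesDirectory, checksums, extension));
                }
            }
        }
        return pairs;
    }

    /** Pairs {@code input} with its signature path and records whether that signature is current. */
    private static FilePair newPair(JReleaserContext context, Keyring keyring, Path signaturesDirectory, Path input, String extension) {
        Path signature = signaturesDirectory.resolve(input.getFileName().toString().concat(extension));
        FilePair pair = new FilePair(input, signature);
        pair.setValid(isValid(context, keyring, pair));
        return pair;
    }

    /**
     * Decides whether the signature on disk can be kept: it must exist, must not be older than
     * the input file, and must verify.
     *
     * @return {@code false} whenever the signature is missing, stale, unreadable or wrong
     */
    private static boolean isValid(JReleaserContext context, Keyring keyring, FilePair filePair) {
        if (Files.notExists(filePair.getSignatureFile())) {
            context.getLogger().debug("signature does not exist: {}", new Object[]{context.relativizeToBasedir(filePair.getSignatureFile())});
            return false;
        }
        // The modification-time comparison is a cheap pre-filter; the cryptographic check
        // below is what decides whether an existing signature is kept.
        if (filePair.inputFile.toFile().lastModified() > filePair.signatureFile.toFile().lastModified()) {
            context.getLogger().debug("{} is newer than {}", new Object[]{context.relativizeToBasedir(filePair.inputFile), context.relativizeToBasedir(filePair.signatureFile)});
            return false;
        }
        try {
            return verify(context, keyring, filePair);
        } catch (SigningException e) {
            // Deliberately not fatal: an unverifiable signature is simply regenerated. The
            // reason is logged so a recurring failure stays visible.
            context.getLogger().debug("signature could not be verified: {} ({})", new Object[]{context.relativizeToBasedir(filePair.signatureFile), e.getMessage()});
            return false;
        }
    }

    /**
     * Deletes the files directly inside {@code path} and then the directory itself. This is
     * not recursive, and failed deletions are ignored.
     */
    private static void deleteDirectory(Path path) {
        File directory = path.toFile();
        if (!directory.exists()) {
            return;
        }
        // listFiles() returns null when the path is not a directory or cannot be listed.
        File[] children = directory.listFiles();
        if (children != null) {
            for (File child : children) {
                child.delete();
            }
        }
        directory.delete();
    }
}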
