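# Demo pipeline: build a JAR, have SignServer sign it with the JArchiveSigner
# worker, then check the signature with jarsigner. Started manually only.
name: demo-signserver

on:
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the only repository access a visible step
# needs is the read done by actions/checkout.
# NOTE(review): assumes the signing action needs no further token scopes;
# confirm against its documentation.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./HelloWorld
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # NOTE(review): javac is called without -d, yet the next step packages
      # out/production/HelloWorld. Presumably that directory is already in the
      # repository; confirm the JAR really holds the freshly compiled classes.
      - name: Compile
        run: javac src/com/example/helloworld/*.java

      - name: Create Jar
        run: |
          jar cf HelloWorld.jar -C out/production/HelloWorld .
          mv *.jar out/artifacts/HelloWorld_jar/

      - name: Upload Jar
        uses: actions/upload-artifact@v4
        with:
          name: HelloWorld.jar
          path: ${{ github.workspace }}/HelloWorld/out/artifacts/HelloWorld_jar/HelloWorld.jar
          retention-days: 1

  sign:
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: Download artifact from Build-Java
        uses: actions/download-artifact@v4
        with:
          name: HelloWorld.jar

      # The client keystore arrives base64-encoded in a secret. The value is
      # passed through env and quoted so the shell cannot word-split or glob
      # it, and the umask keeps the decoded .p12 readable by the runner user
      # only.
      - name: Download SignServer Client Cert
        run: |
          umask 077
          printf '%s' "$SIGNSERVER_CLIENT_CERT" | base64 -d > "$GITHUB_WORKSPACE/client-cert.p12"
        env:
          SIGNSERVER_CLIENT_CERT: ${{ secrets.SIGNSERVER_CLIENT_CERT }}

      # This third-party action receives the client keystore and its password.
      # A tag such as v1.0.0 can be moved by the action's owner; pin it to a
      # reviewed full commit SHA instead (uses: OWNER/REPO@<full-commit-sha>).
      - name: SignServer Signing
        uses: Keyfactor/signserver-signing-action@v1.0.0
        with:
          endpoint: ${{ secrets.SIGNSERVER_URL }}
          file-path: ${{ github.workspace }}/HelloWorld.jar
          worker-name: JArchiveSigner
          worker-type: JArchiveSigner
          client-cert: ${{ github.workspace }}/client-cert.p12
          password: ${{ secrets.SIGNSERVER_CLIENT_CRED }}

  verify:
    runs-on: ubuntu-latest
    needs: sign
    steps:
      # NOTE(review): no step visible in this workflow uploads an artifact
      # named signed-input.jar; presumably the signing action publishes it.
      # Confirm, otherwise this download fails.
      - name: Download Signed JAR
        uses: actions/download-artifact@v4
        with:
          name: signed-input.jar

      # jarsigner -verify reports an unsigned JAR without a failing exit code,
      # so the step also requires the "jar verified" line in the output.
      # This proves the JAR is signed and intact, not WHO signed it: to bind
      # it to the expected signer, verify against a keystore that holds only
      # the trusted certificate (-keystore) and consider -strict.
      - name: Verify JAR
        # An explicit bash shell runs with pipefail, so a jarsigner failure
        # is not masked by tee.
        shell: bash
        run: |
          jarsigner -verify -verbose "$GITHUB_WORKSPACE/signed-input.jar" | tee verify.log
          if ! grep -q 'jar verified' verify.log; then
            echo "::error::signed-input.jar is not signed or failed verification"
            exit 1
          fi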