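#!/bin/sh
# From: http://users.wfu.edu/cottrell/productsign/productsign_linux.html
#
# Sign the xar package given as $1 using xar's external-signature flow:
# xar emits the digest to sign, openssl signs it with the private key, and
# xar injects the resulting signature back into the archive.
#
# Usage: <this script> PKG
#
# Reads from the current directory:
#   leap-developer-id-installer.key.p12   PKCS#12 bundle holding the key
#   certs/cert00, certs/cert01, certs/cert02   certificate chain for xar
#
# Security: the private key is written to disk UNENCRYPTED for the duration
# of the run. It is therefore kept in a private mktemp directory (mode 0700,
# files 0600 via umask) that is removed on every exit path, instead of a
# predictable, world-readable ./tmp that would survive a failed run.

set -eu

if [ "$#" -lt 1 ] || [ -z "$1" ]; then
  printf 'usage: %s PKG\n' "$0" >&2
  exit 2
fi
PKG=$1

if [ ! -f "$PKG" ]; then
  printf '%s: no such package file: %s\n' "$0" "$PKG" >&2
  exit 1
fi

# Everything created below (key, digest, signature) is owner-only.
umask 077

workdir=
cleanup() {
  if [ -n "$workdir" ]; then
    rm -rf -- "$workdir"
  fi
}
# EXIT covers normal and `set -e` exits; the signal trap turns HUP/INT/TERM
# into an exit so the decrypted key is removed in that case as well.
trap cleanup EXIT
trap 'exit 1' HUP INT TERM

workdir=$(mktemp -d "${TMPDIR:-/tmp}/productsign.XXXXXX")

# extract the private key from the .p12 bundle (requires passphrase)
openssl pkcs12 -in leap-developer-id-installer.key.p12 -nodes \
  | openssl rsa -out "$workdir/key.pem"

# determine the size of the signature by signing empty input
siglen=$(: | openssl dgst -sign "$workdir/key.pem" -binary | wc -c | tr -d '[:space:]')
case $siglen in
  '' | 0 | *[!0-9]*)
    # A failed dgst leaves wc reporting 0; do not hand xar a bogus size.
    printf '%s: could not determine signature size\n' "$0" >&2
    exit 1
    ;;
esac

# prepare data for signing -- may have to adjust depending
# on the contents of the certs subdir in your case
xar --sign -f "$PKG" --digestinfo-to-sign "$workdir/digestinfo.dat" \
  --sig-size "$siglen" \
  --cert-loc certs/cert00 \
  --cert-loc certs/cert01 \
  --cert-loc certs/cert02

# create the signature
# NOTE(review): `openssl rsautl` is deprecated as of OpenSSL 3.0 in favour of
# `openssl pkeyutl`; kept as-is here to preserve the recipe's behaviour.
openssl rsautl -sign -inkey "$workdir/key.pem" -in "$workdir/digestinfo.dat" \
  -out "$workdir/signature.dat"

# stuff it into the archive
xar --inject-sig "$workdir/signature.dat" -f "$PKG"

# clean-up of $workdir (including the decrypted key) happens in the EXIT trap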