#!/bin/bash
set -euo pipefail

DIR="$(cd "$(dirname "$0")" && pwd)"

echo "=== 生成 ECDSA P-256 密钥对 ==="

# 生成私钥
openssl ecparam -genkey -name prime256v1 -out "$DIR/signing-private.pem"
chmod 600 "$DIR/signing-private.pem"

# 导出公钥
openssl ec -in "$DIR/signing-private.pem" -pubout -out "$DIR/signing-public.pem"

echo ""
echo "✅ 已生成:"
echo "   公钥: $DIR/signing-public.pem   ← 提交仓库，构建时嵌入 updater"
echo "   私钥: $DIR/signing-private.pem  ← 不要提交！拷到 Gitea Secrets"
echo ""
echo "添加到 Gitea Secrets:"
echo "   名称: UPDATER_SIGNING_KEY"
echo "   值:  cat $DIR/signing-private.pem 的内容"