From 5f5a75ef2abe6f4879bf07be9b246a1adf89d362 Mon Sep 17 00:00:00 2001
From: Tomas Restrepo
Date: Mon, 11 Sep 2023 15:45:22 -0500
Subject: [PATCH 1/3] Implement a sign-many command for better performance
---
cmdline/token/signmanycmd.go | 151 +++++++++++++++++++++++++++++++++++
1 file changed, 151 insertions(+)
create mode 100644 cmdline/token/signmanycmd.go
diff --git a/cmdline/token/signmanycmd.go b/cmdline/token/signmanycmd.go
new file mode 100644
index 0000000..6f91d7e
--- /dev/null
+++ b/cmdline/token/signmanycmd.go
@@ -0,0 +1,151 @@
+//
+// Copyright (c) SAS Institute Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package token
+
+import (
+ "bytes"
+ "context"
+ "errors"
+ "fmt"
+ "os"
+
+ "github.com/spf13/cobra"
+
+ "github.com/sassoftware/relic/v7/cmdline/shared"
+ "github.com/sassoftware/relic/v7/internal/signinit"
+ "github.com/sassoftware/relic/v7/lib/certloader"
+ "github.com/sassoftware/relic/v7/signers"
+)
+
+var SignManyCmd = &cobra.Command{
+ Use: "sign-many",
+ Short: "Sign multiple packages using a token",
+ RunE: signManyCmd,
+}
+
+var (
+ margIfUnsigned bool
+ margSigType string
+ margFiles []string
+)
+
+func init() {
+ shared.RootCmd.AddCommand(SignManyCmd)
+ addKeyFlags(SignManyCmd)
+ SignManyCmd.Flags().StringArrayVarP(&margFiles, "file", "f", []string{}, "Input file to sign; Can be specified multiple times")
+ SignManyCmd.Flags().StringVarP(&argSigType, "sig-type", "T", "", "Specify signature type (default: auto-detect)")
+ SignManyCmd.Flags().BoolVar(&argIfUnsigned, "if-unsigned", false, "Skip signing if the file already has a signature")
+ shared.AddDigestFlag(SignManyCmd)
+ shared.AddLateHook(func() {
+ signers.MergeFlags(SignManyCmd)
+ })
+}
+
+func signFile(mod *signers.Signer, opts *signers.SignOpts, cert *certloader.Certificate, argFile string, argOutput string) error {
+ opts.Path = argFile
+ infile, err := shared.OpenForPatching(argFile, argOutput)
+ if err != nil {
+ return shared.Fail(err)
+ } else {
+ defer infile.Close()
+ }
+ if argIfUnsigned {
+ if infile == os.Stdin {
+ return shared.Fail(errors.New("cannot use --if-unsigned with standard input"))
+ }
+ if signed, err := mod.IsSigned(infile); err != nil {
+ return shared.Fail(err)
+ } else if signed {
+ fmt.Fprintf(os.Stderr, "skipping already-signed file: %s\n", argFile)
+ return nil
+ }
+ if _, err := infile.Seek(0, 0); err != nil {
+ return shared.Fail(fmt.Errorf("rewinding input file: %w", err))
+ }
+ }
+ // transform the input, sign the stream, and apply the result
+ transform, err := mod.GetTransform(infile, *opts)
+ if err != nil {
+ return shared.Fail(err)
+ }
+ stream, err := transform.GetReader()
+ if err != nil {
+ return shared.Fail(err)
+ }
+ blob, err := mod.Sign(stream, cert, *opts)
+ if err != nil {
+ return shared.Fail(err)
+ }
+ mimeType := opts.Audit.GetMimeType()
+ if err := transform.Apply(argOutput, mimeType, bytes.NewReader(blob)); err != nil {
+ return shared.Fail(err)
+ }
+ // if needed, do a final fixup step
+ if mod.Fixup != nil {
+ f, err := os.OpenFile(argOutput, os.O_RDWR, 0)
+ if err != nil {
+ return shared.Fail(err)
+ }
+ defer f.Close()
+ if err := mod.Fixup(f); err != nil {
+ return shared.Fail(err)
+ }
+ }
+ if err := signinit.PublishAudit(opts.Audit); err != nil {
+ return err
+ }
+ fmt.Fprintln(os.Stderr, "Signed", argFile)
+ return nil
+}
+
+func signManyCmd(cmd *cobra.Command, args []string) error {
+ if len(margFiles) == 0 || argKeyName == "" {
+ return errors.New("--file and --key are required")
+ }
+ mod, err := signers.ByFile(margFiles[0], argSigType)
+ if err != nil {
+ return shared.Fail(err)
+ }
+ if mod.Sign == nil {
+ return shared.Fail(fmt.Errorf("can't sign files of type: %s", mod.Name))
+ }
+ flags, err := mod.FlagsFromCmdline(cmd.Flags())
+ if err != nil {
+ return shared.Fail(err)
+ }
+ hash, err := shared.GetDigest()
+ if err != nil {
+ return shared.Fail(err)
+ }
+ token, err := openTokenByKey(argKeyName)
+ if err != nil {
+ return shared.Fail(err)
+ }
+ cert, opts, err := signinit.Init(context.Background(), mod, token, argKeyName, hash, flags)
+ if err != nil {
+ return shared.Fail(err)
+ }
+
+ for _, file := range margFiles {
+ err := signFile(mod, opts, cert, file, file)
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
From 5cf40d28a68f247d64fae4ecff0571fa34a08237 Mon Sep 17 00:00:00 2001
From: Tomas Restrepo
Date: Tue, 11 Feb 2025 10:33:42 -0500
Subject: [PATCH 2/3] Update references to v8
---
cmdline/token/signmanycmd.go | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmdline/token/signmanycmd.go b/cmdline/token/signmanycmd.go
index 6f91d7e..45fffc0 100644
--- a/cmdline/token/signmanycmd.go
+++ b/cmdline/token/signmanycmd.go
@@ -25,10 +25,10 @@ import ( "github.com/spf13/cobra" - "github.com/sassoftware/relic/v7/cmdline/shared" - "github.com/sassoftware/relic/v7/internal/signinit" - "github.com/sassoftware/relic/v7/lib/certloader" - "github.com/sassoftware/relic/v7/signers" + "github.com/sassoftware/relic/v8/cmdline/shared" + "github.com/sassoftware/relic/v8/internal/signinit" + "github.com/sassoftware/relic/v8/lib/certloader" + "github.com/sassoftware/relic/v8/signers" ) var SignManyCmd = &cobra.Command{
From 95dc51599b23b88226ce993ffee0a88be7bb4fe7 Mon Sep 17 00:00:00 2001
From: Tomas Restrepo
Date: Tue, 11 Feb 2025 10:59:43 -0500
Subject: [PATCH 3/3] Improve command description. DCO Remediation Commit for Tomas Restrepo I, Tomas Restrepo , hereby add my Signed-off-by to this commit: 5f5a75ef2abe6f4879bf07be9b246a1adf89d362 I, Tomas Restrepo , hereby add my Signed-off-by to this commit: 5cf40d28a68f247d64fae4ecff0571fa34a08237 Signed-off-by: Tomas Restrepo
---
cmdline/token/signmanycmd.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmdline/token/signmanycmd.go b/cmdline/token/signmanycmd.go
index 45fffc0..0a5b2ef 100644
--- a/cmdline/token/signmanycmd.go
+++ b/cmdline/token/signmanycmd.go
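Review bot: In PATCH 1/3, `signManyCmd` selects the signer module once from `margFiles[0]` and passes that same `mod` to `signFile` for every path, so a batch that mixes file types is signed in place with a module chosen for a different format. A pre-pass that runs `signers.ByFile` on the remaining paths and rejects a mismatch before the token is opened (assuming `ByFile` inspects each file when `--sig-type` is empty) would also keep the command from stopping midway with some files already rewritten. The loop also reuses one `opts`, and with it one `opts.Audit`, which `signFile` publishes per file; if signers attach per-file attributes to the audit record, which is not visible here, values from an earlier file could carry into later records. Separately, `margIfUnsigned` and `margSigType` are declared but the flags bind `argIfUnsigned` and `argSigType`, so the two new variables appear unused in this file.

```go
// … unchanged: module lookup from margFiles[0], Sign check, flags, digest …
// Reject a mixed batch before the token is opened or any file is rewritten.
for _, file := range margFiles[1:] {
	other, err := signers.ByFile(file, argSigType)
	if err != nil {
		return shared.Fail(err)
	}
	if other.Name != mod.Name {
		return shared.Fail(fmt.Errorf("%s: detected type %s, expected %s", file, other.Name, mod.Name))
	}
}
// … unchanged: openTokenByKey, signinit.Init, signing loop …
```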
@@ -33,7 +33,7 @@ import ( var SignManyCmd = &cobra.Command{ Use: "sign-many", - Short: "Sign multiple packages using a token", + Short: "Sign multiple packages at once using a token", RunE: signManyCmd, }