#!/usr/bin/bash

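# Git hook body: when a one-shot marker file exists, stamp the commit message
# with "Gitleaks-Sign" / "Gitleaks-Hash" trailers describing the tree being
# committed.
#
# Arguments: $1 - path to the commit message file (supplied by git).
#
# NOTE(review): the marker is presumably written by a pre-commit hook after a
# clean gitleaks run, and its content is used as the gitleaks version -- confirm
# against the hook that creates it.
#
# SECURITY: these trailers are NOT a cryptographic signature. The payload is
# plain base64 and the hash is an unkeyed SHA-256 of that payload, so anyone
# who can edit a commit message (or create the marker file) can produce valid
# looking values. Treat them as an advisory record only and enforce secret
# scanning in CI or a server-side hook.
COMMIT_MSG_FILE=${1:-}
# Relative path: assumes the hook runs at the top of a worktree whose .git is a
# directory. NOTE(review): in linked worktrees and submodules .git is a file,
# so the marker would never be found there -- confirm this is acceptable.
GL_PASSED=".git/.gitleaks_passed"

# Encode "<version>|<timestamp>|<tree>" as single-line base64 (stdout).
# printf '%s' is used instead of echo -n so the data is never parsed as options.
gl_encode_sign() {
    printf '%s' "$1|$2|$3" | base64 -w 0
}

# Print the lowercase hex SHA-256 of the encoded payload given in $1.
gl_hash_sign() {
    printf '%s' "$1" | sha256sum | awk '{print $1}'
}

# Consume the marker and append fresh trailers to the message file in $1.
# Always returns 0: problems are reported on stderr and leave the message
# without trailers rather than with partially filled ones.
gl_stamp_commit_msg() {
    local msg_file=${1:-}
    local gl_ver tree_hash ts gl_sign gl_hash

    [[ -f "${GL_PASSED}" ]] || return 0

    # The marker is single-use: read it, then delete it before anything else so
    # it is consumed even when stamping is skipped below.
    gl_ver=$(cat "${GL_PASSED}")
    rm -f "${GL_PASSED}"

    if [[ -z "${msg_file}" || ! -f "${msg_file}" ]]; then
        echo "gitleaks hook: commit message file missing, trailers not added" >&2
        return 0
    fi

    # Never record a trailer with an empty tree hash: it would claim a scan of
    # a tree that could not be identified.
    if ! tree_hash=$(git write-tree) || [[ -z "${tree_hash}" ]]; then
        echo "gitleaks hook: git write-tree failed, trailers not added" >&2
        return 0
    fi

    ts=$(date -u +%FT%T)
    gl_sign=$(gl_encode_sign "${gl_ver}" "${ts}" "${tree_hash}")
    gl_hash=$(gl_hash_sign "${gl_sign}")
    if [[ -z "${gl_sign}" || -z "${gl_hash}" ]]; then
        echo "gitleaks hook: could not encode trailers, none added" >&2
        return 0
    fi

    # Drop every existing line starting with "Gitleaks-" (e.g. from an amended
    # or hand-edited message) so only the fresh values remain.
    sed -i -e '/^Gitleaks-/d' -- "${msg_file}"

    # Blank separator line, then the two trailers.
    {
        printf '\n'
        printf 'Gitleaks-Sign: %s\n' "${gl_sign}"
        printf 'Gitleaks-Hash: %s\n' "${gl_hash}"
    } >> "${msg_file}"
}

gl_stamp_commit_msg "${COMMIT_MSG_FILE}"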

# Exit status is always 0, so this hook never blocks a commit; on its own it
# cannot be used to enforce that a scan ran.
exit 0
