{ lib
, stdenv
, rustPlatform
, fetchFromGitHub
, apple-sdk_11
, uutils-coreutils
}:

rustPlatform.buildRustPackage rec {
  pname = "rcodesign";
  version = "0.28.0";

  src = fetchFromGitHub {
    owner = "indygreg";
    repo = "apple-platform-rs";
    rev = "apple-codesign/${version}";
    hash = "sha256-xyjq5mdc29OwzlUAQZWSg1k68occ81i7KBGUiiq0ke0=";
  };

  patches = [
    # Disable cli_tests test that requires network access.
    ./disable-sign-for-notarization-test.patch
  ];

  cargoHash = "sha256-xMhyKovXoBPZp6epWQ+CYODpyvHgpv6eZfdWPTuDnK8=";

  buildInputs = lib.optionals stdenv.hostPlatform.isDarwin [ apple-sdk_11 ];

  cargoBuildFlags = [
    # Only build the binary we want
    "--bin"
    "rcodesign"
  ];

  checkFlags = [
    # Does network IO
    "--skip=ticket_lookup::test::lookup_ticket"
    # These tests require Xcode to be installed
    "--skip=find_all_platform_directories"
    "--skip=find_all_sdks"
  ];

  # Set up uutils-coreutils for cli_tests. Without this, it will be installed with `cargo install`, which will fail
  # due to the lack of network access in the build environment.
  preCheck = ''
    coreutils_dir=''${CARGO_TARGET_DIR:-"$(pwd)/target"}/${stdenv.hostPlatform.rust.cargoShortTarget}/coreutils/bin
    install -m 755 -d "$coreutils_dir"
    ln -s '${lib.getExe' uutils-coreutils "uutils-coreutils"}' "$coreutils_dir/coreutils"
  '';

  meta = with lib; {
    description = "Cross-platform CLI interface to interact with Apple code signing";
    mainProgram = "rcodesign";
    longDescription = ''
      rcodesign provides various commands to interact with Apple signing,
      including signing and notarizing binaries, generating signing
      certificates, and verifying existing signed binaries.

      For more information, refer to the [documentation](https://gregoryszorc.com/docs/apple-codesign/stable/apple_codesign_rcodesign.html).
    '';
    homepage = "https://github.com/indygreg/apple-platform-rs";
    license = licenses.mpl20;
    maintainers = with maintainers; [ euank ];
  };
}