]> git.scottworley.com Git - auto-upgrade-with-pinch/blame - overlays/keyedgit.nix
Keyed git - check signatures with a specified key
[auto-upgrade-with-pinch] / overlays / keyedgit.nix
CommitLineData
3953b166
SW
1# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
2
3self: super: {
4 keyedgit = key:
5 let
6 keyring = super.runCommand "keyedkeyring.gpg" {} ''
7 export GNUPGHOME=$(mktemp -d)
8 ${self.gnupg}/bin/gpg --no-default-keyring --keyring=$out --import ${key}
9 '';
10 keyedgpg = super.symlinkJoin {
11 name = "keyedgpg";
12 buildInputs = [ super.makeWrapper ];
13 paths = [ self.gnupg ];
14 postBuild = ''
15 wrapProgram "$out/bin/gpg" \
16 --add-flags '--no-default-keyring --keyring=${keyring}'
17 '';
18 };
19 in super.symlinkJoin {
20 name = "keyedgit";
21 paths = [ self.git ];
22 buildInputs = [ super.makeWrapper ];
23 postBuild = ''
24 wrapProgram "$out/bin/git" \
25 --add-flags '-c gpg.program=${keyedgpg}/bin/gpg'
26 '';
27 };
28}