# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
#
# Overlay providing `keyedgit`: a `git` whose `gpg.program` is pinned (via a
# `-c` command-line option, which takes precedence over every config file) to
# a gpg that knows only the keys given in `keys` and treats them as trusted.
# A signature made by any other key is therefore not reported as trusted.

self: super: {
  # `keys` is either a list of key files (concatenated into one file) or a
  # single path/derivation that already holds the keys.
  keyedgit = keys:
    let
      # gpg with a throw-away GNUPGHOME per invocation: no keyring, trustdb
      # or agent state survives between calls, so nothing in the user's real
      # GnuPG home can influence a verification.
      ephemeralGpg = super.writeShellScript "homeless-gpg" ''
        export GNUPGHOME=$(mktemp -d)
        trap 'rm -r "$GNUPGHOME"' EXIT
        ${self.gnupg}/bin/gpg "$@"
      '';

      # All public keys to trust, as one file.
      keyFile =
        if builtins.isList keys then
          super.runCommand "keyfile" { } ''
            cat ${super.lib.escapeShellArgs keys} > $out
          ''
        else
          keys;

      # Keyring holding exactly the keys from `keyFile`, built with an
      # ephemeral home so nothing else is imported alongside them.
      trustedKeyring = super.runCommand "keyedkeyring.gpg" { } ''
        ${ephemeralGpg} --no-default-keyring --keyring=$out --import ${keyFile}
      '';

      # Long key IDs of the primary keys in `keyFile`, one per line (field 5
      # of the `pub` records in `--with-colons` output). Requires a GnuPG that
      # supports `--show-keys`.
      trustedKeyIds = super.runCommand "keyids" { } ''
        ${ephemeralGpg} --no-default-keyring --with-colons --show-keys ${keyFile} |
        ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }' > $out
      '';

      # gpg restricted to `trustedKeyring`; every key in it is passed as
      # `--trusted-key`, so it counts as fully trusted without a persistent
      # trustdb. Keys outside the keyring are simply unknown to this gpg.
      trustedGpg = super.writeShellScript "keyed-gpg" ''
        trusted_key_args=()
        while read keyid;do
          trusted_key_args+=( --trusted-key "$keyid" )
        done < ${trustedKeyIds}
        ${ephemeralGpg} --no-default-keyring --keyring=${trustedKeyring} "''${trusted_key_args[@]}" "$@"
      '';
    in
    super.symlinkJoin {
      name = "keyedgit";
      paths = [ self.git ];
      buildInputs = [ super.makeWrapper ];
      # NOTE(review): only `gpg.program` is pinned here, not `gpg.format`; a
      # configuration selecting a non-openpgp signature format would make git
      # call a different program — confirm that is acceptable for the
      # repositories this wrapper is meant to verify.
      postBuild = ''
        wrapProgram "$out/bin/git" \
          --add-flags '-c gpg.program=${trustedGpg}'
      '';
    };
}