projects / auto-upgrade-with-pinch / blame
| Commit | Line | Data |
|---|---|---|
| f1a53b29 SW |
1 | # Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys |
| 2 | # Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc' | |
| 3 | ||
| 4 | self: super: | |
| 5 | let | |
| 6 | homelessGPG = super.writeShellScript "homeless-gpg" '' | |
| 7 | set -eo pipefail | |
| 8 | ||
| 9 | export GNUPGHOME=$(${self.coreutils}/bin/mktemp -d) | |
| 10 | trap '${self.coreutils}/bin/rm -r "$GNUPGHOME"' EXIT | |
| 11 | ${self.gnupg}/bin/gpg --no-default-keyring "$@" | |
| 12 | ''; | |
| 13 | in { | |
| 5ea02587 | 14 | keyedgpg = keyfiles: super.writeShellScript "keyed-gpg" '' |
| f1a53b29 SW |
15 | set -eo pipefail |
| 16 | ||
| f1a53b29 SW |
17 | keyring=$(${self.coreutils}/bin/mktemp) |
| 18 | cleanup() { ${self.coreutils}/bin/rm "$keyring"; } | |
| 19 | trap cleanup EXIT | |
| 5ea02587 | 20 | ${homelessGPG} --keyring="$keyring" --import ${self.lib.escapeShellArgs keyfiles} |
| f1a53b29 SW |
21 | |
| 22 | trusted_key_args=() | |
| 23 | while read keyid;do | |
| 24 | trusted_key_args+=( --trusted-key "$keyid" ) | |
| 25 | done < <( | |
| 5ea02587 | 26 | ${homelessGPG} --with-colons --show-keys ${self.lib.escapeShellArgs keyfiles} | |
| f1a53b29 SW |
27 | ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }') |
| 28 | ||
| 29 | ${homelessGPG} --keyring="$keyring" "''${trusted_key_args[@]}" "$@" | |
| 30 | ''; | |
| 31 | } |