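# Pin git's signature verification to a fixed set of public keys.
#
# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
# Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc'
#
# `keyedgpg keyfiles` builds a gpg wrapper that
#   * never touches the user's ~/.gnupg: every gpg call runs in a throwaway
#     GNUPGHOME with the default keyring disabled, so no keyring, trustdb or
#     gpg.conf of the calling user can leak into the verification,
#   * imports only the keys found in `keyfiles` into a temporary keyring, and
#   * marks exactly those keys as ultimately trusted via --trusted-key.
# A signature made by any other key therefore cannot verify: that key is not
# in the keyring at all.  The 64-bit key ID handed to --trusted-key only has
# to identify a key inside that temporary keyring, so a key-ID collision by an
# outside key does not help an attacker (an attacker who can edit `keyfiles`
# has already won).
#
# Only verification is expected to work: the final gpg call runs in a fresh
# GNUPGHOME without any secret keys, so signing through this wrapper fails.

self: super:
let
  # Run gpg in a fresh, private GNUPGHOME that is discarded on exit, with the
  # default keyring disabled.  All arguments are passed straight through.
  homelessGPG = super.writeShellScript "homeless-gpg" ''
    set -eo pipefail

    # mktemp -d creates the directory mode 0700, which is what gpg expects.
    export GNUPGHOME=$(${self.coreutils}/bin/mktemp -d)
    cleanup() {
      # Stop any agent/dirmngr gpg may have started for this home so that no
      # daemon outlives the directory it was bound to; a no-op when none runs.
      ${self.gnupg}/bin/gpgconf --kill all >/dev/null 2>&1 || true
      ${self.coreutils}/bin/rm -rf "$GNUPGHOME"
    }
    trap cleanup EXIT
    ${self.gnupg}/bin/gpg --no-default-keyring "$@"
  '';
in {
  # keyedgpg : (path | [path]) -> gpg wrapper script
  #
  # `keyfiles` are the public-key files (ASCII-armored or binary, anything
  # `gpg --import` accepts) whose keys are the only ones allowed to verify.
  keyedgpg = keyfiles:
    let
      # Accept a single path as well as a list of paths.
      keyfileArgs = self.lib.escapeShellArgs (self.lib.toList keyfiles);
    in super.writeShellScript "keyed-gpg" ''
      set -eo pipefail

      # Temporary keyring (mktemp creates it mode 0600) holding only the
      # pinned keys.
      keyring=$(${self.coreutils}/bin/mktemp)
      cleanup() { ${self.coreutils}/bin/rm -f "$keyring"; }
      trap cleanup EXIT
      ${homelessGPG} --keyring="$keyring" --import ${keyfileArgs}

      # Long key IDs (field 5 of the `pub` records) of every public key in the
      # keyfiles.  Captured with a command substitution rather than a process
      # substitution so that a missing or unreadable keyfile aborts the script
      # under `set -eo pipefail` instead of silently producing an empty trust
      # set.
      keyids=$(
        ${homelessGPG} --with-colons --show-keys ${keyfileArgs} |
        ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }'
      )
      # Fail closed: never run gpg with nothing marked as trusted.
      if [ -z "$keyids" ]; then
        echo "keyed-gpg: no public keys found in the configured keyfiles" >&2
        exit 1
      fi

      trusted_key_args=()
      while read -r keyid; do
        trusted_key_args+=( --trusted-key "$keyid" )
      done <<< "$keyids"

      # Fresh GNUPGHOME again: an empty trustdb plus the --trusted-key flags
      # is the entire trust state for this invocation.
      ${homelessGPG} --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
    '';
}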