[auto-upgrade-with-pinch] / overlays / keyedgit.nix

# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys

self: super: {
  keyedgit = keys:
    let
      keyfile = if builtins.isList keys then
        super.runCommand "keyfile" { } ''
          cat ${super.lib.escapeShellArgs keys} > $out
        ''
      else
        keys;
      homelessGPG = super.writeShellScript "homeless-gpg" ''
        export GNUPGHOME=$(mktemp -d)
        trap 'rm -r "$GNUPGHOME"' EXIT
        ${self.gnupg}/bin/gpg "$@"
      '';
      keyring = super.runCommand "keyedkeyring.gpg" { } ''
        ${homelessGPG} --no-default-keyring --keyring=$out --import ${keyfile}
      '';
      keyids = super.runCommand "keyids" { } ''
        ${homelessGPG} --no-default-keyring --with-colons --show-keys ${keyfile} |
          ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }' > $out
      '';
      keyedGPG = super.writeShellScript "keyed-gpg" ''
        trusted_key_args=()
        while read keyid;do
          trusted_key_args+=( --trusted-key "$keyid" )
        done < ${keyids}
        ${homelessGPG} --no-default-keyring --keyring=${keyring} "''${trusted_key_args[@]}" "$@"
      '';
    in super.symlinkJoin {
      name = "keyedgit";
      paths = [ self.git ];
      buildInputs = [ super.makeWrapper ];
      postBuild = ''
        wrapProgram "$out/bin/git" \
          --add-flags '-c gpg.program=${keyedGPG}'
      '';
    };
}
Commit	Line	Data
3953b166 SW	1	# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
	2
	3	self: super: {
9d0c0d71	4	keyedgit = keys:
3953b166	5	let
318cb8e2 SW	6	keyfile = if builtins.isList keys then
	7	super.runCommand "keyfile" { } ''
	8	cat ${super.lib.escapeShellArgs keys} > $out
	9	''
	10	else
	11	keys;
00a79ae1	12	homelessGPG = super.writeShellScript "homeless-gpg" ''
3953b166	13	export GNUPGHOME=$(mktemp -d)
00a79ae1 SW	14	trap 'rm -r "$GNUPGHOME"' EXIT
	15	${self.gnupg}/bin/gpg "$@"
	16	'';
318cb8e2 SW	17	keyring = super.runCommand "keyedkeyring.gpg" { } ''
318cb8e2 SW	18	${homelessGPG} --no-default-keyring --keyring=$out --import ${keyfile}
00a79ae1	19	'';
318cb8e2 SW	20	keyids = super.runCommand "keyids" { } ''
318cb8e2 SW	21	${homelessGPG} --no-default-keyring --with-colons --show-keys ${keyfile} \|
10f5329a	22	${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }' > $out
00a79ae1 SW	23	'';
00a79ae1 SW	24	keyedGPG = super.writeShellScript "keyed-gpg" ''
9d0c0d71 SW	25	trusted_key_args=()
	26	while read keyid;do
	27	trusted_key_args+=( --trusted-key "$keyid" )
	28	done < ${keyids}
	29	${homelessGPG} --no-default-keyring --keyring=${keyring} "''${trusted_key_args[@]}" "$@"
3953b166	30	'';
3953b166 SW	31	in super.symlinkJoin {
	32	name = "keyedgit";
	33	paths = [ self.git ];
	34	buildInputs = [ super.makeWrapper ];
	35	postBuild = ''
	36	wrapProgram "$out/bin/git" \
00a79ae1	37	--add-flags '-c gpg.program=${keyedGPG}'
3953b166 SW	38	'';
	39	};
	40	}