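# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
#
# keyedgit wraps git so that signature checks (git verify-commit,
# git log --show-signature, ...) run against a gpg that knows exactly one
# public key -- the one passed in as `key` -- and treats it as trusted.
# Signatures from any other key are therefore rejected as unknown,
# independently of whatever is in the invoking user's own ~/.gnupg.

self: super: {
  # key: path to a public-key file that gpg can --import.
  keyedgit = key:
    let
      # gpg that runs in a throwaway GNUPGHOME, so it neither reads nor
      # modifies the user's keyring/trustdb.  The directory is removed when
      # the script exits.  If mktemp fails we stop rather than run gpg with
      # an empty GNUPGHOME (the `export VAR=$(cmd)` form would have masked
      # that failure).
      homelessGPG = super.writeShellScript "homeless-gpg" ''
        GNUPGHOME=$(mktemp -d) || exit 1
        export GNUPGHOME
        trap 'rm -r "$GNUPGHOME"' EXIT
        ${self.gnupg}/bin/gpg "$@"
      '';
      # Keyring holding only `key`, built once into the Nix store.
      keyring = super.runCommand "keyedkeyring.gpg" {} ''
        ${homelessGPG} --no-default-keyring --keyring=$out --import ${key}
      '';
      # Long (16 hex digit) key ID of the first primary key in `key`, the
      # form --trusted-key takes.  Only "pub" records are considered, and
      # the build fails if none is found, so a malformed key file is caught
      # here instead of as an empty --trusted-key at every git invocation.
      keyid = super.runCommand "keyid" {} ''
        ${homelessGPG} --with-colons --show-keys ${key} \
          | awk -F: '$1 == "pub" { print $5; exit }' > $out
        test -s $out
      '';
      # gpg as git will call it: fixed keyring, `key` marked trusted, and
      # git's own arguments (--verify, --status-fd, ...) passed through.
      keyedGPG = super.writeShellScript "keyed-gpg" ''
        ${homelessGPG} --no-default-keyring --keyring=${keyring} --trusted-key "$(< ${keyid} )" "$@"
      '';
    in super.symlinkJoin {
      name = "keyedgit";
      paths = [ self.git ];
      buildInputs = [ super.makeWrapper ];
      # Point git at keyedGPG via -c, so no git config file has to be edited.
      postBuild = ''
        wrapProgram "$out/bin/git" \
          --add-flags '-c gpg.program=${keyedGPG}'
      '';
    };
}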