| | 1 | # Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys |
| | 2 | |
| | 3 | self: super: { |
| | 4 | keyedgit = keys: |
| | 5 | let |
| | 6 | homelessGPG = super.writeShellScript "homeless-gpg" '' |
| | 7 | export GNUPGHOME=$(mktemp -d) |
| | 8 | trap 'rm -r "$GNUPGHOME"' EXIT |
| | 9 | ${self.gnupg}/bin/gpg "$@" |
| | 10 | ''; |
| | 11 | keyring = super.runCommand "keyedkeyring.gpg" {} '' |
| | 12 | ${homelessGPG} --no-default-keyring --keyring=$out --import ${keys} |
| | 13 | ''; |
| | 14 | keyids = super.runCommand "keyids" {} '' |
| | 15 | ${homelessGPG} --no-default-keyring --with-colons --show-keys ${keys} | |
| | 16 | ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }' > $out |
| | 17 | ''; |
| | 18 | keyedGPG = super.writeShellScript "keyed-gpg" '' |
| | 19 | trusted_key_args=() |
| | 20 | while read keyid;do |
| | 21 | trusted_key_args+=( --trusted-key "$keyid" ) |
| | 22 | done < ${keyids} |
| | 23 | ${homelessGPG} --no-default-keyring --keyring=${keyring} "''${trusted_key_args[@]}" "$@" |
| | 24 | ''; |
| | 25 | in super.symlinkJoin { |
| | 26 | name = "keyedgit"; |
| | 27 | paths = [ self.git ]; |
| | 28 | buildInputs = [ super.makeWrapper ]; |
| | 29 | postBuild = '' |
| | 30 | wrapProgram "$out/bin/git" \ |
| | 31 | --add-flags '-c gpg.program=${keyedGPG}' |
| | 32 | ''; |
| | 33 | }; |
| | 34 | } |
projects / auto-upgrade-with-pinch / blame_incremental