| | 1 | # Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys |
| | 2 | # Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc' |
| | 3 | |
| | 4 | { coreutils, gawk, homeless-gpg, lib, writeShellScript, }: |
| | 5 | keyfiles: |
| | 6 | writeShellScript "keyed-gpg" '' |
| | 7 | set -eo pipefail |
| | 8 | |
| | 9 | keyring=$(${coreutils}/bin/mktemp) |
| | 10 | cleanup() { ${coreutils}/bin/rm "$keyring"; } |
| | 11 | trap cleanup EXIT |
| | 12 | ${homeless-gpg} --keyring="$keyring" --import ${lib.escapeShellArgs keyfiles} |
| | 13 | |
| | 14 | trusted_key_args=() |
| | 15 | while read keyid;do |
| | 16 | trusted_key_args+=( --trusted-key "$keyid" ) |
| | 17 | done < <( |
| | 18 | ${homeless-gpg} --with-colons --show-keys ${lib.escapeShellArgs keyfiles} | |
| | 19 | ${gawk}/bin/awk -F: '$1 == "pub" { print $5 }') |
| | 20 | |
| | 21 | ${homeless-gpg} --keyring="$keyring" "''${trusted_key_args[@]}" "$@" |
| | 22 | '' |
| | 23 | |
projects / auto-upgrade-with-pinch / blame_incremental