]> git.scottworley.com Git - auto-upgrade-with-pinch/blame_incremental - pkgs/keyed-gpg.nix
pinch 1.5 -> 3.0.2
[auto-upgrade-with-pinch] / pkgs / keyed-gpg.nix
... / ...
CommitLineData
1# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
2# Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc'
3
4{ coreutils, gawk, homeless-gpg, lib, writeShellScript, }:
5keyfiles:
6writeShellScript "keyed-gpg" ''
7 set -eo pipefail
8
9 keyring=$(${coreutils}/bin/mktemp)
10 cleanup() { ${coreutils}/bin/rm "$keyring"; }
11 trap cleanup EXIT
12 ${homeless-gpg} --keyring="$keyring" --import ${lib.escapeShellArgs keyfiles}
13
14 trusted_key_args=()
15 while read keyid;do
16 trusted_key_args+=( --trusted-key "$keyid" )
17 done < <(
18 ${homeless-gpg} --with-colons --show-keys ${lib.escapeShellArgs keyfiles} |
19 ${gawk}/bin/awk -F: '$1 == "pub" { print $5 }')
20
21 ${homeless-gpg} --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
22''
23