Specify key by long key id, not fingerprint
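# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
#
# `keyedgit keys` builds a `git` whose gpg.program is a wrapper that checks
# signatures only against the public keys in `keys` (a file gpg can import).
# Every gpg call runs in a throw-away GNUPGHOME, so the invoking user's own
# keyring and trustdb are never consulted, and each imported key is passed
# with --trusted-key so that a good signature from it is reported as trusted
# rather than merely valid-but-unknown.

self: super: {
  keyedgit = keys:
    let
      # gpg that never touches ~/.gnupg: a fresh GNUPGHOME per call, removed on exit.
      homelessGPG = super.writeShellScript "homeless-gpg" ''
        # Plain assignment rather than `export X=$(...)` so that mktemp's
        # exit status is checked: gpg treats an empty GNUPGHOME like an
        # unset one and would silently use the default home directory.
        GNUPGHOME=$(mktemp -d) || exit 1
        export GNUPGHOME
        trap 'rm -r "$GNUPGHOME"' EXIT
        ${self.gnupg}/bin/gpg "$@"
      '';

      # Keyring containing exactly the keys handed to keyedgit.
      keyring = super.runCommand "keyedkeyring.gpg" {} ''
        ${homelessGPG} --no-default-keyring --keyring="$out" --import ${keys}
      '';

      # Long key ids of the primary keys (field 5 of the colon-format "pub"
      # records), one per line; these are what --trusted-key expects.
      keyids = super.runCommand "keyids" {} ''
        set -o pipefail
        ${homelessGPG} --no-default-keyring --with-colons --show-keys ${keys} |
          ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }' > "$out"
        # An empty id list would leave every signature untrusted at verify time
        # without any build-time signal; fail the build instead.
        test -s "$out"
      '';

      # The gpg that git invokes: restricted to the keyed keyring, with every
      # key in it marked trusted for this invocation only.
      keyedGPG = super.writeShellScript "keyed-gpg" ''
        trusted_key_args=()
        while read -r keyid; do
          trusted_key_args+=( --trusted-key "$keyid" )
        done < ${keyids}
        ${homelessGPG} --no-default-keyring --keyring=${keyring} "''${trusted_key_args[@]}" "$@"
      '';
    in super.symlinkJoin {
      name = "keyedgit";
      paths = [ self.git ];
      buildInputs = [ super.makeWrapper ];
      # Inject the gpg wrapper via `-c`, which precedes the git subcommand and
      # so applies to every verify/sign operation of the wrapped git.
      postBuild = ''
        wrapProgram "$out/bin/git" \
          --add-flags '-c gpg.program=${keyedGPG}'
      '';
    };
}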