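# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
# Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc --'
# (the "--" is required: everything before it is a key file, everything
# after it is passed through to gpg; git appends its own gpg arguments there).

self: super:
let
  # gpg wrapper that runs against a throwaway GNUPGHOME so that the user's
  # real keyring and trust database are neither consulted nor modified.
  # The temporary directory is removed when the wrapper exits.
  homelessGPG = super.writeShellScript "homeless-gpg" ''
    set -euo pipefail

    export GNUPGHOME=$(${self.coreutils}/bin/mktemp -d)
    trap '${self.coreutils}/bin/rm -r "$GNUPGHOME"' EXIT
    ${self.gnupg}/bin/gpg --no-default-keyring "$@"
  '';
in {
  # keyed-gpg KEYFILE... -- GPG-ARGS...
  #
  # Runs gpg with a temporary keyring built only from the given key files and
  # passes every primary key found in them as --trusted-key, so only those
  # keys are treated as trusted for the gpg command given after "--".
  keyedgpg = super.writeShellScript "keyed-gpg" ''
    set -euo pipefail

    usage() {
      echo "usage: keyed-gpg /path/to/keyfile1.asc ... -- gpg-command..." >&2
      exit 1
    }

    # Collect key files up to the first "--"; everything after it is for gpg.
    incomplete=true
    keyfiles=()
    while (( $# > 0 )); do
      if [[ "$1" == -- ]]; then
        shift
        incomplete=false
        break
      fi
      if [[ ! -r "$1" ]]; then
        usage
      fi
      # Append as a new array element. The former "keyfiles+=$1" concatenated
      # onto element 0, silently merging several key files into one bogus path.
      keyfiles+=("$1")
      shift
    done
    if "$incomplete"; then
      usage
    fi
    # Without at least one key file nothing would be imported or trusted.
    if (( ''${#keyfiles[@]} == 0 )); then
      usage
    fi

    keyring=$(${self.coreutils}/bin/mktemp)
    cleanup() { ${self.coreutils}/bin/rm -f "$keyring"; }
    trap cleanup EXIT
    ${homelessGPG} --keyring="$keyring" --import "''${keyfiles[@]}"

    # Every "pub" record's key ID (colon-separated field 5 of the
    # --with-colons output) becomes a --trusted-key argument.
    trusted_key_args=()
    while read -r keyid; do
      trusted_key_args+=( --trusted-key "$keyid" )
    done < <(
      ${homelessGPG} --with-colons --show-keys "''${keyfiles[@]}" |
      ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }')

    ${homelessGPG} --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
  '';
}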