git.scottworley.com Git - auto-upgrade-with-pinch/blob - pkgs/keyed-gpg.nix

   1 # Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
   2 # Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc'
   3
   4 { coreutils, gawk, homeless-gpg, lib, writeShellScript, }:
   5 keyfiles:
   6 writeShellScript "keyed-gpg" ''
   7   set -eo pipefail
   8
   9   keyring=$(${coreutils}/bin/mktemp)
  10   cleanup() { ${coreutils}/bin/rm "$keyring"; }
  11   trap cleanup EXIT
  12   ${homeless-gpg} --keyring="$keyring" --import ${lib.escapeShellArgs keyfiles}
  13
  14   trusted_key_args=()
  15   while read keyid;do
  16     trusted_key_args+=( --trusted-key "$keyid" )
  17   done < <(
  18     ${homeless-gpg} --with-colons --show-keys ${lib.escapeShellArgs keyfiles} |
  19       ${gawk}/bin/awk -F: '$1 == "pub" { print $5 }')
  20
  21   ${homeless-gpg} --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
  22 ''
  23