git.scottworley.com Git - auto-upgrade-with-pinch/blob - overlays/keyedgit.nix

   1 # Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
   2
   3 self: super: {
   4   keyedgit = keys:
   5     let
   6       homelessGPG = super.writeShellScript "homeless-gpg" ''
   7         export GNUPGHOME=$(mktemp -d)
   8         trap 'rm -r "$GNUPGHOME"' EXIT
   9         ${self.gnupg}/bin/gpg "$@"
  10       '';
  11       keyring = super.runCommand "keyedkeyring.gpg" {} ''
  12         ${homelessGPG} --no-default-keyring --keyring=$out --import ${keys}
  13       '';
  14       keyids = super.runCommand "keyids" {} ''
  15         ${homelessGPG} --no-default-keyring --with-colons --show-keys ${keys} |
  16           ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }' > $out
  17       '';
  18       keyedGPG = super.writeShellScript "keyed-gpg" ''
  19         trusted_key_args=()
  20         while read keyid;do
  21           trusted_key_args+=( --trusted-key "$keyid" )
  22         done < ${keyids}
  23         ${homelessGPG} --no-default-keyring --keyring=${keyring} "''${trusted_key_args[@]}" "$@"
  24       '';
  25     in super.symlinkJoin {
  26       name = "keyedgit";
  27       paths = [ self.git ];
  28       buildInputs = [ super.makeWrapper ];
  29       postBuild = ''
  30         wrapProgram "$out/bin/git" \
  31           --add-flags '-c gpg.program=${keyedGPG}'
  32       '';
  33     };
  34 }