# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
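self: super: {
  # Build a `git` whose signature verification accepts exactly the supplied
  # OpenPGP keys and nothing else.
  #
  # keys: either a list of key files (concatenated into one keyfile) or a
  #       single keyfile (path or derivation) used as-is.
  # Returns: a symlinkJoin of `self.git` whose `git` binary is wrapped with
  #          `-c gpg.program=<keyed-gpg>`.
  keyedgit = keys:
    let
      # Normalise the `keys` argument into a single file of keys.
      keyfile = if builtins.isList keys then
        super.runCommand "keyfile" { } ''
          cat ${super.lib.escapeShellArgs keys} > $out
        ''
      else
        keys;
      # gpg with a throw-away GNUPGHOME, so the calling user's own keyring and
      # trust database never take part in a verification.
      homelessGPG = super.writeShellScript "homeless-gpg" ''
        # Assign before exporting: `export X=$(cmd)` returns export's status,
        # so a failed mktemp would silently fall through to gpg's default home.
        GNUPGHOME=$(mktemp -d) || exit 1
        export GNUPGHOME
        trap 'rm -r "$GNUPGHOME"' EXIT
        # NOTE(review): gpg may start an agent under this home; nothing here
        # stops it before the directory is removed -- confirm this is acceptable.
        ${self.gnupg}/bin/gpg "$@"
      '';
      # Keyring derivation containing only the supplied keys.
      keyring = super.runCommand "keyedkeyring.gpg" { } ''
        ${homelessGPG} --no-default-keyring --keyring=$out --import ${keyfile}
      '';
      # Long key IDs of the primary keys (field 5 of `pub` records, one per
      # line). Only primary keys are listed; subkeys are not.
      keyids = super.runCommand "keyids" { } ''
        ${homelessGPG} --no-default-keyring --with-colons --show-keys ${keyfile} |
          ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }' > $out
      '';
      # gpg restricted to `keyring`, with every listed key passed as
      # --trusted-key because the temporary home has no trust database.
      keyedGPG = super.writeShellScript "keyed-gpg" ''
        trusted_key_args=()
        while read -r keyid; do
          trusted_key_args+=( --trusted-key "$keyid" )
        done < ${keyids}
        ${homelessGPG} --no-default-keyring --keyring=${keyring} "''${trusted_key_args[@]}" "$@"
      '';
    in super.symlinkJoin {
      name = "keyedgit";
      paths = [ self.git ];
      buildInputs = [ super.makeWrapper ];
      # Every invocation of the wrapped git uses the keyed gpg, so
      # `git verify-commit` / `verify-tag` only succeed for the supplied keys.
      postBuild = ''
        wrapProgram "$out/bin/git" \
          --add-flags '-c gpg.program=${keyedGPG}'
      '';
    };
}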