git.scottworley.com Git - auto-upgrade-with-pinch/blob - overlays/keyedgit.nix

   1 # Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
   2
   3 self: super: {
   4   keyedgit = key:
   5     let
   6       homelessGPG = super.writeShellScript "homeless-gpg" ''
   7         export GNUPGHOME=$(mktemp -d)
   8         trap 'rm -r "$GNUPGHOME"' EXIT
   9         ${self.gnupg}/bin/gpg "$@"
  10       '';
  11       keyring = super.runCommand "keyedkeyring.gpg" {} ''
  12         ${homelessGPG} --no-default-keyring --keyring=$out --import ${key}
  13       '';
  14       keyid = super.runCommand "keyid" {} ''
  15         ${homelessGPG} --with-colons --show-keys ${key} | awk -F: '{ print $5; exit }' > $out
  16       '';
  17       keyedGPG = super.writeShellScript "keyed-gpg" ''
  18         ${homelessGPG} --no-default-keyring --keyring=${keyring} --trusted-key "$(< ${keyid} )" "$@"
  19       '';
  20     in super.symlinkJoin {
  21       name = "keyedgit";
  22       paths = [ self.git ];
  23       buildInputs = [ super.makeWrapper ];
  24       postBuild = ''
  25         wrapProgram "$out/bin/git" \
  26           --add-flags '-c gpg.program=${keyedGPG}'
  27       '';
  28     };
  29 }