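# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
#
# A Nix function: apply it to a list of public-key files and it yields a gpg
# wrapper that verifies against exactly those keys (each primary key in the
# files is marked --trusted-key). Use the resulting script as git's
# gpg.program, e.g. `git -c gpg.program=<result> verify-commit <rev>`; the
# key files are baked in at build time, not passed on the command line.

{
  coreutils,
  gawk,
  homeless-gpg,
  lib,
  writeShellScript,
}:
keyfiles:
writeShellScript "keyed-gpg" ''
  set -eo pipefail

  # Throw-away keyring holding only the pinned keys; removed on any exit.
  keyring=$(${coreutils}/bin/mktemp)
  cleanup() { ${coreutils}/bin/rm "$keyring"; }
  trap cleanup EXIT
  # --no-default-keyring: --keyring alone only *adds* to gpg's keyring list,
  # so without it gpg may also consult (and import into) the default keyring
  # in its home directory rather than the one we pin to.
  ${homeless-gpg} --no-default-keyring --keyring="$keyring" --import ${lib.escapeShellArgs keyfiles}

  # Long key IDs of every primary key in the key files ("pub" records,
  # field 5 of --with-colons output). A command substitution is used instead
  # of a process substitution so that set -e / pipefail see a failure here;
  # with `done < <(...)` a failing gpg would be ignored and the final gpg
  # call would silently run with no trusted keys at all.
  keyids=$(
    ${homeless-gpg} --with-colons --show-keys ${lib.escapeShellArgs keyfiles} |
      ${gawk}/bin/awk -F: '$1 == "pub" { print $5 }')
  if [ -z "$keyids" ]; then
    echo "keyed-gpg: no public keys found in the configured key files" >&2
    exit 1
  fi

  trusted_key_args=()
  while read -r keyid; do
    # Skip blank lines so we never emit an empty --trusted-key argument.
    [ -n "$keyid" ] || continue
    trusted_key_args+=( --trusted-key "$keyid" )
  done <<< "$keyids"

  ${homeless-gpg} --no-default-keyring --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
''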