git.scottworley.com Git - auto-upgrade-with-pinch/blob - overlays/keyedgpg.nix

   1 # Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
   2 # Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc'
   3
   4 self: super:
   5 let
   6   homelessGPG = super.writeShellScript "homeless-gpg" ''
   7     set -eo pipefail
   8
   9     export GNUPGHOME=$(${self.coreutils}/bin/mktemp -d)
  10     trap '${self.coreutils}/bin/rm -r "$GNUPGHOME"' EXIT
  11     ${self.gnupg}/bin/gpg --no-default-keyring "$@"
  12   '';
  13 in {
  14   keyedgpg = super.writeShellScript "keyed-gpg" ''
  15     set -eo pipefail
  16
  17     usage() {
  18       echo "usage: keyed-gpg /path/to/keyfile1.asc ... -- gpg-command..." >&2
  19       exit 1
  20     }
  21
  22     incomplete=true
  23     keyfiles=()
  24     while (( $# > 0 ));do
  25       if [[ "$1" == -- ]];then
  26         shift
  27         incomplete=false
  28         break
  29       fi
  30       if [[ ! -r "$1" ]];then
  31         usage
  32       fi
  33       keyfiles+=$1
  34       shift
  35     done
  36     if "$incomplete";then
  37       usage
  38     fi
  39
  40     keyring=$(${self.coreutils}/bin/mktemp)
  41     cleanup() { ${self.coreutils}/bin/rm "$keyring"; }
  42     trap cleanup EXIT
  43     ${homelessGPG} --keyring="$keyring" --import "''${keyfiles[@]}"
  44
  45     trusted_key_args=()
  46     while read keyid;do
  47       trusted_key_args+=( --trusted-key "$keyid" )
  48     done < <(
  49       ${homelessGPG} --with-colons --show-keys "''${keyfiles[@]}" |
  50         ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }')
  51
  52     ${homelessGPG} --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
  53   '';
  54 }