git.scottworley.com Git - auto-upgrade-with-pinch/blob - overlays/keyedgit.nix

   1 # Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
   2
   3 self: super: {
   4   keyedgit = keys:
   5     let
   6       keyfile = if builtins.isList keys then
   7         super.runCommand "keyfile" { } ''
   8           cat ${super.lib.escapeShellArgs keys} > $out
   9         ''
  10       else
  11         keys;
  12       homelessGPG = super.writeShellScript "homeless-gpg" ''
  13         export GNUPGHOME=$(mktemp -d)
  14         trap 'rm -r "$GNUPGHOME"' EXIT
  15         ${self.gnupg}/bin/gpg "$@"
  16       '';
  17       keyring = super.runCommand "keyedkeyring.gpg" { } ''
  18         ${homelessGPG} --no-default-keyring --keyring=$out --import ${keyfile}
  19       '';
  20       keyids = super.runCommand "keyids" { } ''
  21         ${homelessGPG} --no-default-keyring --with-colons --show-keys ${keyfile} |
  22           ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }' > $out
  23       '';
  24       keyedGPG = super.writeShellScript "keyed-gpg" ''
  25         trusted_key_args=()
  26         while read keyid;do
  27           trusted_key_args+=( --trusted-key "$keyid" )
  28         done < ${keyids}
  29         ${homelessGPG} --no-default-keyring --keyring=${keyring} "''${trusted_key_args[@]}" "$@"
  30       '';
  31     in super.symlinkJoin {
  32       name = "keyedgit";
  33       paths = [ self.git ];
  34       buildInputs = [ super.makeWrapper ];
  35       postBuild = ''
  36         wrapProgram "$out/bin/git" \
  37           --add-flags '-c gpg.program=${keyedGPG}'
  38       '';
  39     };
  40 }