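# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
#
# Overlay providing `keyedgit`: a function that wraps `git` so that every gpg
# call git makes (commit/tag signature verification and signing) runs against
# a fixed, build-time keyring instead of the caller's ~/.gnupg.  The keys
# handed to `keyedgit` are the only keys gpg ever sees, and each of them is
# passed as `--trusted-key`, which per the gpg manual makes gpg treat it as
# trustworthy as one of the user's own keys; gpg's usual expiry/revocation
# checks still apply to them.
#
# `keys` is either a single path to a file of public keys, or a list of such
# paths (concatenated into one file at build time).
self: super: {
  keyedgit = keys:
    let
      # One key file for gpg to consume.  A list is concatenated inside a
      # derivation so the result is a store path like any other input.
      keyfile =
        if builtins.isList keys then
          super.runCommand "keyfile" { } ''
            cat ${super.lib.escapeShellArgs keys} > $out
          ''
        else
          keys;

      # gpg with a throw-away GNUPGHOME, so neither the build sandbox's nor
      # the user's keyring/trustdb can influence the result.
      # `export VAR=$(cmd)` hides cmd's exit status, so the assignment and the
      # export are split: under `set -e` a failed mktemp aborts instead of
      # running gpg with GNUPGHOME="" and later `rm -r ""`.
      # `rm -rf` rather than `rm -r`: the cleanup must never prompt or fail on
      # the agent socket/lock files gpg leaves in the directory.
      # NOTE(review): a gpg-agent started for this GNUPGHOME may outlive the
      # script; `gpgconf --kill gpg-agent` before the rm would stop it — verify
      # whether that is needed with the pinned gnupg version.
      homelessGPG = super.writeShellScript "homeless-gpg" ''
        set -eu
        GNUPGHOME=$(mktemp -d)
        export GNUPGHOME
        trap 'rm -rf "$GNUPGHOME"' EXIT
        ${self.gnupg}/bin/gpg "$@"
      '';

      # Build-time keyring holding exactly the keys from `keyfile`.
      # (The ".gpg" suffix presumably selects the classic keyring format
      # rather than a keybox — confirm against the gnupg version in use.)
      keyring = super.runCommand "keyedkeyring.gpg" { } ''
        ${homelessGPG} --no-default-keyring --keyring=$out --import ${keyfile}
      '';

      # Long key IDs of every primary ("pub") key in `keyfile`, one per line.
      # Field 5 of a `--with-colons` "pub" record is the long key ID, which is
      # the form `--trusted-key` expects.
      keyids = super.runCommand "keyids" { } ''
        ${homelessGPG} --no-default-keyring --with-colons --show-keys ${keyfile} \
          | ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }' > $out
      '';

      # gpg bound to `keyring`, with every key ID from `keyids` supplied as
      # `--trusted-key`; without that, the empty trustdb of the temporary
      # GNUPGHOME would leave every signature "untrusted".  All further
      # arguments come from git (e.g. --status-fd=1 --verify ...).
      # `read -r` with IFS cleared and an emptiness guard: a trailing blank
      # line must not become `--trusted-key ""`.
      keyedGPG = super.writeShellScript "keyed-gpg" ''
        set -e
        trusted_key_args=()
        while IFS= read -r keyid; do
          if [ -n "$keyid" ]; then
            trusted_key_args+=( --trusted-key "$keyid" )
          fi
        done < ${keyids}
        ${homelessGPG} --no-default-keyring --keyring=${keyring} "''${trusted_key_args[@]}" "$@"
      '';
    in
    super.symlinkJoin {
      name = "keyedgit";
      paths = [ self.git ];
      buildInputs = [ super.makeWrapper ];
      # Route every git invocation's gpg calls through keyedGPG.  makeWrapper
      # prepends this `-c` to the user's arguments, so a later
      # `-c gpg.program=...` on the same command line would still take
      # precedence — this sets a default, it is not a hard lock.
      postBuild = ''
        wrapProgram "$out/bin/git" \
          --add-flags '-c gpg.program=${keyedGPG}'
      '';
    };
}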