# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys

self: super: {
  keyedgit = key:
    let
      keyring = super.runCommand "keyedkeyring.gpg" {} ''
        export GNUPGHOME=$(mktemp -d)
        ${self.gnupg}/bin/gpg --no-default-keyring --keyring=$out --import ${key}
      '';
      keyedgpg = super.symlinkJoin {
        name = "keyedgpg";
        buildInputs = [ super.makeWrapper ];
        paths = [ self.gnupg ];
        postBuild = ''
          wrapProgram "$out/bin/gpg" \
            --add-flags '--no-default-keyring --keyring=${keyring}'
        '';
      };
    in super.symlinkJoin {
      name = "keyedgit";
      paths = [ self.git ];
      buildInputs = [ super.makeWrapper ];
      postBuild = ''
        wrapProgram "$out/bin/git" \
          --add-flags '-c gpg.program=${keyedgpg}/bin/gpg'
      '';
    };
}