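# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
#
# Nixpkgs overlay adding `keyedgit`: a function from an OpenPGP public key
# file to a `git` whose gpg.program knows only that key and treats it as
# ultimately trusted.
#
# Caveats for anyone relying on this as a verification gate:
#  * `--import` loads every key found in the file, but only the first `pub`
#    record's key ID is handed to --trusted-key. Keep the file to one key.
#  * The pin is injected as a leading `-c gpg.program=...`; a later `-c` on
#    the command line presumably still overrides it, so treat this as a
#    default rather than an enforcement boundary.
#  * gpg.program covers OpenPGP signatures only; a repository configured with
#    gpg.format=ssh or x509 uses a different program setting.
self: super:

{
  keyedgit = key:
    let
      # gpg with a throwaway home directory, so no trustdb, agent state or
      # configuration of the calling user takes part in verification.
      # The assignment is split from `export` so that a failing mktemp aborts
      # the script: `export VAR=$(cmd)` hides cmd's exit status, and an empty
      # GNUPGHOME makes gpg fall back to the caller's real home directory.
      homelessGPG = super.writeShellScript "homeless-gpg" ''
        GNUPGHOME=$(mktemp -d) || exit 1
        export GNUPGHOME
        trap 'rm -r "$GNUPGHOME"' EXIT
        ${self.gnupg}/bin/gpg "$@"
      '';

      # Keyring built once at build time; it holds only what `key` contains.
      keyring = super.runCommand "keyedkeyring.gpg" {} ''
        ${homelessGPG} --no-default-keyring --keyring=$out --import ${key}
      '';

      # Long key ID of the first primary key in `key` (field 5 of the
      # colon-format `pub` record). Matching on the record type avoids
      # picking up field 5 of some other leading record, and the build fails
      # instead of producing an empty trust anchor.
      keyid = super.runCommand "keyid" {} ''
        ${homelessGPG} --with-colons --show-keys ${key} \
          | awk -F: '$1 == "pub" { print $5; exit }' > $out
        if [ ! -s $out ]; then
          echo "keyedgit: no pub record with a key ID in ${key}" >&2
          exit 1
        fi
      '';

      # gpg restricted to the pinned keyring, with the pinned key marked as
      # ultimately trusted; all further arguments come from git.
      keyedGPG = super.writeShellScript "keyed-gpg" ''
        ${homelessGPG} --no-default-keyring --keyring=${keyring} --trusted-key "$(< ${keyid} )" "$@"
      '';
    in
    super.symlinkJoin {
      name = "keyedgit";
      paths = [ self.git ];
      buildInputs = [ super.makeWrapper ];
      # Only bin/git is wrapped; other entry points of the joined git package
      # are not given the pinned gpg.program by this step.
      postBuild = ''
        wrapProgram "$out/bin/git" \
          --add-flags '-c gpg.program=${keyedGPG}'
      '';
    };
}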