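# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
# Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc'
#
# Builds a wrapper script that imports `keyfiles` into a throwaway keyring and
# then runs gpg with every public key found in those files passed as
# --trusted-key.
# NOTE(review): in this Nix version the key files are fixed at build time via
# the `keyfiles` argument (a list, passed through lib.escapeShellArgs); every
# runtime argument of the script is forwarded to gpg unchanged.
{
  coreutils,
  gawk,
  homeless-gpg,
  lib,
  writeShellScript,
}:
keyfiles:
writeShellScript "keyed-gpg" ''
  set -eo pipefail

  # Throwaway keyring, removed again on every exit path.
  keyring=$(${coreutils}/bin/mktemp)
  cleanup() { ${coreutils}/bin/rm -f -- "$keyring"; }
  trap cleanup EXIT

  # NOTE(review): --keyring adds a keyring to gpg's list, it does not replace
  # the default one. Restricting verification to `keyfiles` therefore depends
  # on homeless-gpg not exposing any other keyring - confirm, or also pass
  # --no-default-keyring.
  ${homeless-gpg} --keyring="$keyring" --import ${lib.escapeShellArgs keyfiles}

  # Collect the key IDs with a command substitution rather than a process
  # substitution: the exit status of <( ... ) is ignored by `set -e`, so a
  # failing key listing would otherwise continue with no trusted keys.
  keyids=$(
    ${homeless-gpg} --with-colons --show-keys ${lib.escapeShellArgs keyfiles} |
      ${gawk}/bin/awk -F: '$1 == "pub" { print $5 }'
  )

  trusted_key_args=()
  while read -r keyid; do
    # A here-string always yields one line, even when keyids is empty.
    [[ -n "$keyid" ]] || continue
    trusted_key_args+=( --trusted-key "$keyid" )
  done <<< "$keyids"

  ${homeless-gpg} --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
''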