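# Following the instructions at
# https://tribut.de/blog/git-commit-signatures-trusted-keys
#
# Use with git as
#   git -c gpg.program='keyedgpg /path/to/keyfile.asc --' ...
# (the `--` separates the key files from the gpg arguments git appends;
# without it keyed-gpg prints its usage and exits 1).
self: super:
let
  # gpg that runs in a throw-away GNUPGHOME with no default keyring, so the
  # caller's own keys, trust database and agent state take no part in what
  # it verifies.  The directory is removed when the script exits.
  homelessGPG = super.writeShellScript "homeless-gpg" ''
    set -eo pipefail
    export GNUPGHOME=$(${self.coreutils}/bin/mktemp -d)
    trap '${self.coreutils}/bin/rm -r "$GNUPGHOME"' EXIT
    ${self.gnupg}/bin/gpg --no-default-keyring "$@"
  '';
in
{
  # keyed-gpg KEYFILE... -- GPG-ARGS...
  #
  # Runs gpg against a temporary keyring holding only the public keys found
  # in KEYFILE..., each passed to gpg via --trusted-key, so signatures from
  # exactly those keys validate as trusted without any web of trust.
  keyedgpg = super.writeShellScript "keyed-gpg" ''
    set -eo pipefail

    usage() {
      echo "usage: keyed-gpg /path/to/keyfile1.asc ... -- gpg-command..." >&2
      exit 1
    }

    # Everything before "--" is a key file; everything after it goes to gpg.
    incomplete=true
    keyfiles=()
    while (( $# > 0 )); do
      if [[ "$1" == -- ]]; then
        shift
        incomplete=false
        break
      fi
      if [[ ! -r "$1" ]]; then
        echo "keyed-gpg: cannot read key file: $1" >&2
        usage
      fi
      # Append as a new array element.  A bare `keyfiles+=$1` concatenates
      # onto element 0, merging every path into one unreadable name.
      keyfiles+=("$1")
      shift
    done
    if "$incomplete"; then
      usage
    fi

    keyring=$(${self.coreutils}/bin/mktemp)
    cleanup() { ${self.coreutils}/bin/rm -f "$keyring"; }
    trap cleanup EXIT

    ${homelessGPG} --keyring="$keyring" --import "''${keyfiles[@]}"

    # Field 5 of a "pub" record in --with-colons output is the long key ID.
    # It is unambiguous here because the keyring only holds the imported
    # keys.  Capturing through $(...) under pipefail makes a failing gpg or
    # awk abort the script instead of silently yielding no trusted keys.
    keyids=$(
      ${homelessGPG} --with-colons --show-keys "''${keyfiles[@]}" \
        | ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }'
    )
    trusted_key_args=()
    # Unquoted on purpose: key IDs are hex tokens, one per line.
    for keyid in $keyids; do
      trusted_key_args+=( --trusted-key "$keyid" )
    done
    # Fail closed: with no trusted keys gpg would still run and report any
    # signature as untrusted rather than as an error.
    if (( ''${#trusted_key_args[@]} == 0 )); then
      echo "keyed-gpg: no public keys found in: ''${keyfiles[*]}" >&2
      exit 1
    fi

    ${homelessGPG} --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
  '';
}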