# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
self: super: {
- keyedgit = key:
+ keyedgit = keys:
let
- keyring = super.runCommand "keyedkeyring.gpg" {} ''
+ keyfile = if builtins.isList keys then
+ super.runCommand "keyfile" { } ''
+ cat ${super.lib.escapeShellArgs keys} > $out
+ ''
+ else
+ keys;
+ homelessGPG = super.writeShellScript "homeless-gpg" ''
export GNUPGHOME=$(mktemp -d)
- ${self.gnupg}/bin/gpg --no-default-keyring --keyring=$out --import ${key}
+ trap 'rm -r "$GNUPGHOME"' EXIT
+ ${self.gnupg}/bin/gpg "$@"
+ '';
+ keyring = super.runCommand "keyedkeyring.gpg" { } ''
+ ${homelessGPG} --no-default-keyring --keyring=$out --import ${keyfile}
+ '';
+ keyids = super.runCommand "keyids" { } ''
+ ${homelessGPG} --no-default-keyring --with-colons --show-keys ${keyfile} |
+ ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }' > $out
+ '';
+ keyedGPG = super.writeShellScript "keyed-gpg" ''
+ trusted_key_args=()
+ while read keyid;do
+ trusted_key_args+=( --trusted-key "$keyid" )
+ done < ${keyids}
+ ${homelessGPG} --no-default-keyring --keyring=${keyring} "''${trusted_key_args[@]}" "$@"
'';
- keyedgpg = super.symlinkJoin {
- name = "keyedgpg";
- buildInputs = [ super.makeWrapper ];
- paths = [ self.gnupg ];
- postBuild = ''
- wrapProgram "$out/bin/gpg" \
- --add-flags '--no-default-keyring --keyring=${keyring}'
- '';
- };
in super.symlinkJoin {
name = "keyedgit";
paths = [ self.git ];
buildInputs = [ super.makeWrapper ];
postBuild = ''
wrapProgram "$out/bin/git" \
- --add-flags '-c gpg.program=${keyedgpg}/bin/gpg'
+ --add-flags '-c gpg.program=${keyedGPG}'
'';
};
}
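Review bot: The trusted-key list in `keyids` is built from every `pub` record of `keyfile` without looking at the validity field, so a revoked or expired key in the pinned set is still handed to `keyedGPG` as `--trusted-key`; gpg itself still reports signatures from such keys distinctly, but the pinning is clearer if the filter says so, e.g. `${self.gawk}/bin/awk -F: '$1 == "pub" && $2 !~ /[re]/ { print $5 }' > $out`. In `keyedGPG` the loop header `while read keyid;do` should be `while read -r keyid; do`; the IDs are hex so backslash mangling cannot happen today, but `-r` is the convention for line-reading loops. Separately, if a caller passes a list of path literals as `keys`, `super.lib.escapeShellArgs` stringifies them via `toString`, which does not carry the paths into the store, so the sandboxed `keyfile` build may be unable to read them — this is inferred from nixpkgs behaviour rather than visible here; interpolating each element as `"${k}"` (or wrapping it with `builtins.path`) before escaping keeps the store context. The old single-`key` call shape still works through the `else keys` branch, so the rename itself is backward-compatible.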