+++ /dev/null
-# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
-
-self: super: {
- keyedgit = keys:
- let
- keyfile = if builtins.isList keys then
- super.runCommand "keyfile" { } ''
- cat ${super.lib.escapeShellArgs keys} > $out
- ''
- else
- keys;
- homelessGPG = super.writeShellScript "homeless-gpg" ''
- export GNUPGHOME=$(mktemp -d)
- trap 'rm -r "$GNUPGHOME"' EXIT
- ${self.gnupg}/bin/gpg "$@"
- '';
- keyring = super.runCommand "keyedkeyring.gpg" { } ''
- ${homelessGPG} --no-default-keyring --keyring=$out --import ${keyfile}
- '';
- keyids = super.runCommand "keyids" { } ''
- ${homelessGPG} --no-default-keyring --with-colons --show-keys ${keyfile} |
- ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }' > $out
- '';
- keyedGPG = super.writeShellScript "keyed-gpg" ''
- trusted_key_args=()
- while read keyid;do
- trusted_key_args+=( --trusted-key "$keyid" )
- done < ${keyids}
- ${homelessGPG} --no-default-keyring --keyring=${keyring} "''${trusted_key_args[@]}" "$@"
- '';
- in super.symlinkJoin {
- name = "keyedgit";
- paths = [ self.git ];
- buildInputs = [ super.makeWrapper ];
- postBuild = ''
- wrapProgram "$out/bin/git" \
- --add-flags '-c gpg.program=${keyedGPG}'
- '';
- };
-}
projects / auto-upgrade-with-pinch / blobdiff