diff --git a/overlays/keyedgpg.nix b/overlays/keyedgpg.nix
new file mode 100644 (file)
index 0000000..202abb3
--- /dev/null
@@ -0,0 +1,54 @@
+# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
+# Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc'
+
+self: super:
+let
+  homelessGPG = super.writeShellScript "homeless-gpg" ''
+    set -eo pipefail
+
+    export GNUPGHOME=$(${self.coreutils}/bin/mktemp -d)
+    trap '${self.coreutils}/bin/rm -r "$GNUPGHOME"' EXIT
+    ${self.gnupg}/bin/gpg --no-default-keyring "$@"
+  '';
+in {
+  keyedgpg = super.writeShellScript "keyed-gpg" ''
+    set -eo pipefail
+
+    usage() {
+      echo "usage: keyed-gpg /path/to/keyfile1.asc ... -- gpg-command..." >&2
+      exit 1
+    }
+
+    incomplete=true
+    keyfiles=()
+    while (( $# > 0 ));do
+      if [[ "$1" == -- ]];then
+        shift
+        incomplete=false
+        break
+      fi
+      if [[ ! -r "$1" ]];then
+        usage
+      fi
+      keyfiles+=$1
+      shift
+    done
+    if "$incomplete";then
+      usage
+    fi
+
+    keyring=$(${self.coreutils}/bin/mktemp)
+    cleanup() { ${self.coreutils}/bin/rm "$keyring"; }
+    trap cleanup EXIT
+    ${homelessGPG} --keyring="$keyring" --import "''${keyfiles[@]}"
+
+    trusted_key_args=()
+    while read keyid;do
+      trusted_key_args+=( --trusted-key "$keyid" )
+    done < <(
+      ${homelessGPG} --with-colons --show-keys "''${keyfiles[@]}" |
+        ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }')
+
+    ${homelessGPG} --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
+  '';
+}
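Review bot: `keyfiles+=$1` in the argument loop is a string append onto `keyfiles[0]`, not an array push, so with two or more key files the paths are concatenated into a single element and the later `--import "${keyfiles[@]}"` / `--show-keys "${keyfiles[@]}"` calls receive one non-existent path; it should be `keyfiles+=("$1")`. The single-key case works by accident, which is why this is easy to miss. The `while read keyid` loop would also be tidier as `while read -r keyid` even though gpg's key IDs contain no backslashes. Since every `pub` key ID found in the supplied files is passed as `--trusted-key` (ultimate trust for that gpg run), a sentence in the header comment stating that the key files themselves are the trust root would help readers understand why the files must be protected from modification.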