]> git.scottworley.com Git - auto-upgrade-with-pinch/blobdiff - pkgs/keyed-gpg.nix
projects / auto-upgrade-with-pinch / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Use local pkgs instead of overlays
[auto-upgrade-with-pinch] / pkgs / keyed-gpg.nix
diff --git a/pkgs/keyed-gpg.nix b/pkgs/keyed-gpg.nix
new file mode 100644 (file)
index 0000000..b675822
--- /dev/null
+++ b/pkgs/keyed-gpg.nix
@@ -0,0 +1,23 @@
+# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
+# Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc'
+
+{ coreutils, gawk, homeless-gpg, lib, writeShellScript, }:
+keyfiles:
+writeShellScript "keyed-gpg" ''
+  set -eo pipefail
+
+  keyring=$(${coreutils}/bin/mktemp)
+  cleanup() { ${coreutils}/bin/rm "$keyring"; }
+  trap cleanup EXIT
+  ${homeless-gpg} --keyring="$keyring" --import ${lib.escapeShellArgs keyfiles}
+
+  trusted_key_args=()
+  while read keyid;do
+    trusted_key_args+=( --trusted-key "$keyid" )
+  done < <(
+    ${homeless-gpg} --with-colons --show-keys ${lib.escapeShellArgs keyfiles} |
+      ${gawk}/bin/awk -F: '$1 == "pub" { print $5 }')
+
+  ${homeless-gpg} --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
+''
+
Automatic NixOS upgrades with pinch