if [[ "$(prop requireSignature)" == true ]]; then
${pkgs.polite-merge}/bin/polite-merge \
- -c gpg.program='${pkgs.keyedgpg} '"$(prop 'signingKeys[]' | tr \\n ' ')"' --' \
+ -c gpg.program=${escapeShellArg (pkgs.keyedgpg cfg.signingKeys)} \
merge --ff-only --verify-signatures
else
${pkgs.polite-merge}/bin/polite-merge merge --ff-only
'';
};
+ signingKeys = mkOption {
+ type = types.listOf types.path;
+ description = ''
+ Files containing GPG keys that are authorized to sign updates.
+ Updates are only merged if the commit at the tip of the remote
+ ref is signed with one of these keys.
+ '';
+ };
+
upgradeConfig = mkOption {
type = types.listOf types.path;
description = ''
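Review bot: `signingKeys` is declared without a `default`, while the new `-c gpg.program=${escapeShellArg (pkgs.keyedgpg cfg.signingKeys)}` line is interpolated into the script unconditionally. A configuration that never enables `requireSignature` presumably still has to set the option for evaluation to succeed, and one that enables it can pass an empty list. How the wrapper treats an empty key set is not visible here, so I would add `default = [ ];` and reject an empty list whenever signatures are required; since `requireSignature` is still read at run time through `prop`, that check may have to sit in the `== true` branch of the script rather than in a module assertion. The option description should also say that only the tip commit is verified, so ancestors brought in by the fast-forward are trusted through the tip signature and not checked individually. The script string and the options set both start outside the lines shown.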