X-Git-Url: http://git.scottworley.com/auto-upgrade-with-pinch/blobdiff_plain/3953b1663d82333958ea74bae17ba167360db226..c1430067aa042d9dd6e3b1e103d336094135eb97:/overlays/keyedgit.nix
diff --git a/overlays/keyedgit.nix b/overlays/keyedgit.nix
index bbc156b..6cce6fe 100644
--- a/overlays/keyedgit.nix
+++ b/overlays/keyedgit.nix
@@ -1,28 +1,40 @@
 # Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
 self: super: {
- keyedgit = key:
+ keyedgit = keys:
 let
- keyring = super.runCommand "keyedkeyring.gpg" {} ''
+ keyfile = if builtins.isList keys then
+ super.runCommand "keyfile" { } ''
+ cat ${super.lib.escapeShellArgs keys} > $out
+ ''
+ else
+ keys;
+ homelessGPG = super.writeShellScript "homeless-gpg" ''
 export GNUPGHOME=$(mktemp -d)
- ${self.gnupg}/bin/gpg --no-default-keyring --keyring=$out --import ${key}
+ trap 'rm -r "$GNUPGHOME"' EXIT
+ ${self.gnupg}/bin/gpg "$@"
+ '';
+ keyring = super.runCommand "keyedkeyring.gpg" { } ''
+ ${homelessGPG} --no-default-keyring --keyring=$out --import ${keyfile}
+ '';
+ keyids = super.runCommand "keyids" { } ''
+ ${homelessGPG} --no-default-keyring --with-colons --show-keys ${keyfile} |
+ ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }' > $out
+ '';
+ keyedGPG = super.writeShellScript "keyed-gpg" ''
+ trusted_key_args=()
+ while read keyid;do
+ trusted_key_args+=( --trusted-key "$keyid" )
+ done < ${keyids}
+ ${homelessGPG} --no-default-keyring --keyring=${keyring} "''${trusted_key_args[@]}" "$@"
 '';
- keyedgpg = super.symlinkJoin {
- name = "keyedgpg";
- buildInputs = [ super.makeWrapper ];
- paths = [ self.gnupg ];
- postBuild = ''
- wrapProgram "$out/bin/gpg" \
- --add-flags '--no-default-keyring --keyring=${keyring}'
- '';
- };
 in super.symlinkJoin {
 name = "keyedgit";
 paths = [ self.git ];
 buildInputs = [ super.makeWrapper ];
 postBuild = ''
 wrapProgram "$out/bin/git" \
- --add-flags '-c gpg.program=${keyedgpg}/bin/gpg'
+ --add-flags '-c gpg.program=${keyedGPG}'
 '';
 };
 }
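Review bot: In the new `homelessGPG` script, `export GNUPGHOME=$(mktemp -d)` masks a failing `mktemp` (the exit status seen is that of `export`), and since `writeShellScript` does not enable `set -e`, gpg would then run with an empty `GNUPGHOME` and the `trap` would `rm -r ""`; split it as `GNUPGHOME=$(mktemp -d) || exit 1` followed by `export GNUPGHOME` so a failure aborts before any key material is touched. The `keyids` step derives the `--trusted-key` arguments from field 5 of the `pub` records (the long key ID), which is what `--trusted-key` expects; note that this marks those keys as ultimately trusted, so any key they have certified that is also present in the keyring becomes valid too — harmless here because `keyring` is built only from `keyfile`, but worth a comment such as `# trusted-key grants ultimate trust; keyring holds only the supplied keys, so nothing else can become valid`. Because every invocation runs in a fresh, empty `GNUPGHOME` with the keyring in the read-only store, the wrapped `git` can verify but cannot sign (no secret keys); I would state that intent in the header comment of the file, e.g. `# keyedgit is verification-only: signing needs secret keys, which the ephemeral GNUPGHOME never contains`.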