X-Git-Url: http://git.scottworley.com/auto-upgrade-with-pinch/blobdiff_plain/eff66a9c0a291e1760e04912a03b3548a7d2e40f..edaaa0c0ab2761711c3b9217a2c7396a56d6a54e:/pkgs/keyed-gpg.nix
diff --git a/pkgs/keyed-gpg.nix b/pkgs/keyed-gpg.nix
new file mode 100644
index 0000000..b675822
--- /dev/null
+++ b/pkgs/keyed-gpg.nix
@@ -0,0 +1,23 @@
+# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
+# Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc'
+
+{ coreutils, gawk, homeless-gpg, lib, writeShellScript, }:
+keyfiles:
+writeShellScript "keyed-gpg" ''
+ set -eo pipefail
+
+ keyring=$(${coreutils}/bin/mktemp)
+ cleanup() { ${coreutils}/bin/rm "$keyring"; }
+ trap cleanup EXIT
+ ${homeless-gpg} --keyring="$keyring" --import ${lib.escapeShellArgs keyfiles}
+
+ trusted_key_args=()
+ while read keyid;do
+ trusted_key_args+=( --trusted-key "$keyid" )
+ done < <(
+ ${homeless-gpg} --with-colons --show-keys ${lib.escapeShellArgs keyfiles} |
+ ${gawk}/bin/awk -F: '$1 == "pub" { print $5 }')
+
+ ${homeless-gpg} --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
+''
+
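Review bot: A failure of the key-listing pipeline inside `< <( … )` is not caught by `set -eo pipefail`, because bash does not propagate the exit status of a process substitution; the loop then reads nothing and the final gpg call runs with no `--trusted-key` arguments and no error. Assigning the pipeline's output to a variable first (`keyids=$( … )`, so that `set -e` and `pipefail` apply), rejecting an empty result with `[[ -n $keyids ]] || exit 1`, and feeding the loop with `done <<< "$keyids"` (with `read -r` in the loop) keeps that failure visible. Whether verification is confined to the imported keys depends on `homeless-gpg`, which is defined outside this file: `--keyring` adds a keyring rather than replacing the default one, so if the wrapper does not already isolate the GnuPG home, `--no-default-keyring` belongs on both calls that pass `--keyring`. The header comment also still shows a key file passed on the command line to `keyedgpg`, while in this file the key files are fixed by the Nix argument `keyfiles` and the script is named `keyed-gpg`.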