Trust the specified key
authorScott Worley <scottworley@scottworley.com>
Tue, 14 Apr 2020 23:14:28 +0000 (16:14 -0700)
committerScott Worley <scottworley@scottworley.com>
Mon, 18 May 2020 18:35:06 +0000 (11:35 -0700)
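--- a/overlays/keyedgit.nix
+++ b/overlays/keyedgit.nix
@@ -3,26 +3,27 @@
 self: super: {
   keyedgit = key:
     let
-      keyring = super.runCommand "keyedkeyring.gpg" {} ''
+      homelessGPG = super.writeShellScript "homeless-gpg" ''
         export GNUPGHOME=$(mktemp -d)
-        ${self.gnupg}/bin/gpg --no-default-keyring --keyring=$out --import ${key}
+        trap 'rm -r "$GNUPGHOME"' EXIT
+        ${self.gnupg}/bin/gpg "$@"
+      '';
+      keyring = super.runCommand "keyedkeyring.gpg" {} ''
+        ${homelessGPG} --no-default-keyring --keyring=$out --import ${key}
+      '';
+      keyid = super.runCommand "keyid" {} ''
+        ${homelessGPG} --with-colons --show-keys ${key} | awk -F: '{ print $5; exit }' > $out
+      '';
+      keyedGPG = super.writeShellScript "keyed-gpg" ''
+        ${homelessGPG} --no-default-keyring --keyring=${keyring} --trusted-key "$(< ${keyid} )" "$@"
       '';
-      keyedgpg = super.symlinkJoin {
-        name = "keyedgpg";
-        buildInputs = [ super.makeWrapper ];
-        paths = [ self.gnupg ];
-        postBuild = ''
-          wrapProgram "$out/bin/gpg" \
-            --add-flags '--no-default-keyring --keyring=${keyring}'
-        '';
-      };
     in super.symlinkJoin {
       name = "keyedgit";
       paths = [ self.git ];
       buildInputs = [ super.makeWrapper ];
       postBuild = ''
         wrapProgram "$out/bin/git" \
-          --add-flags '-c gpg.program=${keyedgpg}/bin/gpg'
+          --add-flags '-c gpg.program=${keyedGPG}'
       '';
     };
 }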
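Review bot: The `keyid` derivation takes field 5 of whatever the first `--with-colons --show-keys` record happens to be, so the value handed to `--trusted-key` depends on the record order gpg emits rather than on it being the primary key; matching the record type explicitly, `awk -F: '$1 == "pub" { print $5; exit }'`, makes the trust decision deterministic and fails loudly (empty output) if gpg changes its output. Field 5 of a `pub` record is the 64-bit key ID, which is weaker than the fingerprint gpg also prints on the `fpr` record (field 10); if the gnupg version in use accepts a fingerprint for `--trusted-key`, using it instead would avoid any key-ID ambiguity, though the keyring here holds only the imported key so the practical exposure looks small. In `homelessGPG`, `export GNUPGHOME=$(mktemp -d)` masks a failed `mktemp` with export's own exit status, after which gpg would run with an empty GNUPGHOME and the trap would run `rm -r ""`; splitting it into `GNUPGHOME=$(mktemp -d) || exit 1` and `export GNUPGHOME` closes that. The `keyid` pipeline's exit status is awk's unless the runCommand builder sets pipefail, which I believe stdenv does but is worth confirming, since an empty `$out` would otherwise surface only at `git verify` time as a bad `--trusted-key` argument.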