Keyed git - check signatures with a specified key
authorScott Worley <scottworley@scottworley.com>
Tue, 14 Apr 2020 22:53:08 +0000 (15:53 -0700)
committerScott Worley <scottworley@scottworley.com>
Mon, 18 May 2020 18:35:06 +0000 (11:35 -0700)
overlays/keyedgit.nix [new file with mode: 0644]

diff --git a/overlays/keyedgit.nix b/overlays/keyedgit.nix
new file mode 100644 (file)
index 0000000..bbc156b
--- /dev/null
@@ -0,0 +1,28 @@
+# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
+
+self: super: {
+  keyedgit = key:
+    let
+      keyring = super.runCommand "keyedkeyring.gpg" {} ''
+        export GNUPGHOME=$(mktemp -d)
+        ${self.gnupg}/bin/gpg --no-default-keyring --keyring=$out --import ${key}
+      '';
+      keyedgpg = super.symlinkJoin {
+        name = "keyedgpg";
+        buildInputs = [ super.makeWrapper ];
+        paths = [ self.gnupg ];
+        postBuild = ''
+          wrapProgram "$out/bin/gpg" \
+            --add-flags '--no-default-keyring --keyring=${keyring}'
+        '';
+      };
+    in super.symlinkJoin {
+      name = "keyedgit";
+      paths = [ self.git ];
+      buildInputs = [ super.makeWrapper ];
+      postBuild = ''
+        wrapProgram "$out/bin/git" \
+          --add-flags '-c gpg.program=${keyedgpg}/bin/gpg'
+      '';
+    };
+}
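Review bot: The wrapper's accepted-signer set is not strictly `${key}`, because `--no-default-keyring` (the `--add-flags` line in `keyedgpg`) only drops the default keyring — gpg still reads the user's `~/.gnupg/gpg.conf`, so `keyring` entries there would add further keyrings and an `auto-key-retrieve` setting would still let gpg try to fetch unknown signer keys; it is worth pinning this down, e.g. `--add-flags '--no-options --no-default-keyring --keyring=${keyring}'` (`--no-options` affects only gpg.conf, not gpg-agent's own configuration, as far as I can tell). The trust model also deserves a comment, since the freshly built keyring carries no ownertrust and git accepts a `GOODSIG` from any key in it regardless of trust level; something like `# Trust is keyring membership: any key imported from ${key} is accepted as a signer, independent of gpg ownertrust, so git's gpg.minTrustLevel must remain unset for this to verify` above `keyedgpg` would record that. Note too that `-c gpg.program=…` only governs the OpenPGP signature format; if a repository sets `gpg.format` to something else the keyed gpg is bypassed entirely, which the overlay does not guard against.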