`git -c gpg.program=` cannot pass arguments to the configured program, so the key list is fixed when the wrapper script is built.
Another possibility from here, to keep this dynamic, would be to pass the
list of signing keys through the environment.
if [[ "$(prop requireSignature)" == true ]]; then
${pkgs.polite-merge}/bin/polite-merge \
- -c gpg.program='${pkgs.keyedgpg} '"$(prop 'signingKeys[]' | tr \\n ' ')"' --' \
+ -c gpg.program=${escapeShellArg (pkgs.keyedgpg cfg.signingKeys)} \
merge --ff-only --verify-signatures
else
${pkgs.polite-merge}/bin/polite-merge merge --ff-only
'';
};
+ signingKeys = mkOption {
+ type = types.listOf types.path;
+ description = ''
+ Files containing GPG keys that are authorized to sign updates.
+ Updates are only merged if the commit at the tip of the remote
+ ref is signed with one of these keys.
+ '';
+ };
+
upgradeConfig = mkOption {
type = types.listOf types.path;
description = ''
${self.gnupg}/bin/gpg --no-default-keyring "$@"
'';
in {
- keyedgpg = super.writeShellScript "keyed-gpg" ''
+ keyedgpg = keyfiles: super.writeShellScript "keyed-gpg" ''
set -eo pipefail
- usage() {
- echo "usage: keyed-gpg /path/to/keyfile1.asc ... -- gpg-command..." >&2
- exit 1
- }
-
- incomplete=true
- keyfiles=()
- while (( $# > 0 ));do
- if [[ "$1" == -- ]];then
- shift
- incomplete=false
- break
- fi
- if [[ ! -r "$1" ]];then
- usage
- fi
- keyfiles+=$1
- shift
- done
- if "$incomplete";then
- usage
- fi
-
keyring=$(${self.coreutils}/bin/mktemp)
cleanup() { ${self.coreutils}/bin/rm "$keyring"; }
trap cleanup EXIT
- ${homelessGPG} --keyring="$keyring" --import "''${keyfiles[@]}"
+ ${homelessGPG} --keyring="$keyring" --import ${self.lib.escapeShellArgs keyfiles}
trusted_key_args=()
while read keyid;do
trusted_key_args+=( --trusted-key "$keyid" )
done < <(
- ${homelessGPG} --with-colons --show-keys "''${keyfiles[@]}" |
+ ${homelessGPG} --with-colons --show-keys ${self.lib.escapeShellArgs keyfiles} |
${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }')
${homelessGPG} --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
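Review bot: The trusted-key list is collected from a process substitution, so `set -eo pipefail` never sees a failure of the `--show-keys | awk` pipeline; if no `pub` line is produced (an unreadable or non-key file, or a gpg older than 2.1.23 that lacks `--show-keys`), `trusted_key_args` is empty and the final gpg call runs with imported but untrusted keys, failing only later and with a confusing message from git. I would fail fast after the loop with `if (( ''${#trusted_key_args[@]} == 0 )); then echo "keyed-gpg: no public keys found in signing key files" >&2; exit 1; fi` (the `''${` is the Nix escape for a literal `${`). Separately, writing to a legacy-format `--keyring` file may leave a `$keyring~` backup that `rm "$keyring"` does not remove, so a `mktemp -d` scratch directory removed with `rm -rf` in `cleanup` would be more robust — worth confirming against the gpg version in use. The `keyedgpg` definition and the enclosing overlay close outside this hunk.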
specifed in <literal>signingKeys</literal>.
'';
};
- signingKeys = mkOption {
- type = types.listOf types.path;
- description = ''
- Files containing GPG keys that are authorized to sign updates.
- Updates are only merged if the commit at the tip of the remote
- ref is signed with one of these keys.
- '';
- };
};
});
example = {
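Review bot: The new `signingKeys` option description does not tell the operator that these files become world-readable: as `types.path` values interpolated into the `pkgs.keyedgpg` script they are copied into the Nix store, so they must contain public keys only, and every `pub` entry in each file is granted trust, not just the first. I would extend the description with `Only public keys belong here: the files are copied into the world-readable Nix store, and every public key found in them is trusted to sign updates.` The `merge --ff-only --verify-signatures` path verifies only the tip commit of the remote ref, which the description already states correctly. The enclosing options block starts outside this hunk.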