]> git.scottworley.com Git - auto-upgrade-with-pinch/commitdiff
Make signingKeys static again
authorScott Worley <scottworley@scottworley.com>
Wed, 10 Jun 2020 23:12:27 +0000 (16:12 -0700)
committerScott Worley <scottworley@scottworley.com>
Wed, 10 Jun 2020 23:12:27 +0000 (16:12 -0700)
git -c gpg.program= cannot pass arguments.

Another possibility from here to keep this dynamic would be to pass the
list of signing keys through the environment.

modules/auto-upgrade.nix
overlays/keyedgpg.nix
upgrade-config.nix

index 7e48c40d137bc978adffa38651f42b64f48ef41d..56d15d9202bfa8c783c5bec5a0ef03e02c0a3b30 100644 (file)
@@ -51,7 +51,7 @@ let
 
       if [[ "$(prop requireSignature)" == true ]]; then
         ${pkgs.polite-merge}/bin/polite-merge \
 
       if [[ "$(prop requireSignature)" == true ]]; then
         ${pkgs.polite-merge}/bin/polite-merge \
-          -c gpg.program='${pkgs.keyedgpg} '"$(prop 'signingKeys[]' | tr \\n ' ')"' --' \
+          -c gpg.program=${escapeShellArg (pkgs.keyedgpg cfg.signingKeys)} \
           merge --ff-only --verify-signatures
       else
         ${pkgs.polite-merge}/bin/polite-merge merge --ff-only
           merge --ff-only --verify-signatures
       else
         ${pkgs.polite-merge}/bin/polite-merge merge --ff-only
@@ -218,6 +218,15 @@ in {
         '';
       };
 
         '';
       };
 
+      signingKeys = mkOption {
+        type = types.listOf types.path;
+        description = ''
+          Files containing GPG keys that are authorized to sign updates.
+          Updates are only merged if the commit at the tip of the remote
+          ref is signed with one of these keys.
+        '';
+      };
+
       upgradeConfig = mkOption {
         type = types.listOf types.path;
         description = ''
       upgradeConfig = mkOption {
         type = types.listOf types.path;
         description = ''
index 202abb380f2637d6a9e74277b7bf9a0b943681e8..a78062ffae92acf0a14ee88e3033ccdc0c232bfc 100644 (file)
@@ -11,42 +11,19 @@ let
     ${self.gnupg}/bin/gpg --no-default-keyring "$@"
   '';
 in {
     ${self.gnupg}/bin/gpg --no-default-keyring "$@"
   '';
 in {
-  keyedgpg = super.writeShellScript "keyed-gpg" ''
+  keyedgpg = keyfiles: super.writeShellScript "keyed-gpg" ''
     set -eo pipefail
 
     set -eo pipefail
 
-    usage() {
-      echo "usage: keyed-gpg /path/to/keyfile1.asc ... -- gpg-command..." >&2
-      exit 1
-    }
-
-    incomplete=true
-    keyfiles=()
-    while (( $# > 0 ));do
-      if [[ "$1" == -- ]];then
-        shift
-        incomplete=false
-        break
-      fi
-      if [[ ! -r "$1" ]];then
-        usage
-      fi
-      keyfiles+=$1
-      shift
-    done
-    if "$incomplete";then
-      usage
-    fi
-
     keyring=$(${self.coreutils}/bin/mktemp)
     cleanup() { ${self.coreutils}/bin/rm "$keyring"; }
     trap cleanup EXIT
     keyring=$(${self.coreutils}/bin/mktemp)
     cleanup() { ${self.coreutils}/bin/rm "$keyring"; }
     trap cleanup EXIT
-    ${homelessGPG} --keyring="$keyring" --import "''${keyfiles[@]}"
+    ${homelessGPG} --keyring="$keyring" --import ${self.lib.escapeShellArgs keyfiles}
 
     trusted_key_args=()
     while read keyid;do
       trusted_key_args+=( --trusted-key "$keyid" )
     done < <(
 
     trusted_key_args=()
     while read keyid;do
       trusted_key_args+=( --trusted-key "$keyid" )
     done < <(
-      ${homelessGPG} --with-colons --show-keys "''${keyfiles[@]}" |
+      ${homelessGPG} --with-colons --show-keys ${self.lib.escapeShellArgs keyfiles} |
         ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }')
 
     ${homelessGPG} --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
         ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }')
 
     ${homelessGPG} --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
index e9962ebbee18662ac1fd902ffd71e3f466cc7c92..2ce8829a007e7e36a3cfd84572b5640106229220 100644 (file)
@@ -84,14 +84,6 @@ evalModules {
                 specifed in <literal>signingKeys</literal>.
               '';
             };
                 specifed in <literal>signingKeys</literal>.
               '';
             };
-            signingKeys = mkOption {
-              type = types.listOf types.path;
-              description = ''
-                Files containing GPG keys that are authorized to sign updates.
-                Updates are only merged if the commit at the tip of the remote
-                ref is signed with one of these keys.
-              '';
-            };
           };
         });
         example = {
           };
         });
         example = {