Accept multiple signing keys
authorScott Worley <scottworley@scottworley.com>
Wed, 20 May 2020 04:05:08 +0000 (21:05 -0700)
committerScott Worley <scottworley@scottworley.com>
Wed, 20 May 2020 04:05:08 +0000 (21:05 -0700)
modules/auto-upgrade.nix
overlays/keyedgit.nix

index 8bf21aaaf988c5d3b0b5d6648ca403785276d05f..66d857f74a1d1f9ce7e21750a7ba3f84abceafe2 100644 (file)
@@ -28,7 +28,7 @@ let
         # Update channels
         (
           cd /etc/nixos
-          ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
+          ${pkgs.keyedgit cfg.keys}/bin/git pull --ff-only --verify-signatures
           ${pkgs.pinch}/bin/pinch update channels
         )
 
@@ -71,11 +71,12 @@ in {
         '';
       };
 
-      key = mkOption {
+      keys = mkOption {
         type = types.path;
         description = ''
-          GPG key that signs updates.  Updates are only merged if the commit
-          at the tip of the remote branch is signed with this key.
+          File containing GPG keys that sign updates.  Updates are only merged
+          if the commit at the tip of the remote branch is signed with one of
+          these keys.
         '';
       };
 
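Review bot: Renaming the option from `key` to `keys` makes every existing configuration that sets the old name fail to evaluate, and the hunk adds no compatibility alias. A `mkRenamedOptionModule [ <option-prefix> "key" ] [ <option-prefix> "keys" ]` entry in the module's `imports` (outside this hunk; the option path prefix is not visible here) would migrate users with a deprecation warning instead of a hard error. The new description could also make the trust consequence explicit, since the companion keyedgit change passes every fingerprint found in this file as `--trusted-key`: `Every key in this file is fully trusted for signature verification, so changes to it should be reviewed as carefully as the rest of the configuration.`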
index bf260e7d9abf34f8dedc1142eb6cf28312522f0a..a4465dcf493328d12f3b53b33b5f18ecfa8de3ff 100644 (file)
@@ -1,7 +1,7 @@
 # Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
 
 self: super: {
-  keyedgit = key:
+  keyedgit = keys:
     let
       homelessGPG = super.writeShellScript "homeless-gpg" ''
         export GNUPGHOME=$(mktemp -d)
@@ -9,13 +9,18 @@ self: super: {
         ${self.gnupg}/bin/gpg "$@"
       '';
       keyring = super.runCommand "keyedkeyring.gpg" {} ''
-        ${homelessGPG} --no-default-keyring --keyring=$out --import ${key}
+        ${homelessGPG} --no-default-keyring --keyring=$out --import ${keys}
       '';
-      keyid = super.runCommand "keyid" {} ''
-        ${homelessGPG} --with-colons --show-keys ${key} | awk -F: '{ print $5; exit }' > $out
+      keyids = super.runCommand "keyids" {} ''
+        ${homelessGPG} --no-default-keyring --with-colons --show-keys ${keys} |
+          ${self.gawk}/bin/awk -F: 'prev == "pub" && $1 == "fpr" { print $10 } { prev = $1 }' > $out
       '';
       keyedGPG = super.writeShellScript "keyed-gpg" ''
-        ${homelessGPG} --no-default-keyring --keyring=${keyring} --trusted-key "$(< ${keyid} )" "$@"
+        trusted_key_args=()
+        while read keyid;do
+          trusted_key_args+=( --trusted-key "$keyid" )
+        done < ${keyids}
+        ${homelessGPG} --no-default-keyring --keyring=${keyring} "''${trusted_key_args[@]}" "$@"
       '';
     in super.symlinkJoin {
       name = "keyedgit";
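Review bot: The keyids derivation has no guard against an empty result, so if the pipeline yields nothing (a keys file gpg cannot parse, or a gpg error the runCommand shell does not treat as fatal) the build succeeds with an empty file, trusted_key_args stays empty, and every later pull fails with an untrusted-signature error that gives no hint of the cause. Adding `[ -s $out ]` as the last line of the keyids recipe turns that into a build-time failure with the offending store path in hand. In keyed-gpg the loop should read `while IFS= read -r keyid; do` so backslashes and surrounding whitespace are never interpreted, though with hex fingerprints this is mostly a style point. Moving from the 64-bit key ID in field 5 to the full fingerprint in field 10 is the right trust anchor for --trusted-key.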