# Update channels
(
cd /etc/nixos
- ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
+ ${pkgs.keyedgit cfg.keys}/bin/git pull --ff-only --verify-signatures
${pkgs.pinch}/bin/pinch update channels
)
'';
};
- key = mkOption {
+ keys = mkOption {
type = types.path;
description = ''
- GPG key that signs updates. Updates are only merged if the commit
- at the tip of the remote branch is signed with this key.
+ File containing GPG keys that sign updates. Updates are only merged
+ if the commit at the tip of the remote branch is signed with one of
+ these keys.
'';
};
# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
self: super: {
- keyedgit = key:
+ keyedgit = keys:
let
homelessGPG = super.writeShellScript "homeless-gpg" ''
export GNUPGHOME=$(mktemp -d)
${self.gnupg}/bin/gpg "$@"
'';
keyring = super.runCommand "keyedkeyring.gpg" {} ''
- ${homelessGPG} --no-default-keyring --keyring=$out --import ${key}
+ ${homelessGPG} --no-default-keyring --keyring=$out --import ${keys}
'';
- keyid = super.runCommand "keyid" {} ''
- ${homelessGPG} --with-colons --show-keys ${key} | awk -F: '{ print $5; exit }' > $out
+ keyids = super.runCommand "keyids" {} ''
+ ${homelessGPG} --no-default-keyring --with-colons --show-keys ${keys} |
+ ${self.gawk}/bin/awk -F: 'prev == "pub" && $1 == "fpr" { print $10 } { prev = $1 }' > $out
'';
keyedGPG = super.writeShellScript "keyed-gpg" ''
- ${homelessGPG} --no-default-keyring --keyring=${keyring} --trusted-key "$(< ${keyid} )" "$@"
+ trusted_key_args=()
+ while read keyid;do
+ trusted_key_args+=( --trusted-key "$keyid" )
+ done < ${keyids}
+ ${homelessGPG} --no-default-keyring --keyring=${keyring} "''${trusted_key_args[@]}" "$@"
'';
in super.symlinkJoin {
name = "keyedgit";
projects / auto-upgrade-with-pinch / commitdiff