From: Scott Worley Date: Tue, 14 Apr 2020 23:14:28 +0000 (-0700) Subject: Trust the specified key X-Git-Url: http://git.scottworley.com/auto-upgrade-with-pinch/commitdiff_plain/00a79ae1cc6cdc2791545c0b0aa9dc55e9c95ec5?hp=3953b1663d82333958ea74bae17ba167360db226 Trust the specified key --- diff --git a/overlays/keyedgit.nix b/overlays/keyedgit.nix index bbc156b..bf260e7 100644 --- a/overlays/keyedgit.nix +++ b/overlays/keyedgit.nix @@ -3,26 +3,27 @@ self: super: { keyedgit = key: let - keyring = super.runCommand "keyedkeyring.gpg" {} '' + homelessGPG = super.writeShellScript "homeless-gpg" '' export GNUPGHOME=$(mktemp -d) - ${self.gnupg}/bin/gpg --no-default-keyring --keyring=$out --import ${key} + trap 'rm -r "$GNUPGHOME"' EXIT + ${self.gnupg}/bin/gpg "$@" + ''; + keyring = super.runCommand "keyedkeyring.gpg" {} '' + ${homelessGPG} --no-default-keyring --keyring=$out --import ${key} + ''; + keyid = super.runCommand "keyid" {} '' + ${homelessGPG} --with-colons --show-keys ${key} | awk -F: '{ print $5; exit }' > $out + ''; + keyedGPG = super.writeShellScript "keyed-gpg" '' + ${homelessGPG} --no-default-keyring --keyring=${keyring} --trusted-key "$(< ${keyid} )" "$@" ''; - keyedgpg = super.symlinkJoin { - name = "keyedgpg"; - buildInputs = [ super.makeWrapper ]; - paths = [ self.gnupg ]; - postBuild = '' - wrapProgram "$out/bin/gpg" \ - --add-flags '--no-default-keyring --keyring=${keyring}' - ''; - }; in super.symlinkJoin { name = "keyedgit"; paths = [ self.git ]; buildInputs = [ super.makeWrapper ]; postBuild = '' wrapProgram "$out/bin/git" \ - --add-flags '-c gpg.program=${keyedgpg}/bin/gpg' + --add-flags '-c gpg.program=${keyedGPG}' ''; }; }