From: Scott Worley
Date: Tue, 14 Apr 2020 22:53:08 +0000 (-0700)
Subject: Keyed git - check signatures with a specified key
X-Git-Url: http://git.scottworley.com/auto-upgrade-with-pinch/commitdiff_plain/3953b1663d82333958ea74bae17ba167360db226
Keyed git - check signatures with a specified key
---
diff --git a/overlays/keyedgit.nix b/overlays/keyedgit.nix
new file mode 100644
index 0000000..bbc156b
--- /dev/null
+++ b/overlays/keyedgit.nix
@@ -0,0 +1,28 @@
+# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
+
+self: super: {
+ keyedgit = key:
+ let
+ keyring = super.runCommand "keyedkeyring.gpg" {} ''
+ export GNUPGHOME=$(mktemp -d)
+ ${self.gnupg}/bin/gpg --no-default-keyring --keyring=$out --import ${key}
+ '';
+ keyedgpg = super.symlinkJoin {
+ name = "keyedgpg";
+ buildInputs = [ super.makeWrapper ];
+ paths = [ self.gnupg ];
+ postBuild = ''
+ wrapProgram "$out/bin/gpg" \
+ --add-flags '--no-default-keyring --keyring=${keyring}'
+ '';
+ };
+ in super.symlinkJoin {
+ name = "keyedgit";
+ paths = [ self.git ];
+ buildInputs = [ super.makeWrapper ];
+ postBuild = ''
+ wrapProgram "$out/bin/git" \
+ --add-flags '-c gpg.program=${keyedgpg}/bin/gpg'
+ '';
+ };
+}
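Review bot: The gpg wrapper built in `keyedgpg`'s `postBuild` pins the keyring but not the rest of gpg's configuration, so the invoking user's `gpg.conf` is still read at verification time. Any `keyring` line there adds keys alongside the pinned one, because `--no-default-keyring` drops only the default keyring. Adding `--no-options` to the wrapper would close that gap: `--add-flags '--no-options --no-default-keyring --keyring=${keyring}'`. Separately, `gpg --import ${key}` trusts every key contained in that file, and `-c gpg.program=` appears to cover only OpenPGP signatures; on git versions that support `gpg.format`, X.509 signatures go through `gpg.x509.program` instead. A header comment such as `# Only pins the OpenPGP keyring; callers must still run a verifying command (e.g. git verify-commit) and check its exit status` would make those limits explicit.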