From: Scott Worley <scottworley@scottworley.com>
Date: Tue, 14 Apr 2020 22:53:08 +0000 (-0700)
Subject: Keyed git - check signatures with a specified key
X-Git-Url: http://git.scottworley.com/auto-upgrade-with-pinch/commitdiff_plain/3953b1663d82333958ea74bae17ba167360db226

Keyed git - check signatures with a specified key
---

diff --git a/overlays/keyedgit.nix b/overlays/keyedgit.nix
new file mode 100644
index 0000000..bbc156b
--- /dev/null
+++ b/overlays/keyedgit.nix
@@ -0,0 +1,28 @@
+# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
+
+self: super: {
+  keyedgit = key:
+    let
+      keyring = super.runCommand "keyedkeyring.gpg" {} ''
+        export GNUPGHOME=$(mktemp -d)
+        ${self.gnupg}/bin/gpg --no-default-keyring --keyring=$out --import ${key}
+      '';
+      keyedgpg = super.symlinkJoin {
+        name = "keyedgpg";
+        buildInputs = [ super.makeWrapper ];
+        paths = [ self.gnupg ];
+        postBuild = ''
+          wrapProgram "$out/bin/gpg" \
+            --add-flags '--no-default-keyring --keyring=${keyring}'
+        '';
+      };
+    in super.symlinkJoin {
+      name = "keyedgit";
+      paths = [ self.git ];
+      buildInputs = [ super.makeWrapper ];
+      postBuild = ''
+        wrapProgram "$out/bin/git" \
+          --add-flags '-c gpg.program=${keyedgpg}/bin/gpg'
+      '';
+    };
+}