From 3953b1663d82333958ea74bae17ba167360db226 Mon Sep 17 00:00:00 2001
From: Scott Worley <scottworley@scottworley.com>
Date: Tue, 14 Apr 2020 15:53:08 -0700
Subject: [PATCH] Keyed git - check signatures with a specified key

---
 overlays/keyedgit.nix | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 overlays/keyedgit.nix

diff --git a/overlays/keyedgit.nix b/overlays/keyedgit.nix
new file mode 100644
index 0000000..bbc156b
--- /dev/null
+++ b/overlays/keyedgit.nix
@@ -0,0 +1,28 @@
+# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
+
+self: super: {
+  keyedgit = key:
+    let
+      keyring = super.runCommand "keyedkeyring.gpg" {} ''
+        export GNUPGHOME=$(mktemp -d)
+        ${self.gnupg}/bin/gpg --no-default-keyring --keyring=$out --import ${key}
+      '';
+      keyedgpg = super.symlinkJoin {
+        name = "keyedgpg";
+        buildInputs = [ super.makeWrapper ];
+        paths = [ self.gnupg ];
+        postBuild = ''
+          wrapProgram "$out/bin/gpg" \
+            --add-flags '--no-default-keyring --keyring=${keyring}'
+        '';
+      };
+    in super.symlinkJoin {
+      name = "keyedgit";
+      paths = [ self.git ];
+      buildInputs = [ super.makeWrapper ];
+      postBuild = ''
+        wrapProgram "$out/bin/git" \
+          --add-flags '-c gpg.program=${keyedgpg}/bin/gpg'
+      '';
+    };
+}
-- 
2.44.1