From 5ea02587f16178dc303d33338abfa8bf306328be Mon Sep 17 00:00:00 2001 From: Scott Worley Date: Wed, 10 Jun 2020 16:12:27 -0700 Subject: [PATCH] Make signingKeys static again git -c gpg.program= cannot pass arguments. Another possibility from here to keep this dynamic would be to pass the list of signing keys through the environment. --- modules/auto-upgrade.nix | 11 ++++++++++- overlays/keyedgpg.nix | 29 +++-------------------------- upgrade-config.nix | 8 -------- 3 files changed, 13 insertions(+), 35 deletions(-) diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix index 7e48c40..56d15d9 100644 --- a/modules/auto-upgrade.nix +++ b/modules/auto-upgrade.nix @@ -51,7 +51,7 @@ let if [[ "$(prop requireSignature)" == true ]]; then ${pkgs.polite-merge}/bin/polite-merge \ - -c gpg.program='${pkgs.keyedgpg} '"$(prop 'signingKeys[]' | tr \\n ' ')"' --' \ + -c gpg.program=${escapeShellArg (pkgs.keyedgpg cfg.signingKeys)} \ merge --ff-only --verify-signatures else ${pkgs.polite-merge}/bin/polite-merge merge --ff-only @@ -218,6 +218,15 @@ in { ''; }; + signingKeys = mkOption { + type = types.listOf types.path; + description = '' + Files containing GPG keys that are authorized to sign updates. + Updates are only merged if the commit at the tip of the remote + ref is signed with one of these keys. + ''; + }; + upgradeConfig = mkOption { type = types.listOf types.path; description = '' diff --git a/overlays/keyedgpg.nix b/overlays/keyedgpg.nix index 202abb3..a78062f 100644 --- a/overlays/keyedgpg.nix +++ b/overlays/keyedgpg.nix @@ -11,42 +11,19 @@ let ${self.gnupg}/bin/gpg --no-default-keyring "$@" ''; in { - keyedgpg = super.writeShellScript "keyed-gpg" '' + keyedgpg = keyfiles: super.writeShellScript "keyed-gpg" '' set -eo pipefail - usage() { - echo "usage: keyed-gpg /path/to/keyfile1.asc ... -- gpg-command..." >&2 - exit 1 - } - - incomplete=true - keyfiles=() - while (( $# > 0 ));do - if [[ "$1" == -- ]];then - shift - incomplete=false - break - fi - if [[ ! -r "$1" ]];then - usage - fi - keyfiles+=$1 - shift - done - if "$incomplete";then - usage - fi - keyring=$(${self.coreutils}/bin/mktemp) cleanup() { ${self.coreutils}/bin/rm "$keyring"; } trap cleanup EXIT - ${homelessGPG} --keyring="$keyring" --import "''${keyfiles[@]}" + ${homelessGPG} --keyring="$keyring" --import ${self.lib.escapeShellArgs keyfiles} trusted_key_args=() while read keyid;do trusted_key_args+=( --trusted-key "$keyid" ) done < <( - ${homelessGPG} --with-colons --show-keys "''${keyfiles[@]}" | + ${homelessGPG} --with-colons --show-keys ${self.lib.escapeShellArgs keyfiles} | ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }') ${homelessGPG} --keyring="$keyring" "''${trusted_key_args[@]}" "$@" diff --git a/upgrade-config.nix b/upgrade-config.nix index e9962eb..2ce8829 100644 --- a/upgrade-config.nix +++ b/upgrade-config.nix @@ -84,14 +84,6 @@ evalModules { specifed in signingKeys. ''; }; - signingKeys = mkOption { - type = types.listOf types.path; - description = '' - Files containing GPG keys that are authorized to sign updates. - Updates are only merged if the commit at the tip of the remote - ref is signed with one of these keys. - ''; - }; }; }); example = { -- 2.44.1