From 9d0c0d71309239cfdc6c19996d2b730fdf06a692 Mon Sep 17 00:00:00 2001 From: Scott Worley Date: Tue, 19 May 2020 21:05:08 -0700 Subject: [PATCH] Accept multiple signing keys --- modules/auto-upgrade.nix | 9 +++++---- overlays/keyedgit.nix | 15 ++++++++++----- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix index 8bf21aa..66d857f 100644 --- a/modules/auto-upgrade.nix +++ b/modules/auto-upgrade.nix @@ -28,7 +28,7 @@ let # Update channels ( cd /etc/nixos - ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures + ${pkgs.keyedgit cfg.keys}/bin/git pull --ff-only --verify-signatures ${pkgs.pinch}/bin/pinch update channels ) @@ -71,11 +71,12 @@ in { ''; }; - key = mkOption { + keys = mkOption { type = types.path; description = '' - GPG key that signs updates. Updates are only merged if the commit - at the tip of the remote branch is signed with this key. + File containing GPG keys that sign updates. Updates are only merged + if the commit at the tip of the remote branch is signed with one of + these keys. ''; }; diff --git a/overlays/keyedgit.nix b/overlays/keyedgit.nix index bf260e7..a4465dc 100644 --- a/overlays/keyedgit.nix +++ b/overlays/keyedgit.nix @@ -1,7 +1,7 @@ # Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys self: super: { - keyedgit = key: + keyedgit = keys: let homelessGPG = super.writeShellScript "homeless-gpg" '' export GNUPGHOME=$(mktemp -d) @@ -9,13 +9,18 @@ self: super: { ${self.gnupg}/bin/gpg "$@" ''; keyring = super.runCommand "keyedkeyring.gpg" {} '' - ${homelessGPG} --no-default-keyring --keyring=$out --import ${key} + ${homelessGPG} --no-default-keyring --keyring=$out --import ${keys} ''; - keyid = super.runCommand "keyid" {} '' - ${homelessGPG} --with-colons --show-keys ${key} | awk -F: '{ print $5; exit }' > $out + keyids = super.runCommand "keyids" {} '' + ${homelessGPG} --no-default-keyring --with-colons --show-keys ${keys} | + ${self.gawk}/bin/awk -F: 'prev == "pub" && $1 == "fpr" { print $10 } { prev = $1 }' > $out ''; keyedGPG = super.writeShellScript "keyed-gpg" '' - ${homelessGPG} --no-default-keyring --keyring=${keyring} --trusted-key "$(< ${keyid} )" "$@" + trusted_key_args=() + while read keyid;do + trusted_key_args+=( --trusted-key "$keyid" ) + done < ${keyids} + ${homelessGPG} --no-default-keyring --keyring=${keyring} "''${trusted_key_args[@]}" "$@" ''; in super.symlinkJoin { name = "keyedgit"; -- 2.44.1