Merge 9837165d5f
into 6d3b6dc922
This commit is contained in:
commit
ce3a74f87e
|
@ -1299,6 +1299,22 @@ in {
|
|||
'';
|
||||
}
|
||||
|
||||
{
|
||||
time = "2023-11-13T12:13:04+00:00";
|
||||
condition = config.programs.git.signing != {};
|
||||
message = ''
|
||||
The Git module now supports signing via SSH and X.509 keys, in addition to OpenPGP/GnuPG,
|
||||
via the `programs.git.signing.format` option.
|
||||
|
||||
The format defaults to `openpgp` for now, due to backwards compatibility reasons — this is
|
||||
not guaranteed to last! GPG users should manually set `programs.git.signing.format` to
|
||||
`openpgp` as soon as possible.
|
||||
|
||||
Accordingly, `programs.git.signing.gpgPath` has been renamed to the more generic option
|
||||
`programs.git.signing.signer` as not everyone uses GPG.
|
||||
Please migrate to the new option to suppress the generated warning.
|
||||
'';
|
||||
}
|
||||
{
|
||||
time = "2023-11-22T22:42:16+00:00";
|
||||
message = ''
|
||||
|
|
|
@ -14,33 +14,6 @@ let
|
|||
supersectionType = attrsOf (either multipleType sectionType);
|
||||
in attrsOf supersectionType;
|
||||
|
||||
signModule = types.submodule {
|
||||
options = {
|
||||
key = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
description = ''
|
||||
The default GPG signing key fingerprint.
|
||||
|
||||
Set to `null` to let GnuPG decide what signing key
|
||||
to use depending on commit’s author.
|
||||
'';
|
||||
};
|
||||
|
||||
signByDefault = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Whether commits and tags should be signed by default.";
|
||||
};
|
||||
|
||||
gpgPath = mkOption {
|
||||
type = types.str;
|
||||
default = "${pkgs.gnupg}/bin/gpg2";
|
||||
defaultText = "\${pkgs.gnupg}/bin/gpg2";
|
||||
description = "Path to GnuPG binary to use.";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
includeModule = types.submodule ({ config, ... }: {
|
||||
options = {
|
||||
condition = mkOption {
|
||||
|
@ -132,10 +105,46 @@ in {
|
|||
description = "Git aliases to define.";
|
||||
};
|
||||
|
||||
signing = mkOption {
|
||||
type = types.nullOr signModule;
|
||||
default = null;
|
||||
description = "Options related to signing commits using GnuPG.";
|
||||
signing = {
|
||||
key = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
description = ''
|
||||
The default signing key fingerprint.
|
||||
|
||||
Set to `null` to let the signer decide what signing key
|
||||
to use depending on commit’s author.
|
||||
'';
|
||||
};
|
||||
|
||||
format = mkOption ({
|
||||
type = types.enum [ "openpgp" "ssh" "x509" ];
|
||||
description = ''
|
||||
The signing method to use when signing commits and tags.
|
||||
Valid values are `openpgp` (OpenPGP/GnuPG), `ssh`, (SSH) and `x509` (X.509 certificates).
|
||||
|
||||
Defaults to `openpgp` until state version 23.11 for backwards compatibility reasons.
|
||||
'';
|
||||
} // optionalAttrs (versionOlder config.home.stateVersion "23.11") {
|
||||
default = "openpgp";
|
||||
});
|
||||
|
||||
signByDefault = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Whether commits and tags should be signed by default.";
|
||||
};
|
||||
|
||||
signer = mkOption {
|
||||
type = types.str;
|
||||
|
||||
default = {
|
||||
openpgp = getExe' pkgs.gnupg "gpg2";
|
||||
ssh = getExe pkgs.ssh;
|
||||
x509 = getExe' pkgs.gnupg "gpgsm";
|
||||
}.${cfg.signing.format};
|
||||
|
||||
description = "Path to signer binary to use.";
|
||||
};
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
|
@ -353,9 +362,19 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
imports = [
|
||||
(mkRenamedOptionModule [ "programs" "git" "signing" "gpgPath" ] [
|
||||
"programs"
|
||||
"git"
|
||||
"signing"
|
||||
"signer"
|
||||
])
|
||||
];
|
||||
|
||||
config = mkIf cfg.enable (mkMerge [
|
||||
{
|
||||
home.packages = [ cfg.package ];
|
||||
|
||||
assertions = [{
|
||||
assertion = let
|
||||
enabled =
|
||||
|
@ -415,12 +434,16 @@ in {
|
|||
(filterAttrs hasSmtp config.accounts.email.accounts);
|
||||
}
|
||||
|
||||
(mkIf (cfg.signing != null) {
|
||||
programs.git.iniContent = {
|
||||
(mkIf (cfg.signing != { }) {
|
||||
programs.git.iniContent = let inherit (cfg.signing) format;
|
||||
in {
|
||||
user.signingKey = mkIf (cfg.signing.key != null) cfg.signing.key;
|
||||
commit.gpgSign = mkDefault cfg.signing.signByDefault;
|
||||
tag.gpgSign = mkDefault cfg.signing.signByDefault;
|
||||
gpg.program = cfg.signing.gpgPath;
|
||||
gpg = {
|
||||
inherit format;
|
||||
${format}.program = cfg.signing.signer;
|
||||
};
|
||||
};
|
||||
})
|
||||
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
git-with-most-options = ./git.nix;
|
||||
git-with-msmtp = ./git-with-msmtp.nix;
|
||||
git-with-str-extra-config = ./git-with-str-extra-config.nix;
|
||||
git-with-signing-key-id-legacy = ./git-with-signing-key-id-legacy.nix;
|
||||
git-with-signing-key-id = ./git-with-signing-key-id.nix;
|
||||
git-without-signing-key-id = ./git-without-signing-key-id.nix;
|
||||
git-with-hooks = ./git-with-hooks.nix;
|
||||
|
|
|
@ -38,6 +38,9 @@
|
|||
smudge = "git-lfs smudge -- %f"
|
||||
|
||||
[gpg]
|
||||
format = "openpgp"
|
||||
|
||||
[gpg "openpgp"]
|
||||
program = "path-to-gpg"
|
||||
|
||||
[interactive]
|
||||
|
|
|
@ -2,7 +2,10 @@
|
|||
gpgSign = true
|
||||
|
||||
[gpg]
|
||||
program = "path-to-gpg"
|
||||
format = "ssh"
|
||||
|
||||
[gpg "ssh"]
|
||||
program = "path-to-ssh"
|
||||
|
||||
[tag]
|
||||
gpgSign = true
|
||||
|
@ -10,4 +13,4 @@
|
|||
[user]
|
||||
email = "user@example.org"
|
||||
name = "John Doe"
|
||||
signingKey = "00112233445566778899AABBCCDDEEFF"
|
||||
signingKey = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
[commit]
|
||||
gpgSign = true
|
||||
|
||||
[gpg]
|
||||
format = "openpgp"
|
||||
|
||||
[gpg "openpgp"]
|
||||
program = "path-to-gpg"
|
||||
|
||||
[tag]
|
||||
gpgSign = true
|
||||
|
||||
[user]
|
||||
email = "user@example.org"
|
||||
name = "John Doe"
|
||||
signingKey = "00112233445566778899AABBCCDDEEFF"
|
|
@ -0,0 +1,28 @@
|
|||
{ lib, options, ... }: {
|
||||
config = {
|
||||
programs.git = {
|
||||
enable = true;
|
||||
userName = "John Doe";
|
||||
userEmail = "user@example.org";
|
||||
|
||||
signing = {
|
||||
gpgPath = "path-to-gpg";
|
||||
key = "00112233445566778899AABBCCDDEEFF";
|
||||
signByDefault = true;
|
||||
};
|
||||
};
|
||||
|
||||
test.asserts.warnings.expected = [
|
||||
"The option `programs.git.signing.gpgPath' defined in ${
|
||||
lib.showFiles options.programs.git.signing.gpgPath.files
|
||||
} has been renamed to `programs.git.signing.signer'."
|
||||
];
|
||||
|
||||
nmt.script = ''
|
||||
assertFileExists home-files/.config/git/config
|
||||
assertFileContent home-files/.config/git/config ${
|
||||
./git-with-signing-key-id-legacy-expected.conf
|
||||
}
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -6,8 +6,10 @@
|
|||
userEmail = "user@example.org";
|
||||
|
||||
signing = {
|
||||
gpgPath = "path-to-gpg";
|
||||
key = "00112233445566778899AABBCCDDEEFF";
|
||||
signer = "path-to-ssh";
|
||||
format = "ssh";
|
||||
key =
|
||||
"ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
|
||||
signByDefault = true;
|
||||
};
|
||||
};
|
||||
|
|
|
@ -55,7 +55,8 @@ in {
|
|||
}
|
||||
];
|
||||
signing = {
|
||||
gpgPath = "path-to-gpg";
|
||||
signer = "path-to-gpg";
|
||||
format = "openpgp";
|
||||
key = "00112233445566778899AABBCCDDEEFF";
|
||||
signByDefault = true;
|
||||
};
|
||||
|
|
Loading…
Reference in New Issue