1 files changed, 54 insertions, 0 deletions

diff --git a/pkgs/sternenseemann/bundle-signed-release/default.nix b/pkgs/sternenseemann/bundle-signed-release/default.nix
new file mode 100644
index 00000000..5db979b0
--- /dev/null
+++ b/pkgs/sternenseemann/bundle-signed-release/default.nix
@@ -0,0 +1,54 @@
+# Build a directory containing release tarballs and
+# their signatures. Fail if a signature is invalid.
+{ lib
+, getBins
+, signify
+, buildGitTarball
+, runCommandNoCC
+}:
+
+{ # public key to verify against
+  publicKey
+  # directory signature files are located in
+, sigs
+}:
+
+{ # project name:
+  # * tarballs are name ${pname}-${tag}.tar.gz
+  # * signatures are name ${pname}-${tag}.tar.gz.sig
+  pname
+  # information about the git remote to fetch from
+  # must contain an url attribute and may contain
+  # a subDir attribute.
+, git
+  # List of releases which are represented as an
+  # attribute set which contains a sha256 and
+  # either a tag or rev attribute.
+, releases
+}:
+
+let
+  bins = getBins signify [ "signify" ];
+
+  tarballs = builtins.map
+    (args: buildGitTarball (git // args // {
+      inherit pname;
+    })) releases;
+
+  sigFor = tarball: "${sigs}/${tarball.name}.sig";
+in
+
+runCommandNoCC "${pname}-releases" {} (''
+  mkdir -p "$out"
+'' + lib.concatMapStrings (tarball: ''
+  # verify tarball and inform user about what's happening
+  echo -n "${tarball.name}: "
+  ${bins.signify} -V \
+    -p "${publicKey}" \
+    -m "${tarball}" \
+    -x "${sigFor tarball}"
+
+  # succeeded, so copy tarball and signature
+  ln -s "${tarball}" "$out/${tarball.name}"
+  ln -s "${sigFor tarball}" "$out/${baseNameOf (sigFor tarball)}"
+'') tarballs)