git: support not configuring signing.format (#6478)

2025-03-06 16:57:03 +00:00 · 2025-02-17 03:00:03 -08:00 · 2025-02-17 03:00:03 -08:00 · 5c5697b82a
commit 5c5697b82a
parent 30b9cd6f1a
9 changed files with 52 additions and 47 deletions
--- a/modules/programs/git.nix
+++ b/modules/programs/git.nix
@ -118,7 +118,7 @@ in {
        };

        format = mkOption {
-          type = types.enum [ "openpgp" "ssh" "x509" ];
+          type = types.nullOr (types.enum [ "openpgp" "ssh" "x509" ]);
          defaultText = literalExpression ''
            "openpgp" for state version < 25.05,
            undefined for state version ≥ 25.05
@ -130,13 +130,13 @@ in {
        };

        signByDefault = mkOption {
-          type = types.bool;
-          default = false;
+          type = types.nullOr types.bool;
+          default = null;
          description = "Whether commits and tags should be signed by default.";
        };

        signer = mkOption {
-          type = types.str;
+          type = types.nullOr types.str;
          description = "Path to signer binary to use.";
        };
      };
@ -493,25 +493,35 @@ in {
    (mkIf (cfg.signing != { }) {
      programs.git = {
        signing = {
-          format = mkIf (versionOlder config.home.stateVersion "25.05")
-            (mkOptionDefault "openpgp");
-          signer = mkIf (cfg.signing.format != null) (mkOptionDefault {
-            openpgp = getExe config.programs.gpg.package;
-            ssh = getExe' pkgs.openssh "ssh-keygen";
-            x509 = getExe' config.programs.gpg.package "gpgsm";
-          }.${cfg.signing.format});
+          format = if (versionOlder config.home.stateVersion "25.05") then
+            (mkOptionDefault "openpgp")
+          else
+            null;
+          signer = let
+            defaultSigners = {
+              openpgp = getExe config.programs.gpg.package;
+              ssh = getExe' pkgs.openssh "ssh-keygen";
+              x509 = getExe' config.programs.gpg.package "gpgsm";
+            };
+          in mkIf (cfg.signing.format != null)
+          (mkOptionDefault defaultSigners.${cfg.signing.format});
        };

-        iniContent = let inherit (cfg.signing) format;
-        in {
-          user.signingKey = mkIf (cfg.signing.key != null) cfg.signing.key;
-          commit.gpgSign = mkDefault cfg.signing.signByDefault;
-          tag.gpgSign = mkDefault cfg.signing.signByDefault;
-          gpg = {
-            format = mkDefault format;
-            ${format}.program = cfg.signing.signer;
-          };
-        };
+        iniContent = mkMerge [
+          (mkIf (cfg.signing.key != null) {
+            user.signingKey = mkDefault cfg.signing.key;
+          })
+          (mkIf (cfg.signing.signByDefault != null) {
+            commit.gpgSign = mkDefault cfg.signing.signByDefault;
+            tag.gpgSign = mkDefault cfg.signing.signByDefault;
+          })
+          (mkIf (cfg.signing.format != null) {
+            gpg = {
+              format = mkDefault cfg.signing.format;
+              ${cfg.signing.format}.program = mkDefault cfg.signing.signer;
+            };
+          })
+        ];
      };
    })

--- a/tests/modules/programs/gh/credential-helper.git.conf
+++ b/tests/modules/programs/gh/credential-helper.git.conf
@ -1,6 +1,3 @@
-[commit]
-	gpgSign = false
-
 [credential "https://github.com"]
 	helper = "@gh@/bin/gh auth git-credential"

@ -12,6 +9,3 @@

 [gpg "openpgp"]
 	program = "path-to-gpg"
-
-[tag]
-	gpgSign = false
--- a/tests/modules/programs/git/default.nix
+++ b/tests/modules/programs/git/default.nix
@ -6,5 +6,6 @@
  git-with-signing-key-id-legacy = ./git-with-signing-key-id-legacy.nix;
  git-with-signing-key-id = ./git-with-signing-key-id.nix;
  git-without-signing-key-id = ./git-without-signing-key-id.nix;
+  git-without-signing = ./git-without-signing.nix;
  git-with-hooks = ./git-with-hooks.nix;
 }
--- a/tests/modules/programs/git/git-with-email-expected.conf
+++ b/tests/modules/programs/git/git-with-email-expected.conf
@ -1,11 +1,8 @@
-[commit]
-	gpgSign = false
-
 [gpg]
 	format = "openpgp"

 [gpg "openpgp"]
-	program = "path-to-gpg"
+	program = "@gnupg@/bin/gpg"

 [sendemail "hm-account"]
 	from = "H. M. Test Jr. <hm@example.org>"
@ -21,9 +18,6 @@
 	smtpSslCertPath = "/etc/ssl/certs/ca-certificates.crt"
 	smtpUser = "home.manager"

-[tag]
-	gpgSign = false
-
 [user]
 	email = "hm@example.com"
 	name = "H. M. Test"
--- a/tests/modules/programs/git/git-with-email.nix
+++ b/tests/modules/programs/git/git-with-email.nix
@ -8,7 +8,6 @@

  programs.git = {
    enable = true;
-    signing.signer = "path-to-gpg";
    userEmail = "hm@example.com";
    userName = "H. M. Test";
  };
--- a/tests/modules/programs/git/git-with-msmtp-expected.conf
+++ b/tests/modules/programs/git/git-with-msmtp-expected.conf
@ -1,6 +1,3 @@
-[commit]
-	gpgSign = false
-
 [gpg]
 	format = "openpgp"

@ -19,9 +16,6 @@
 	from = "H. M. Test <hm@example.com>"
 	smtpServer = "@msmtp@/bin/msmtp"

-[tag]
-	gpgSign = false
-
 [user]
 	email = "hm@example.com"
 	name = "H. M. Test"
--- a/tests/modules/programs/git/git-with-str-extra-config-expected.conf
+++ b/tests/modules/programs/git/git-with-str-extra-config-expected.conf
@ -1,17 +1,11 @@
 This can be anything.

-[commit]
-	gpgSign = false
-
 [gpg]
 	format = "openpgp"

 [gpg "openpgp"]
 	program = "path-to-gpg"

-[tag]
-	gpgSign = false
-
 [user]
 	email = "user@example.org"
 	name = "John Doe"
--- a/tests/modules/programs/git/git-without-signing.conf
+++ b/tests/modules/programs/git/git-without-signing.conf
@ -0,0 +1,3 @@
+[user]
+	email = "user@example.org"
+	name = "John Doe"
--- a/tests/modules/programs/git/git-without-signing.nix
+++ b/tests/modules/programs/git/git-without-signing.nix
@ -0,0 +1,16 @@
+{
+  programs.git = {
+    enable = true;
+    userName = "John Doe";
+    userEmail = "user@example.org";
+  };
+
+  home.stateVersion = "25.05";
+
+  nmt.script = ''
+    assertFileExists home-files/.config/git/config
+    assertFileContent home-files/.config/git/config ${
+      ./git-without-signing.conf
+    }
+  '';
+}