From 39c667d73c5b7e749fa044d984b2106c09157dce Mon Sep 17 00:00:00 2001
From: Fabrizio Romano Genovese
Date: Tue, 16 Dec 2025 14:40:39 +0100
Subject: [PATCH 1/3] gnupg: add package option to allow custom gnupg versions

Add sops.gnupg.package option to NixOS, home-manager, and nix-darwin modules, allowing users to specify a custom gnupg package instead of the default pkgs.gnupg. This enables use of bleeding-edge GPG versions with post-quantum encryption algorithms like Kyber, addressing "store now, decrypt later" threat models.
---
 modules/home-manager/sops.nix | 11 ++++++++++-
 modules/nix-darwin/default.nix | 11 ++++++++++-
 modules/sops/default.nix | 12 +++++++++++-
 3 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix
index 4906b4c..5c7a0a3 100644
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@@ -269,6 +269,15 @@ in
 };
 gnupg = {
+ package = lib.mkOption {
+ type = lib.types.package;
+ default = pkgs.gnupg;
+ defaultText = lib.literalExpression "pkgs.gnupg";
+ description = ''
+ The gnupg package to use for sops operations.
+ '';
+ };
+
 home = lib.mkOption {
 type = lib.types.nullOr lib.types.str;
 default = null;
@@ -341,7 +350,7 @@ in
 sops.environment = {
 SOPS_GPG_EXEC = lib.mkMerge [
 (lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [ ]) (
- lib.mkDefault "${pkgs.gnupg}/bin/gpg"
+ lib.mkDefault "${cfg.gnupg.package}/bin/gpg"
 ))
 (lib.mkIf cfg.gnupg.qubes-split-gpg.enable (
 lib.mkDefault config.home.sessionVariables.SOPS_GPG_EXEC
diff --git a/modules/nix-darwin/default.nix b/modules/nix-darwin/default.nix
index f169a30..fffd5b5 100644
--- a/modules/nix-darwin/default.nix
+++ b/modules/nix-darwin/default.nix
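Review bot: The new `package` option in the first home-manager hunk hand-rolls what `lib.mkPackageOption` already provides (type, default, defaultText and description), and the same nine lines are repeated in the nix-darwin and NixOS hunks of this patch; `package = lib.mkPackageOption pkgs "gnupg" { };` keeps the three modules identical and gets the stock wording. In the second hunk, `"${cfg.gnupg.package}/bin/gpg"` assumes a custom package ships exactly `bin/gpg` in its default output; `lib.getExe' cfg.gnupg.package "gpg"` states that intent and resolves through `lib.getBin`, so packages with a separate `bin` output still work. If other places in these modules still invoke gpg from `pkgs.gnupg` (for example when importing `sshKeyPaths`), they would run a different gnupg than the one exported in SOPS_GPG_EXEC; the hunk shows only this one call site, so that is worth checking.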
@@ -320,6 +320,15 @@ in
 '';
 };
+ package = lib.mkOption {
+ type = lib.types.package;
+ default = pkgs.gnupg;
+ defaultText = lib.literalExpression "pkgs.gnupg";
+ description = ''
+ The gnupg package to use for sops operations.
+ '';
+ };
+
 sshKeyPaths = lib.mkOption {
 type = lib.types.listOf lib.types.path;
 default = defaultImportKeys "rsa";
@@ -384,7 +393,7 @@ in
 {
 sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [ ]) (
- lib.mkDefault "${pkgs.gnupg}/bin/gpg"
+ lib.mkDefault "${cfg.gnupg.package}/bin/gpg"
 );
 }
 ];
diff --git a/modules/sops/default.nix b/modules/sops/default.nix
index 0c236d5..f80c5a2 100644
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@@ -381,6 +381,16 @@ in
 This option must be explicitly unset if config.sops.gnupg.home is set.
 '';
 };
+
+ package = lib.mkOption {
+ type = lib.types.package;
+ default = pkgs.gnupg;
+ defaultText = lib.literalExpression "pkgs.gnupg";
+ description = ''
+ The gnupg package to use for sops operations.
+ '';
+ };
+
 };
 };
 imports = [
@@ -442,7 +452,7 @@ in
 );
 sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [ ]) (
- lib.mkDefault "${pkgs.gnupg}/bin/gpg"
+ lib.mkDefault "${cfg.gnupg.package}/bin/gpg"
 );
 # When using sysusers we no longer are started as an activation script because those are started in initrd while sysusers is started later.

From 0809aa0ae70f84df0994984c3a7e398c1d5a8af4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sat, 10 Jan 2026 08:46:09 +0100
Subject: [PATCH 2/3] unit-test: convert to shell app

I saw the exit status in ci was actually ignored.
---
 .github/workflows/test.yml | 2 +-
 flake.nix | 5 ++++-
 pkgs/unit-tests.nix | 36 ++++++++++++------------------------
 3 files changed, 17 insertions(+), 26 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 4675465..00d6509 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -15,4 +15,4 @@ jobs:
 - name: Add keys group (needed for go tests)
 run: sudo groupadd keys
 - name: Run unit tests
- run: nix develop .#unit-tests --command "true"
+ run: nix run .#unit-tests
diff --git a/flake.nix b/flake.nix
index 3ac2f6e..d89bf7b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -147,13 +147,16 @@
 nix --extra-experimental-features "nix-command flakes" hash path ./dev/private | tr -d '\n' > ./dev/private.narHash
 ''}";
 };
+ unit-tests = {
+ type = "app";
+ program = "${pkgs.callPackage ./pkgs/unit-tests.nix { }}/bin/unit-tests";
+ };
 }
 );
 devShells = eachSystem (
 { pkgs, ... }:
 {
- unit-tests = pkgs.callPackage ./pkgs/unit-tests.nix { };
 default = pkgs.callPackage ./shell.nix { };
 }
 );
diff --git a/pkgs/unit-tests.nix b/pkgs/unit-tests.nix
index f3d3678..a51a6d0 100644
--- a/pkgs/unit-tests.nix
+++ b/pkgs/unit-tests.nix
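Review bot: Dropping the `unit-tests` devShell in the flake.nix hunk silently breaks `nix develop .#unit-tests` for any script or README that still names it; only the workflow is updated in this patch, so other references outside the diff are worth a grep. The new app spells the binary path by hand as `"${pkgs.callPackage ./pkgs/unit-tests.nix { }}/bin/unit-tests"`; since `writeShellApplication` sets `meta.mainProgram`, the conventional `program = pkgs.lib.getExe (pkgs.callPackage ./pkgs/unit-tests.nix { });` avoids naming the executable twice and keeps the two files in step if the script is ever renamed. The `apps` and `devShells` attribute sets both start above this hunk.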
@@ -4,30 +4,18 @@ let
 sopsPkgs = import ../. { inherit pkgs; };
 in
-pkgs.stdenv.mkDerivation {
- name = "env";
- nativeBuildInputs =
- with pkgs;
- [
- bashInteractive
- gnupg
- util-linux
- nix
- sopsPkgs.sops-pgp-hook-test
- ]
- ++ pkgs.lib.optional (pkgs.stdenv.isLinux) sopsPkgs.sops-install-secrets.unittest;
- # allow to prefetch shell dependencies in build phase
- dontUnpack = true;
- installPhase = ''
- echo $nativeBuildInputs > $out
- '';
- shellHook = ''
- set -x
- NIX_PATH=nixpkgs=${toString pkgs.path} TEST_ASSETS=$(realpath ./pkgs/sops-pgp-hook/test-assets) \
- sops-pgp-hook.test
- ${pkgs.lib.optionalString (pkgs.stdenv.isLinux) ''
- sudo TEST_ASSETS=$(realpath ./pkgs/sops-install-secrets/test-assets) \
- unshare --mount --fork sops-install-secrets.test
+pkgs.writeShellApplication {
+ name = "unit-tests";
+ runtimeInputs = [
+ pkgs.gnupg
+ pkgs.nix
+ ] ++ pkgs.lib.optionals pkgs.stdenv.isLinux [
+ pkgs.util-linux
+ ];
+ text = ''
+ NIX_PATH=nixpkgs=${pkgs.path} TEST_ASSETS="$PWD/pkgs/sops-pgp-hook/test-assets" ${sopsPkgs.sops-pgp-hook-test}/bin/sops-pgp-hook.test -test.v
+ ${pkgs.lib.optionalString pkgs.stdenv.isLinux ''
+ sudo TEST_ASSETS="$PWD/pkgs/sops-install-secrets/test-assets" unshare --mount --fork ${sopsPkgs.sops-install-secrets.unittest}/bin/sops-install-secrets.test -test.v
 ''}
 '';
 }

From 45115f12aedc2efb3822430e228e8e3fc6e884ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sat, 10 Jan 2026 08:48:01 +0100
Subject: [PATCH 3/3] add cache.thalheim.io in ci
---
 .github/workflows/test.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 00d6509..c2ab948 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
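Review bot: On the Linux branch of `text`, `sudo` typically resets `PATH` to its configured secure_path, so the `unshare` it executes will usually be the host's rather than the `pkgs.util-linux` listed in `runtimeInputs` (sudo itself is rightly not a Nix input, since it has to stay setuid). If the Nix binary is the intended one, reference it by store path the way the test binary already is, `sudo TEST_ASSETS="$PWD/pkgs/sops-install-secrets/test-assets" ${pkgs.util-linux}/bin/unshare --mount --fork ${sopsPkgs.sops-install-secrets.unittest}/bin/sops-install-secrets.test -test.v`, and drop `pkgs.util-linux` from `runtimeInputs`; otherwise that entry is dead weight and should go. `writeShellApplication` enables `set -euo pipefail`, which is what makes a failing test fail the job now; a one-line comment above `text` noting that the script must be run from the repository root (both `TEST_ASSETS` values are built from `$PWD`) would save the next person a confusing failure. The `let` that binds `sopsPkgs` starts above this hunk.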
@@ -12,6 +12,10 @@ jobs:
 steps:
 - uses: actions/checkout@v6
 - uses: cachix/install-nix-action@v31
+ with:
+ extra_nix_config: |
+ extra-substituters = https://cache.thalheim.io
+ extra-trusted-public-keys = cache.thalheim.io-1:R7msbosLEZKrxk/lKxf9BTjOOH7Ax3H0Qj0/6wiHOgc=
 - name: Add keys group (needed for go tests)
 run: sudo groupadd keys
 - name: Run unit tests
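Review bot: The added `extra-substituters` entry makes every store path this job needs eligible to be fetched from cache.thalheim.io, and `extra-trusted-public-keys` makes the listed key fully trusted for the job, so the integrity of the test run (test binaries included) now rests on that host and key as well as on cache.nixos.org. Pinning a specific key rather than trusting the cache unconditionally is the right shape; what is missing is a note for future readers on who operates the cache and where the key can be verified out of band, e.g. a comment above `with:` such as `# maintainer-run binary cache; key fingerprint published at <location>` (the domain suggests it is the committer's, but the hunk does not say so). Keeping this scoped to the workflow's `install-nix-action` step rather than global Nix configuration is also appropriate, since nothing here pushes to the cache.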