Checking OpenPGP Signatures in Nix Builds

OpenPGP signatures should be checked when projects provide them. To do this in a publicly-verifiable way, the signature check can be done as part of the build process: the key, the artefact and the detached signature are all fetched as fixed-output derivations, so anyone can re-run the same check against the same bytes. Be clear about what this does and does not establish: the sha256 on the key file pins which key is used, but whether that key is really the project's must still be confirmed out of band (for example, by comparing its fingerprint with one published through a second channel) when the key is first added and whenever its hash changes. An example:

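# Fetches a Tails ISO together with its detached OpenPGP signature and the
# Tails signing key, and exposes the ISO only after the signature has been
# checked inside the build sandbox.  All three inputs are fixed-output
# fetches, so the check is reproducible and can be re-run by anyone.
{ fetchurl, gnupg, runCommand, }:
let
  version = "5.4";
in rec {

  # Public key used to verify the ISO signature.  The sha256 pins the exact
  # key file; it does not establish that this is the genuine Tails key --
  # that has to be confirmed out of band (fingerprint from a second source)
  # the first time, and again whenever this hash changes.
  tails-signing-key = fetchurl {
    url = "https://tails.boum.org/tails-signing.key";
    sha256 = "1sa6kc1icwf8y1smfqfy3zxh9z687zrm59whn2xj4s98wqg39wbh";
  };

  # The ISO itself, fetched from a mirror.  Its hash is already pinned here;
  # the signature check below confirms that the pinned bytes are what Tails
  # signed, so a wrong hash cannot be recorded unnoticed.
  unverified-tails-iso = fetchurl {
    url = "https://ftp.nluug.nl/os/Linux/distr/tails/tails/stable/tails-amd64-${version}/tails-amd64-${version}.iso";
    sha256 = "142nw4gp24pn1ndx6rk78bbam78pbmwgnzfs0zmb9vv1s4lp15wa";
  };

  # Detached signature over the ISO, fetched from the Tails site rather than
  # from the mirror that serves the ISO.
  tails-iso-signature = fetchurl {
    url = "https://tails.boum.org/torrents/files/tails-amd64-${version}.iso.sig";
    sha256 = "1f0l6mwy6nw8817a5p5a798arqklbv3fkv3d3p45pzinr57ny6dc";
  };

  # Symlink to the ISO, produced only if gpg reports a valid signature from
  # the imported key.  gpg's exit status alone is a weak acceptance criterion:
  # it is believed not to distinguish a good signature from one made with an
  # expired or revoked key (those are reported only via status lines), so the
  # machine-readable --status-fd output is checked explicitly.
  verified-tails-iso = runCommand "verified-tails-iso" { } ''
    set -euo pipefail
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME

    # --batch: never prompt; the sandbox has no terminal or agent to talk to.
    ${gnupg}/bin/gpg --batch --import ${tails-signing-key}

    # Capture the status protocol on fd 3 so the human-readable stderr still
    # appears in the build log.  A non-zero --verify fails the build here,
    # before the status lines are inspected.
    ${gnupg}/bin/gpg --batch --status-fd 3 --verify ${tails-iso-signature} ${unverified-tails-iso} 3> gpg-status

    # Require a VALIDSIG, and reject a signature that gpg flags as expired or
    # as made with an expired or revoked key.
    grep -q '^\[GNUPG:\] VALIDSIG ' gpg-status
    if grep -Eq '^\[GNUPG:\] (EXPSIG|EXPKEYSIG|REVKEYSIG) ' gpg-status; then
      echo "signature is expired or made with an expired/revoked key; refusing ISO" >&2
      exit 1
    fi

    ln -s ${unverified-tails-iso} "$out"
  '';

}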

Version bumps change the fetch hashes of the signed resource and the signature, but not the signing key. A bump that also changes the key's hash should be reviewed as a key rotation — the new key's fingerprint confirmed out of band — rather than accepted alongside the other hashes:

@@ -1,6 +1,6 @@
 { fetchurl, gawk, gnupg, gnused, qemu_kvm, runCommand, socat, stdenvNoCC, wmctrl
 , writeShellScriptBin, }:
-let version = "5.3.1";
+let version = "5.4";
 in rec {

   tails-signing-key = fetchurl {
@@ -11,11 +11,11 @@
   unverified-tails-iso = fetchurl {
     url = "https://ftp.nluug.nl/os/Linux/distr/tails/tails/stable/tails-amd64-${version}/tails-amd64-${version}.iso";
-    sha256 = "12riynxzwv0f6cl5jkp8z1zszxxzfrk2kmf4f9g118ypwjzy352p";
+    sha256 = "142nw4gp24pn1ndx6rk78bbam78pbmwgnzfs0zmb9vv1s4lp15wa";
   };

   tails-iso-signature = fetchurl {
     url = "https://tails.boum.org/torrents/files/tails-amd64-${version}.iso.sig";
-    sha256 = "0s50m12g6lsrwwrvm79wrq7lyvwgha12ajc1qi6sr1dxn48zvxp7";
+    sha256 = "1f0l6mwy6nw8817a5p5a798arqklbv3fkv3d3p45pzinr57ny6dc";
   };

   verified-tails-iso = runCommand "verified-tails-iso" { } ''