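---
# Test for verification of GnuPG signatures.
#
# Exercises the git module's `verify_commit` option against a throwaway
# repository whose signed objects are all signed with one imported test key.
# Signed HEAD, commit, lightweight tag, annotated tag and branch tip must
# clone successfully; their unsigned counterparts must fail with the module's
# "Failed to verify GPG signature of commit/tag" message.
#
# Requires `git_gpg_testkey` (armored key material that includes the secret
# key, since the fixture signs with it) to be defined by the caller. Every
# other artifact lives under a temporary workdir that is removed at the end.
# Only one key is imported, so the case of an object signed by a key that is
# absent from GNUPGHOME is not covered by these tasks.
#
# NOTE(review): assumes `git`, `gpg` and `gpgconf` are on PATH and that git
# has a user identity configured on the target host — confirm.

- name: GPG-VERIFICATION | Create GnuPG verification workdir
  tempfile:
    state: directory
  register: git_gpg_workdir

- name: GPG-VERIFICATION | Define variables based on workdir
  set_fact:
    git_gpg_keyfile: "{{ git_gpg_workdir.path }}/testkey.asc"
    git_gpg_source: "{{ git_gpg_workdir.path }}/source"
    git_gpg_dest: "{{ git_gpg_workdir.path }}/dest"
    git_gpg_gpghome: "{{ git_gpg_workdir.path }}/gpg"

# The key file carries secret-key material; restrict it to the owner.
- name: GPG-VERIFICATION | Temporary store GnuPG test key
  copy:
    content: "{{ git_gpg_testkey }}"
    dest: "{{ git_gpg_keyfile }}"
    mode: "0600"

# Owner-only homedir keeps GnuPG from complaining about unsafe permissions.
# The mode is quoted so YAML does not reinterpret the octal literal.
- name: GPG-VERIFICATION | Create temporary GNUPGHOME directory
  file:
    path: "{{ git_gpg_gpghome }}"
    state: directory
    mode: "0700"

- name: GPG-VERIFICATION | Import GnuPG test key
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  command: "gpg --import {{ git_gpg_keyfile }}"

- name: GPG-VERIFICATION | Create local GnuPG signed repository directory
  file:
    path: "{{ git_gpg_source }}"
    state: directory

# Fixture layout (all signing uses the only key in GNUPGHOME):
#   lightweight_tag/unsigned_commit -> unsigned commit
#   lightweight_tag/signed_commit   -> signed commit
#   unsigned_annotated_tag          -> unsigned annotated tag
#   signed_annotated_tag            -> signed tag
#   some_branch/signed_tip          -> branch whose tip is signed
#   another_branch/unsigned_tip     -> branch whose tip is unsigned
# NOTE(review): the branch setup assumes `git init` names the initial
# branch `master` — confirm against the git version on the test host.
- name: GPG-VERIFICATION | Generate local GnuPG signed repository
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  shell: |
    set -e
    git init
    touch an_empty_file
    git add an_empty_file
    git commit --no-gpg-sign --message "Commit, and don't sign"
    git tag lightweight_tag/unsigned_commit HEAD
    git commit --allow-empty --gpg-sign --message "Commit, and sign"
    git tag lightweight_tag/signed_commit HEAD
    git tag --annotate --message "This is not a signed tag" unsigned_annotated_tag HEAD
    git commit --allow-empty --gpg-sign --message "Commit, and sign"
    git tag --sign --message "This is a signed tag" signed_annotated_tag HEAD
    git checkout -b some_branch/signed_tip master
    git commit --allow-empty --gpg-sign --message "Commit, and sign"
    git checkout -b another_branch/unsigned_tip master
    git commit --allow-empty --no-gpg-sign --message "Commit, and don't sign"
    git checkout master
  args:
    chdir: "{{ git_gpg_source }}"

- name: GPG-VERIFICATION | Get hash of an unsigned commit
  command: git show-ref --hash --verify refs/tags/lightweight_tag/unsigned_commit
  args:
    chdir: "{{ git_gpg_source }}"
  register: git_gpg_unsigned_commit

- name: GPG-VERIFICATION | Get hash of a signed commit
  command: git show-ref --hash --verify refs/tags/lightweight_tag/signed_commit
  args:
    chdir: "{{ git_gpg_source }}"
  register: git_gpg_signed_commit

# No `version` given: the checked-out HEAD (a signed commit) is verified.
- name: GPG-VERIFICATION | Clone repo and verify signed HEAD
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    verify_commit: true

- name: GPG-VERIFICATION | Clone repo and verify a signed lightweight tag
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: lightweight_tag/signed_commit
    verify_commit: true

# Negative cases register the result and assert on it rather than letting
# the expected failure abort the play.
- name: GPG-VERIFICATION | Clone repo and verify an unsigned lightweight tag (should fail)
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: lightweight_tag/unsigned_commit
    verify_commit: true
  register: git_verify
  ignore_errors: true

- name: GPG-VERIFICATION | Check that unsigned lightweight tag verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")

- name: GPG-VERIFICATION | Clone repo and verify a signed commit
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: "{{ git_gpg_signed_commit.stdout }}"
    verify_commit: true

- name: GPG-VERIFICATION | Clone repo and verify an unsigned commit
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: "{{ git_gpg_unsigned_commit.stdout }}"
    verify_commit: true
  register: git_verify
  ignore_errors: true

- name: GPG-VERIFICATION | Check that unsigned commit verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")

- name: GPG-VERIFICATION | Clone repo and verify a signed annotated tag
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: signed_annotated_tag
    verify_commit: true

- name: GPG-VERIFICATION | Clone repo and verify an unsigned annotated tag (should fail)
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: unsigned_annotated_tag
    verify_commit: true
  register: git_verify
  ignore_errors: true

- name: GPG-VERIFICATION | Check that unsigned annotated tag verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")

- name: GPG-VERIFICATION | Clone repo and verify a signed branch
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: some_branch/signed_tip
    verify_commit: true

- name: GPG-VERIFICATION | Clone repo and verify an unsigned branch (should fail)
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: another_branch/unsigned_tip
    verify_commit: true
  register: git_verify
  ignore_errors: true

- name: GPG-VERIFICATION | Check that unsigned branch verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")

# The agent may hold locks and sockets under GNUPGHOME; stop it before the
# workdir is deleted. OpenSUSE 42.3 ships an older gpg-agent that does not
# support this, so the step is skipped there.
- name: GPG-VERIFICATION | Stop gpg-agent so we can remove any locks on the GnuPG dir
  command: gpgconf --kill gpg-agent
  when: ansible_os_family != 'Suse' or ansible_distribution_version != '42.3'
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"

# Removes the key file, GNUPGHOME, the source repository and the clone.
- name: GPG-VERIFICATION | Remove GnuPG verification workdir
  file:
    path: "{{ git_gpg_workdir.path }}"
    state: absent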