1# Test for verification of GnuPG signatures
2
# Per-run scratch directory. Every later path (key file, source repo, clone
# destination, GNUPGHOME) is derived from it, so cleanup is one `state: absent`.
- name: GPG-VERIFICATION | Create GnuPG verification workdir
  tempfile:
    state: directory
  register: git_gpg_workdir
7
- name: GPG-VERIFICATION | Define variables based on workdir
  set_fact:
    # ASCII-armoured test key, written out of git_gpg_testkey below
    git_gpg_keyfile: "{{ git_gpg_workdir.path }}/testkey.asc"
    # fixture repository with signed and unsigned refs (the clone source)
    git_gpg_source: "{{ git_gpg_workdir.path }}/source"
    # clone destination reused by every verify task
    git_gpg_dest: "{{ git_gpg_workdir.path }}/dest"
    # isolated GNUPGHOME: the test key is imported here, never into the
    # invoking user's own keyring
    git_gpg_gpghome: "{{ git_gpg_workdir.path }}/gpg"
14
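# The test key is used with --gpg-sign further down, so it contains secret
# key material: keep the temporary file owner-readable only instead of
# relying on the target's umask.
- name: GPG-VERIFICATION | Temporary store GnuPG test key
  copy:
    content: "{{ git_gpg_testkey }}"
    dest: "{{ git_gpg_keyfile }}"
    mode: "0600"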
19
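- name: GPG-VERIFICATION | Create temporary GNUPGHOME directory
  file:
    path: "{{ git_gpg_gpghome }}"
    state: directory
    # Quoted so the octal mode reads the same under YAML 1.1 and 1.2 parsers
    # (unquoted 0700 is octal in one and decimal 700 in the other). gpg also
    # warns about unsafe permissions on a homedir that is not owner-only.
    mode: "0700"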
25
# Import goes into the isolated GNUPGHOME only; the user's keyring is untouched.
# command (not shell) is used, so the templated path is passed as a single
# argument without shell interpretation.
- name: GPG-VERIFICATION | Import GnuPG test key
  command: "gpg --import {{ git_gpg_keyfile }}"
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
30
# Empty directory that the shell task below turns into the fixture repository.
- name: GPG-VERIFICATION | Create local GnuPG signed repository directory
  file:
    path: "{{ git_gpg_source }}"
    state: directory
35
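# Builds the fixture repository. Ref layout consumed by the verify tasks:
#   lightweight_tag/unsigned_commit -> unsigned commit        (must fail)
#   lightweight_tag/signed_commit   -> signed commit
#   unsigned_annotated_tag          -> annotated, unsigned tag (must fail)
#   signed_annotated_tag            -> signed annotated tag
#   some_branch/signed_tip          -> branch tip is signed
#   another_branch/unsigned_tip     -> branch tip is unsigned  (must fail)
# master is left at the last signed commit (the one signed_annotated_tag
# points to), which is what the "verify signed HEAD" task relies on.
# NOTE(review): assumes git's committer identity and key selection
# (user.email / user.signingkey matching the imported test key) are
# configured elsewhere in this test target — confirm against its setup tasks.
- name: GPG-VERIFICATION | Generate local GnuPG signed repository
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  shell: |
    set -e
    git init
    # The "checkout -b ... master" lines below need the initial branch to be
    # called master; pin it so a git with init.defaultBranch set to another
    # name does not break the fixture. No-op when master is already HEAD.
    git symbolic-ref HEAD refs/heads/master
    touch an_empty_file
    git add an_empty_file
    git commit --no-gpg-sign --message "Commit, and don't sign"
    git tag lightweight_tag/unsigned_commit HEAD
    git commit --allow-empty --gpg-sign --message "Commit, and sign"
    git tag lightweight_tag/signed_commit HEAD
    git tag --annotate --message "This is not a signed tag" unsigned_annotated_tag HEAD
    git commit --allow-empty --gpg-sign --message "Commit, and sign"
    git tag --sign --message "This is a signed tag" signed_annotated_tag HEAD
    git checkout -b some_branch/signed_tip master
    git commit --allow-empty --gpg-sign --message "Commit, and sign"
    git checkout -b another_branch/unsigned_tip master
    git commit --allow-empty --no-gpg-sign --message "Commit, and don't sign"
    git checkout master
  args:
    chdir: "{{ git_gpg_source }}"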
58
# Resolve the tag to the raw commit hash so the "verify an unsigned commit"
# task below can pass a SHA rather than a ref name as version.
- name: GPG-VERIFICATION | Get hash of an unsigned commit
  command: git show-ref --hash --verify refs/tags/lightweight_tag/unsigned_commit
  args:
    chdir: "{{ git_gpg_source }}"
  register: git_gpg_unsigned_commit
64
# Resolve the tag to the raw commit hash so the "verify a signed commit"
# task below can pass a SHA rather than a ref name as version.
- name: GPG-VERIFICATION | Get hash of a signed commit
  command: git show-ref --hash --verify refs/tags/lightweight_tag/signed_commit
  args:
    chdir: "{{ git_gpg_source }}"
  register: git_gpg_signed_commit
70
# No version given: HEAD of the fixture is master, whose tip is the last
# signed commit, so verification is expected to pass.
- name: GPG-VERIFICATION | Clone repo and verify signed HEAD
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
78
# Positive case: a lightweight tag carries no signature of its own, so this
# passes only if the module verifies the commit the tag points to.
- name: GPG-VERIFICATION | Clone repo and verify a signed lightweight tag
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: lightweight_tag/signed_commit
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
87
# Negative case. ignore_errors only keeps the play running; the assert that
# follows is the real check. git_verify is reused by every negative case in
# this file, so each assert must stay directly after its own clone task.
- name: GPG-VERIFICATION | Clone repo and verify an unsigned lightweight tag (should fail)
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: lightweight_tag/unsigned_commit
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  ignore_errors: true
  register: git_verify

# The task must fail *because of* the signature check, not for any other
# reason, hence the message match in addition to the failed test.
- name: GPG-VERIFICATION | Check that unsigned lightweight tag verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
104
# Positive case with a raw SHA (resolved above) instead of a ref name.
- name: GPG-VERIFICATION | Clone repo and verify a signed commit
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: "{{ git_gpg_signed_commit.stdout }}"
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
113
# Negative case with a raw SHA (resolved above); ignore_errors only keeps
# the play running, the assert below is the real check.
- name: GPG-VERIFICATION | Clone repo and verify an unsigned commit
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: "{{ git_gpg_unsigned_commit.stdout }}"
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  ignore_errors: true
  register: git_verify

# Failure must come from the signature check itself, hence the message match.
- name: GPG-VERIFICATION | Check that unsigned commit verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
130
# Positive case: the annotated tag object itself is signed (git tag --sign).
- name: GPG-VERIFICATION | Clone repo and verify a signed annotated tag
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: signed_annotated_tag
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
139
# Negative case: unsigned_annotated_tag points at a signed commit, so this
# passes only if the (unsigned) tag object is what gets verified, not the
# commit behind it. ignore_errors only keeps the play running.
- name: GPG-VERIFICATION | Clone repo and verify an unsigned annotated tag (should fail)
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: unsigned_annotated_tag
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  ignore_errors: true
  register: git_verify

# Failure must come from the signature check itself, hence the message match.
- name: GPG-VERIFICATION | Check that unsigned annotated tag verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
156
# Positive case: the branch tip is a signed commit.
- name: GPG-VERIFICATION | Clone repo and verify a signed branch
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: some_branch/signed_tip
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
165
# Negative case: the branch tip is an unsigned commit on top of signed
# history, so only the tip must count. ignore_errors only keeps the play
# running; the assert below is the real check.
- name: GPG-VERIFICATION | Clone repo and verify an unsigned branch (should fail)
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: another_branch/unsigned_tip
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  ignore_errors: true
  register: git_verify

# Failure must come from the signature check itself, hence the message match.
- name: GPG-VERIFICATION | Check that unsigned branch verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
182
# gpg started an agent for the temporary GNUPGHOME during import/verify;
# stop it before the directory is removed. OpenSUSE 42.3 ships an older
# gpg-agent that does not support `gpgconf --kill`, so it is skipped there.
- name: GPG-VERIFICATION | Stop gpg-agent so we can remove any locks on the GnuPG dir
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  command: gpgconf --kill gpg-agent
  when: ansible_os_family != 'Suse' or ansible_distribution_version != '42.3'
188
# Cleanup is a plain trailing task: if any task above fails, the workdir —
# including the imported secret test key — is left behind on the target.
# NOTE(review): a block/always around this file's tasks would make the
# removal unconditional if that matters on shared test hosts.
- name: GPG-VERIFICATION | Remove GnuPG verification workdir
  file:
    path: "{{ git_gpg_workdir.path }}"
    state: absent
193