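---
# Test for verification of GnuPG signatures
#
# Builds a throwaway repository whose commits, tags and branches are a mix of
# signed and unsigned, then clones it repeatedly with `verify_commit` to check
# that the git module accepts the signed refs and rejects the unsigned ones.
# Key file, GNUPGHOME, source repo and clone all live under one tempfile
# workdir that is removed in the last task, so the play never touches the
# controller's or target's real keyring.
#
# The `git_gpg_testkey` variable (the ASCII-armored test key) is expected to
# be defined outside this file.
#
# Tasks that verify commits or branch tips are guarded on git >= 2.1.0; the
# annotated-tag tasks are not. Presumably commit verification needs a newer
# git than tag verification does — confirm against the git module's docs.

- name: GPG-VERIFICATION | Create GnuPG verification workdir
  tempfile:
    state: directory
  register: git_gpg_workdir

- name: GPG-VERIFICATION | Define variables based on workdir
  set_fact:
    git_gpg_keyfile: "{{ git_gpg_workdir.path }}/testkey.asc"
    git_gpg_source: "{{ git_gpg_workdir.path }}/source"
    git_gpg_dest: "{{ git_gpg_workdir.path }}/dest"
    git_gpg_gpghome: "{{ git_gpg_workdir.path }}/gpg"

# Dedicated test key only; it is written unencrypted into the temporary
# workdir and deleted together with it at the end of this file.
- name: GPG-VERIFICATION | Temporary store GnuPG test key
  copy:
    content: "{{ git_gpg_testkey }}"
    dest: "{{ git_gpg_keyfile }}"

- name: GPG-VERIFICATION | Create temporary GNUPGHOME directory
  file:
    path: "{{ git_gpg_gpghome }}"
    state: directory
    # Quoted so the YAML loader does not retype the octal mode as an integer.
    mode: "0700"

# Every gpg/git invocation below points GNUPGHOME at the temporary keyring so
# the test key never reaches the default ~/.gnupg.
- name: GPG-VERIFICATION | Import GnuPG test key
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  command: gpg --import {{ git_gpg_keyfile }}

- name: GPG-VERIFICATION | Create local GnuPG signed repository directory
  file:
    path: "{{ git_gpg_source }}"
    state: directory

# Layout of the generated repository (all on top of one unsigned root commit):
#   lightweight_tag/unsigned_commit -> unsigned commit
#   lightweight_tag/signed_commit   -> signed commit
#   unsigned_annotated_tag          -> annotated, unsigned tag
#   signed_annotated_tag            -> annotated, signed tag
#   some_branch/signed_tip          -> branch whose tip is signed
#   another_branch/unsigned_tip     -> branch whose tip is unsigned
- name: GPG-VERIFICATION | Generate local GnuPG signed repository
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  shell: |
    set -e
    git init
    # The branches below are forked from "master"; pin the initial branch
    # name so the script does not depend on the host's init.defaultBranch.
    git symbolic-ref HEAD refs/heads/master
    touch an_empty_file
    git add an_empty_file
    git commit --no-gpg-sign --message "Commit, and don't sign"
    git tag lightweight_tag/unsigned_commit HEAD
    git commit --allow-empty --gpg-sign --message "Commit, and sign"
    git tag lightweight_tag/signed_commit HEAD
    git tag --annotate --message "This is not a signed tag" unsigned_annotated_tag HEAD
    git commit --allow-empty --gpg-sign --message "Commit, and sign"
    git tag --sign --message "This is a signed tag" signed_annotated_tag HEAD
    git checkout -b some_branch/signed_tip master
    git commit --allow-empty --gpg-sign --message "Commit, and sign"
    git checkout -b another_branch/unsigned_tip master
    git commit --allow-empty --no-gpg-sign --message "Commit, and don't sign"
    git checkout master
  args:
    chdir: "{{ git_gpg_source }}"

- name: GPG-VERIFICATION | Get hash of an unsigned commit
  command: git show-ref --hash --verify refs/tags/lightweight_tag/unsigned_commit
  args:
    chdir: "{{ git_gpg_source }}"
  register: git_gpg_unsigned_commit

- name: GPG-VERIFICATION | Get hash of a signed commit
  command: git show-ref --hash --verify refs/tags/lightweight_tag/signed_commit
  args:
    chdir: "{{ git_gpg_source }}"
  register: git_gpg_signed_commit

# All clones share one `dest`; each task updates the existing checkout to the
# requested ref and re-runs signature verification on it.
- name: GPG-VERIFICATION | Clone repo and verify signed HEAD
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    verify_commit: true
  when:
    - git_version.stdout is version("2.1.0", '>=')

- name: GPG-VERIFICATION | Clone repo and verify a signed lightweight tag
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: lightweight_tag/signed_commit
    verify_commit: true
  when:
    - git_version.stdout is version("2.1.0", '>=')

# Negative case: the failure is captured (ignore_errors) and asserted on
# below, so a silently passing verification of an unsigned ref fails the test.
- name: GPG-VERIFICATION | Clone repo and verify an unsigned lightweight tag (should fail)
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: lightweight_tag/unsigned_commit
    verify_commit: true
  register: git_verify
  ignore_errors: true
  when:
    - git_version.stdout is version("2.1.0", '>=')

- name: GPG-VERIFICATION | Check that unsigned lightweight tag verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
  when:
    - git_version.stdout is version("2.1.0", '>=')

- name: GPG-VERIFICATION | Clone repo and verify a signed commit
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: "{{ git_gpg_signed_commit.stdout }}"
    verify_commit: true
  when:
    - git_version.stdout is version("2.1.0", '>=')

- name: GPG-VERIFICATION | Clone repo and verify an unsigned commit
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: "{{ git_gpg_unsigned_commit.stdout }}"
    verify_commit: true
  register: git_verify
  ignore_errors: true
  when:
    - git_version.stdout is version("2.1.0", '>=')

- name: GPG-VERIFICATION | Check that unsigned commit verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
  when:
    - git_version.stdout is version("2.1.0", '>=')

- name: GPG-VERIFICATION | Clone repo and verify a signed annotated tag
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: signed_annotated_tag
    verify_commit: true

- name: GPG-VERIFICATION | Clone repo and verify an unsigned annotated tag (should fail)
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: unsigned_annotated_tag
    verify_commit: true
  register: git_verify
  ignore_errors: true

- name: GPG-VERIFICATION | Check that unsigned annotated tag verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")

- name: GPG-VERIFICATION | Clone repo and verify a signed branch
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: some_branch/signed_tip
    verify_commit: true
  when:
    - git_version.stdout is version("2.1.0", '>=')

- name: GPG-VERIFICATION | Clone repo and verify an unsigned branch (should fail)
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: another_branch/unsigned_tip
    verify_commit: true
  register: git_verify
  ignore_errors: true
  when:
    - git_version.stdout is version("2.1.0", '>=')

- name: GPG-VERIFICATION | Check that unsigned branch verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
  when:
    - git_version.stdout is version("2.1.0", '>=')

# A running agent may hold sockets/locks inside GNUPGHOME; stopping it is
# best-effort (no agent may be running) so the cleanup below still happens.
- name: GPG-VERIFICATION | Stop gpg-agent so we can remove any locks on the GnuPG dir
  command: gpgconf --kill gpg-agent
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  ignore_errors: true

- name: GPG-VERIFICATION | Remove GnuPG verification workdir
  file:
    path: "{{ git_gpg_workdir.path }}"
    state: absent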