1# Tests for the git module's verify_commit option: GnuPG signature verification of HEAD, lightweight tags, bare commits, annotated tags and branch tips, with both passing and expected-to-fail cases
2
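- name: GPG-VERIFICATION | Create GnuPG verification workdir
  # Everything this test touches (key file, GNUPGHOME, source repository
  # and clone target) lives under one throw-away directory that is
  # removed by the last task of this file.
  tempfile:
    state: directory
  register: git_gpg_workdir

- name: GPG-VERIFICATION | Define variables based on workdir
  set_fact:
    git_gpg_keyfile: "{{ git_gpg_workdir.path }}/testkey.asc"
    git_gpg_source: "{{ git_gpg_workdir.path }}/source"
    git_gpg_dest: "{{ git_gpg_workdir.path }}/dest"
    git_gpg_gpghome: "{{ git_gpg_workdir.path }}/gpg"

- name: GPG-VERIFICATION | Temporary store GnuPG test key
  # git_gpg_testkey is defined outside this file. The repository generated
  # below is signed with it, so the fixture necessarily contains the secret
  # key as well; keep the file owner-only even inside the private workdir
  # and treat the key strictly as a test fixture.
  copy:
    content: "{{ git_gpg_testkey }}"
    dest: "{{ git_gpg_keyfile }}"
    mode: "0600"

- name: GPG-VERIFICATION | Create temporary GNUPGHOME directory
  # A dedicated GNUPGHOME keeps the test from reading or modifying the
  # user's real keyring (and from trusting keys that live there); gpg also
  # warns when its home directory is group/world accessible, hence 0700.
  file:
    path: "{{ git_gpg_gpghome }}"
    state: directory
    mode: "0700"

- name: GPG-VERIFICATION | Import GnuPG test key
  # --batch guarantees gpg never waits for terminal input. Importing only
  # adds the key: no owner trust is assigned, so the verifications below
  # prove "signed by a key present in this keyring", not "signed by a
  # trusted key".
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  command: gpg --batch --import {{ git_gpg_keyfile }}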
30
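- name: GPG-VERIFICATION | Create local GnuPG signed repository directory
  file:
    path: "{{ git_gpg_source }}"
    state: directory

- name: GPG-VERIFICATION | Generate local GnuPG signed repository
  # Builds the fixture repository the clone tests below check out from.
  # History on the default branch, oldest first:
  #   1. unsigned commit  <- lightweight_tag/unsigned_commit
  #   2. signed commit    <- lightweight_tag/signed_commit, unsigned_annotated_tag
  #   3. signed commit    <- signed_annotated_tag, default branch tip
  #   some_branch/signed_tip      = 3 + one signed commit
  #   another_branch/unsigned_tip = 3 + one unsigned commit
  # Signing relies on gpg selecting the key imported into GNUPGHOME
  # (assumes it is the only secret key there, or that user.signingkey is
  # set by the surrounding test setup, as user.name/user.email must be —
  # confirm against the calling playbook).
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  shell: |
    set -e
    git init
    # Do not hard-code "master": init.defaultBranch may be configured on the
    # host. Use whatever name git actually gave the initial branch.
    default_branch="$(git symbolic-ref --short HEAD)"
    touch an_empty_file
    git add an_empty_file
    git commit --no-gpg-sign --message "Commit, and don't sign"
    git tag lightweight_tag/unsigned_commit HEAD
    git commit --allow-empty --gpg-sign --message "Commit, and sign"
    git tag lightweight_tag/signed_commit HEAD
    git tag --annotate --message "This is not a signed tag" unsigned_annotated_tag HEAD
    git commit --allow-empty --gpg-sign --message "Commit, and sign"
    git tag --sign --message "This is a signed tag" signed_annotated_tag HEAD
    git checkout -b some_branch/signed_tip "$default_branch"
    git commit --allow-empty --gpg-sign --message "Commit, and sign"
    git checkout -b another_branch/unsigned_tip "$default_branch"
    git commit --allow-empty --no-gpg-sign --message "Commit, and don't sign"
    git checkout "$default_branch"
  args:
    chdir: "{{ git_gpg_source }}"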
58
# Resolve the two lightweight tags to raw commit hashes so the module can
# also be exercised with a bare SHA as `version`.
- name: GPG-VERIFICATION | Get hash of an unsigned commit
  command: git rev-parse --verify refs/tags/lightweight_tag/unsigned_commit
  args:
    chdir: "{{ git_gpg_source }}"
  register: git_gpg_unsigned_commit

- name: GPG-VERIFICATION | Get hash of a signed commit
  command: git rev-parse --verify refs/tags/lightweight_tag/signed_commit
  args:
    chdir: "{{ git_gpg_source }}"
  register: git_gpg_signed_commit
70
- name: GPG-VERIFICATION | Clone repo and verify signed HEAD
  # No `version` given, so HEAD of the default branch (a signed commit) is
  # checked out and verified. Guarded on git 2.1.0 because that is where
  # `git verify-commit` appeared; git_version is registered outside this
  # file. Note that success here only means the signature validates against
  # a key present in GNUPGHOME — the key was imported without any owner
  # trust, so key trust is not what these tasks exercise.
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  when: git_version.stdout is version('2.1.0', '>=')

- name: GPG-VERIFICATION | Clone repo and verify a signed lightweight tag
  # A lightweight tag is only a ref and carries no signature of its own;
  # what gets verified is the commit it points at.
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: lightweight_tag/signed_commit
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  when: git_version.stdout is version('2.1.0', '>=')

- name: GPG-VERIFICATION | Clone repo and verify an unsigned lightweight tag (should fail)
  # Negative case: the module must refuse the checkout. The failure is
  # captured with ignore_errors and checked by the assert right after.
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: lightweight_tag/unsigned_commit
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  register: git_verify
  ignore_errors: true
  when: git_version.stdout is version('2.1.0', '>=')

- name: GPG-VERIFICATION | Check that unsigned lightweight tag verification failed
  # Both the failed status and the module's specific message are required,
  # so an unrelated error (network, missing binary) cannot pass as a
  # rejected signature.
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
  when: git_version.stdout is version('2.1.0', '>=')
112
- name: GPG-VERIFICATION | Clone repo and verify a signed commit
  # Same repository, but `version` is now the raw SHA resolved earlier
  # rather than a ref name.
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: "{{ git_gpg_signed_commit.stdout }}"
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  when: git_version.stdout is version('2.1.0', '>=')

- name: GPG-VERIFICATION | Clone repo and verify an unsigned commit
  # Negative case by SHA; expected to fail, so errors are ignored here and
  # asserted on below.
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: "{{ git_gpg_unsigned_commit.stdout }}"
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  register: git_verify
  ignore_errors: true
  when: git_version.stdout is version('2.1.0', '>=')

- name: GPG-VERIFICATION | Check that unsigned commit verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
  when: git_version.stdout is version('2.1.0', '>=')
144
- name: GPG-VERIFICATION | Clone repo and verify a signed annotated tag
  # Unlike the lightweight-tag cases, the tag object itself carries the
  # signature here. These three tasks have no git-version guard — presumably
  # because an annotated tag is checked with `git verify-tag`, which is
  # older than `git verify-commit` (confirm against the module code).
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: signed_annotated_tag
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"

- name: GPG-VERIFICATION | Clone repo and verify an unsigned annotated tag (should fail)
  # The tag points at a *signed* commit but is itself unsigned; the module
  # must still reject it.
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: unsigned_annotated_tag
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  register: git_verify
  ignore_errors: true

- name: GPG-VERIFICATION | Check that unsigned annotated tag verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
170
- name: GPG-VERIFICATION | Clone repo and verify a signed branch
  # For a branch name the commit at the branch tip is what gets verified.
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: some_branch/signed_tip
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  when: git_version.stdout is version('2.1.0', '>=')

- name: GPG-VERIFICATION | Clone repo and verify an unsigned branch (should fail)
  # Tip commit is unsigned even though its parent is signed; only the tip
  # counts, so this must fail.
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: another_branch/unsigned_tip
    verify_commit: true
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  register: git_verify
  ignore_errors: true
  when: git_version.stdout is version('2.1.0', '>=')

- name: GPG-VERIFICATION | Check that unsigned branch verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
  when: git_version.stdout is version('2.1.0', '>=')
202
- name: GPG-VERIFICATION | Stop gpg-agent so we can remove any locks on the GnuPG dir
  # Signing and verifying may have started an agent bound to the temporary
  # GNUPGHOME; stop it so nothing holds locks inside the directory while it
  # is being deleted. Errors are tolerated (no gpgconf binary, or no agent
  # was ever started).
  command: gpgconf --kill gpg-agent
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  ignore_errors: true

- name: GPG-VERIFICATION | Remove GnuPG verification workdir
  # This also deletes the secret test key and the keyring built from it.
  # NOTE(review): this cleanup only runs when every task above succeeded; a
  # failure mid-way leaves the key on disk until the next run. Wrapping the
  # file's tasks in a block with an `always:` section would close that gap.
  file:
    path: "{{ git_gpg_workdir.path }}"
    state: absent
213