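---
# Test for verification of GnuPG signatures.
#
# Builds a throw-away repository that contains signed and unsigned commits,
# tags and branches, then clones it with `verify_commit` to check that the
# git module accepts only revisions whose signature it can verify and fails
# on everything else. All state lives under a temporary workdir that is
# removed at the end, and GNUPGHOME is pointed at a private directory inside
# it so the test never touches the keyring of the user running it.
#
# Requires `git_gpg_testkey` (ASCII-armoured key material) to be defined by
# the caller; it must include the secret key, because the repository below
# is signed with it.

- name: GPG-VERIFICATION | Create GnuPG verification workdir
  tempfile:
    state: directory
  register: git_gpg_workdir

- name: GPG-VERIFICATION | Define variables based on workdir
  set_fact:
    git_gpg_keyfile: "{{ git_gpg_workdir.path }}/testkey.asc"
    git_gpg_source: "{{ git_gpg_workdir.path }}/source"
    git_gpg_dest: "{{ git_gpg_workdir.path }}/dest"
    git_gpg_gpghome: "{{ git_gpg_workdir.path }}/gpg"

- name: GPG-VERIFICATION | Temporary store GnuPG test key
  copy:
    content: "{{ git_gpg_testkey }}"
    dest: "{{ git_gpg_keyfile }}"
    # The file carries the secret key the repository is signed with; keep it
    # owner-readable only, independent of the workdir's own permissions.
    mode: "0600"

- name: GPG-VERIFICATION | Create temporary GNUPGHOME directory
  file:
    path: "{{ git_gpg_gpghome }}"
    state: directory
    # Quoted so the mode stays an octal string instead of being parsed as a
    # number; gpg expects its home directory to be private to the owner.
    mode: "0700"

- name: GPG-VERIFICATION | Import GnuPG test key
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  # --batch keeps gpg from prompting when run unattended; the path is quoted
  # so the templated value stays a single argument even if it contains spaces.
  command: 'gpg --batch --import "{{ git_gpg_keyfile }}"'

- name: GPG-VERIFICATION | Create local GnuPG signed repository directory
  file:
    path: "{{ git_gpg_source }}"
    state: directory

- name: GPG-VERIFICATION | Generate local GnuPG signed repository
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  # Lays out every revision kind the clone tasks below exercise:
  #   lightweight_tag/unsigned_commit  -> unsigned commit
  #   lightweight_tag/signed_commit    -> signed commit
  #   unsigned_annotated_tag           -> unsigned tag on a signed commit
  #   signed_annotated_tag             -> signed tag on a signed commit
  #   some_branch/signed_tip           -> branch whose tip commit is signed
  #   another_branch/unsigned_tip      -> branch whose tip commit is unsigned
  shell: |
    set -eu
    git init
    touch an_empty_file
    git add an_empty_file
    git commit --no-gpg-sign --message "Commit, and don't sign"
    # The initial branch name depends on git's init.defaultBranch setting;
    # record it rather than assuming "master".
    default_branch="$(git rev-parse --abbrev-ref HEAD)"
    git tag lightweight_tag/unsigned_commit HEAD
    git commit --allow-empty --gpg-sign --message "Commit, and sign"
    git tag lightweight_tag/signed_commit HEAD
    git tag --annotate --message "This is not a signed tag" unsigned_annotated_tag HEAD
    git commit --allow-empty --gpg-sign --message "Commit, and sign"
    git tag --sign --message "This is a signed tag" signed_annotated_tag HEAD
    git checkout -b some_branch/signed_tip "$default_branch"
    git commit --allow-empty --gpg-sign --message "Commit, and sign"
    git checkout -b another_branch/unsigned_tip "$default_branch"
    git commit --allow-empty --no-gpg-sign --message "Commit, and don't sign"
    git checkout "$default_branch"
  args:
    chdir: "{{ git_gpg_source }}"

- name: GPG-VERIFICATION | Get hash of an unsigned commit
  command: git show-ref --hash --verify refs/tags/lightweight_tag/unsigned_commit
  args:
    chdir: "{{ git_gpg_source }}"
  register: git_gpg_unsigned_commit

- name: GPG-VERIFICATION | Get hash of a signed commit
  command: git show-ref --hash --verify refs/tags/lightweight_tag/signed_commit
  args:
    chdir: "{{ git_gpg_source }}"
  register: git_gpg_signed_commit

# Positive case: the tip of the default branch is a signed commit.
- name: GPG-VERIFICATION | Clone repo and verify signed HEAD
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    verify_commit: true

- name: GPG-VERIFICATION | Clone repo and verify a signed lightweight tag
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: lightweight_tag/signed_commit
    verify_commit: true

# Negative cases register the result and ignore the error so the following
# assert can check that the module failed for the expected reason rather
# than silently succeeding.
- name: GPG-VERIFICATION | Clone repo and verify an unsigned lightweight tag (should fail)
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: lightweight_tag/unsigned_commit
    verify_commit: true
  register: git_verify
  ignore_errors: true

- name: GPG-VERIFICATION | Check that unsigned lightweight tag verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")

- name: GPG-VERIFICATION | Clone repo and verify a signed commit
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: "{{ git_gpg_signed_commit.stdout }}"
    verify_commit: true

- name: GPG-VERIFICATION | Clone repo and verify an unsigned commit
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: "{{ git_gpg_unsigned_commit.stdout }}"
    verify_commit: true
  register: git_verify
  ignore_errors: true

- name: GPG-VERIFICATION | Check that unsigned commit verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")

- name: GPG-VERIFICATION | Clone repo and verify a signed annotated tag
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: signed_annotated_tag
    verify_commit: true

- name: GPG-VERIFICATION | Clone repo and verify an unsigned annotated tag (should fail)
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: unsigned_annotated_tag
    verify_commit: true
  register: git_verify
  ignore_errors: true

- name: GPG-VERIFICATION | Check that unsigned annotated tag verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")

- name: GPG-VERIFICATION | Clone repo and verify a signed branch
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: some_branch/signed_tip
    verify_commit: true

- name: GPG-VERIFICATION | Clone repo and verify an unsigned branch (should fail)
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: another_branch/unsigned_tip
    verify_commit: true
  register: git_verify
  ignore_errors: true

- name: GPG-VERIFICATION | Check that unsigned branch verification failed
  assert:
    that:
      - git_verify is failed
      - git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")

- name: GPG-VERIFICATION | Stop gpg-agent so we can remove any locks on the GnuPG dir
  command: gpgconf --kill gpg-agent
  # OpenSUSE 42.3 ships with an older version of gpg-agent that doesn't
  # support this.
  when: ansible_os_family != 'Suse' or ansible_distribution_version != '42.3'
  environment:
    GNUPGHOME: "{{ git_gpg_gpghome }}"

- name: GPG-VERIFICATION | Remove GnuPG verification workdir
  file:
    path: "{{ git_gpg_workdir.path }}"
    state: absent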