On Monday 07 June 2021 at 12:44:23, Vladimir Botka wrote:
> shell> cat test-003.yml
> - hosts: all
>   gather_facts: false
>   vars:
>     my_filename: test-003.yml
>     my_path: "{{ playbook_dir }}/{{ my_filename }}"
>     my_hash_path: "{{ my_path }}.sha1"
>     my_hash: "{{ (lookup('file', my_hash_path).split()).0 }}"
>   tasks:
>     - name: Test integrity of the playbook
>       block:
>         - stat:
>             path: "{{ my_path }}"
>             checksum_algorithm: sha1
>           register: result
>         - assert:
>             that: result.stat.checksum == my_hash
>       delegate_to: localhost
>       run_once: true
That's a good enough way of checking that the hash of the playbook in question
does match the stored hash, but...
> shell> sha1sum test-003.yml > test-003.yml.sha1
> shell> cat test-003.yml.sha1
> 9762fde5aa52f72dfcf064fa3062fd41540573af test-003.yml
...means that it's trivial for someone to take a playbook, modify it, and
create a new hash file.
I interpret "signed" in the original question to mean something that cannot be
falsified by someone who is running the ansible commands.
Antony.
--
The more 'success' you get, the easier it is to be disappointed by not getting
things.
The only difference is that now no-one feels sorry for you.
- Matt Haig
Please reply to the list;
please *don't* CC me.
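The point Antony makes above, shown as an added example that is not part of the thread: the side-car sha1 check passes again the moment the runner regenerates the hash file, while a detached signature verified against the author's public key does not. It assumes openssl and sha1sum are installed and uses a constructed playbook in a scratch directory.

```sh
#!/bin/sh
# Added example, not from the thread. Contrasts the side-car hash check from the
# quoted playbook with a detached signature that the playbook runner cannot forge.
# Assumes openssl and sha1sum are available; all files live in a scratch directory.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PLAYBOOK="$WORK/test-003.yml"
PUBKEY="$WORK/author.pub"

# Scheme 1: sha1 stored next to the playbook, compared like the quoted assert task
verify_hash() {
  [ "$(awk '{print $1}' "$1.sha1")" = "$(sha1sum "$1" | awk '{print $1}')" ]
}

# Scheme 2: detached signature; verifying needs only the public key, producing
# a new one needs the author's private key, which the runner does not hold.
sign_playbook() { openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1"; }
verify_sig()    { openssl dgst -sha256 -verify "$2" -signature "$1.sig" "$1" >/dev/null 2>&1; }

# Author side: constructed playbook, key pair, hash file and signature
printf '%s\n' '- hosts: all' '  tasks:' '    - debug: msg=hello' > "$PLAYBOOK"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/author.key" 2>/dev/null
openssl pkey -in "$WORK/author.key" -pubout -out "$PUBKEY" 2>/dev/null
sha1sum "$PLAYBOOK" > "$PLAYBOOK.sha1"
sign_playbook "$PLAYBOOK" "$WORK/author.key"
rm "$WORK/author.key"                      # private key never reaches the runner

verify_hash "$PLAYBOOK" && echo "original: hash check passes"
verify_sig "$PLAYBOOK" "$PUBKEY" && echo "original: signature check passes"

# Runner side: edit the playbook and regenerate the hash file, as the reply describes
printf '%s\n' '    - debug: msg=tampered' >> "$PLAYBOOK"
sha1sum "$PLAYBOOK" > "$PLAYBOOK.sha1"

verify_hash "$PLAYBOOK" && echo "tampered: hash check still passes (forgeable)"
if ! verify_sig "$PLAYBOOK" "$PUBKEY"; then
  echo "tampered: signature check fails (cannot be re-signed without the key)"
fi
```

The public key would be distributed to the runners out of band; the assert task could then call `openssl dgst -verify` instead of comparing a hash the runner can rewrite.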