On Monday 07 June 2021 at 12:44:23, Vladimir Botka wrote:

> shell> cat test-003.yml
> - hosts: all
>   gather_facts: false
>   vars:
>     my_filename: test-003.yml
>     my_path: "{{ playbook_dir }}/{{ my_filename }}"
>     my_hash_path: "{{ my_path }}.sha1"
>     my_hash: "{{ (lookup('file', my_hash_path).split()).0 }}"
>   tasks:
>     - name: Test integrity of the playbook
>       block:
>         - stat:
>             path: "{{ my_path }}"
>             checksum_algorithm: sha1
>           register: result
>         - assert:
>             that: result.stat.checksum == my_hash
>       delegate_to: localhost
>       run_once: true
That's a good enough way of checking that the hash of the playbook in question does match the stored hash, but...

> shell> sha1sum test-003.yml > test-003.yml.sha1
> shell> cat test-003.yml.sha1
> 9762fde5aa52f72dfcf064fa3062fd41540573af test-003.yml

...means that it's trivial for someone to take a playbook, modify it, and create a new hash file.

I interpret "signed" in the original question to mean something that cannot be falsified by someone who is running the ansible commands.

Antony.

--
The more 'success' you get, the easier it is to be disappointed by not getting things. The only difference is that now no-one feels sorry for you. - Matt Haig

Please reply to the list; please *don't* CC me.
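An added illustration of the point above, not code from the thread: a shell script (it assumes `openssl` and `sha1sum` are installed, and uses a constructed playbook plus a throwaway RSA key) showing that a modified copy still passes the `.sha1` check once the hash file is regenerated, but fails verification against a detached signature, because only the holder of the private key can produce a valid one.

```shell
#!/bin/sh
# Added example, constructed for illustration; not from the thread.
# Assumes openssl and sha1sum are installed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed stand-in for test-003.yml
printf '%s\n' '- hosts: all' '  tasks:' '    - debug: msg=hello' > test-003.yml

# Author side, done once and offline: throwaway RSA key, hash file and
# detached signature. Only author.pub would be shipped to the controller.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out author.key 2>/dev/null
openssl pkey -in author.key -pubout -out author.pub 2>/dev/null
sha1sum test-003.yml > test-003.yml.sha1
openssl dgst -sha256 -sign author.key -out test-003.yml.sig test-003.yml

# The check from the quoted playbook: recompute sha1, compare with the .sha1 file.
hash_check() {
  [ "$(sha1sum "$1" | cut -d' ' -f1)" = "$(cut -d' ' -f1 "$1.sha1")" ]
}

# The stronger check: verify the detached signature with the pinned public key.
sig_check() {
  openssl dgst -sha256 -verify author.pub -signature "$1.sig" "$1" >/dev/null 2>&1
}

# What anyone with write access to the playbook can do: modify it, regenerate
# the .sha1 file, and carry the old signature along unchanged.
cp test-003.yml tampered.yml
printf '%s\n' '    - debug: msg=modified' >> tampered.yml
sha1sum tampered.yml > tampered.yml.sha1
cp test-003.yml.sig tampered.yml.sig

for f in test-003.yml tampered.yml; do
  printf '%-13s hash check: %s  signature check: %s\n' "$f" \
    "$(hash_check "$f" && echo pass || echo FAIL)" \
    "$(sig_check "$f" && echo pass || echo FAIL)"
done
```

In an Ansible task the equivalent of `sig_check` would run on the controller with `author.pub` pinned there, so regenerating the `.sha1` file buys a tamperer nothing.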