On 12/22/21 18:07, Nico Kadel-Garcia wrote:
> On Wed, Dec 22, 2021 at 12:00 PM 'Michael Ströder' via Ansible Project
> <[email protected]> wrote:
>> On 12/22/21 17:33, Michael Ströder wrote:
>>> Is it possible to make ansible-galaxy invoke 'git verify-tag' with a
>>> locally configured GPG public key on tags specified as version: in
>>> requirements.yml?
>>
>> Hmm, seems there is no such thing yet:
>> https://github.com/ansible/proposals/issues/36
>>
>> How do ansible users here deal with ansible collections/roles pulled
>> from remote resources? Just trust that nobody tampered with the software
>> repos?
>
> For Red Hat based systems, I use RPMs. Fedora publishes some of them
> as SRPMs, and I've built up some wrappers to build them alongside the
> oversized bundle that is now "ansible".
Maybe my posting was not clear enough:
I was not asking about GPG signatures of ansible itself or other
software artefacts.
I was asking about how to check the git tag signature of ansible
roles/collections specified in requirements.yml and retrieved by
ansible-galaxy tool.
For example I tell users of Æ-DIR to invoke [1]:

    ansible-galaxy install -r requirements.yml

The requirements.yml contains something like [2]:

    - src: git+https://code.stroeder.com/AE-DIR/ansible-ae-dir-server.git
      version: v0.32.3
      name: aedir_server
The git tags defined by version: are all signed locally. Thus it would
be nice if ansible-galaxy could check the GPG signature against my GPG
key installed beforehand on the ansible controller.
I'd like to provide additional protection because the ansible roles run
as root on the target. (Yes, I know very well that trusted distribution
of GPG public keys used for signature verification is hard at scale.)
Ciao, Michael.
[1] https://www.ae-dir.com/install.html#install
[2]
https://code.stroeder.com/AE-DIR/ansible-example-site/src/branch/master/requirements.yml
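Since ansible-galaxy itself offers no such check, the following is an added example of the pre-flight wrapper a controller could run before `ansible-galaxy install -r requirements.yml`. It is not code from the post, from Æ-DIR or from ansible-galaxy. For every `git+` source with a pinned `version:` it clones the repository, runs `git verify-tag --raw` on that tag, and accepts the tag only when gpg reports a good signature from a fingerprint pinned on the controller; the install is run only if every role passes. It assumes git and gpg are installed, that the signer's public key was already imported into the controller's gpg keyring, and that TRUSTED_FINGERPRINTS (a hypothetical value here) is filled in with the real key. The requirements.yml and gpg status text embedded in the block are constructed sample input.

```python
"""Pre-flight signed-tag check for git-sourced roles in requirements.yml.

Added example, not code from the post, from AE-DIR or from ansible-galaxy.
Assumes git and gpg are installed and the signer's public key is already
in the controller's gpg keyring. TRUSTED_FINGERPRINTS is hypothetical.
"""
import re
import subprocess
import sys
import tempfile

# Hypothetical fingerprint(s) of the key(s) allowed to sign role tags.
TRUSTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Constructed input, shaped like the requirements.yml quoted in the post.
SAMPLE_REQUIREMENTS = """\
- src: git+https://code.stroeder.com/AE-DIR/ansible-ae-dir-server.git
  version: v0.32.3
  name: aedir_server
"""

# Constructed gpg status lines, as `git verify-tag --raw` prints them to stderr.
SAMPLE_STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Role Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-12-22 1640192845 0 4 0 22 8 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
SAMPLE_STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Role Signer <signer@example.org>
"""


def parse_requirements(text):
    """Minimal parser for the '- src:/version:/name:' list layout from the
    post (PyYAML avoided so this runs stand-alone). Anything else, e.g. a
    bare '- namespace.role' item, is rejected rather than guessed at."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^\s*(-\s+)?([A-Za-z_]+):\s*(.*)$", line)
        if not m:
            raise ValueError(f"unsupported requirements.yml line: {raw!r}")
        dash, key, value = m.groups()
        if dash:
            current = {}
            entries.append(current)
        if current is None:
            raise ValueError("mapping key outside a list item")
        current[key] = value.strip().strip("'\"")
    return entries


def git_url(src):
    """Strip ansible-galaxy's 'git+' scheme prefix to get a plain clone URL."""
    return src[4:] if src.startswith("git+") else src


def check_signature(raw_status, trusted=TRUSTED_FINGERPRINTS):
    """Decide from gpg's status lines; returns (ok, fingerprint_or_reason).

    `git verify-tag` exits 0 for a good signature by *any* key in the
    keyring, so the signer is pinned here by fingerprint instead of
    trusting the exit code (git >= 2.26 also offers gpg.minTrustLevel)."""
    good, fpr = False, None
    for line in raw_status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        status = parts[1]
        if status in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, f"gpg reported {status}"
        if status == "GOODSIG":
            good = True
        elif status == "VALIDSIG":
            # Field 2 is the signing (sub)key; the trailing field, when
            # present, is the primary key fingerprint. Pin the primary.
            fpr = parts[-1] if len(parts) >= 12 else parts[2]
    if not (good and fpr):
        return False, "no valid signature"
    if fpr not in trusted:
        return False, f"signed by untrusted key {fpr}"
    return True, fpr


def verify_pinned_tag(url, tag, trusted=TRUSTED_FINGERPRINTS):
    """Clone the repository and verify the tag named in version:."""
    with tempfile.TemporaryDirectory() as workdir:
        subprocess.run(["git", "clone", "--quiet", "--no-checkout", url, workdir],
                       check=True, capture_output=True)
        # --raw puts gpg's machine-readable status lines on stderr.
        result = subprocess.run(["git", "-C", workdir, "verify-tag", "--raw", tag],
                                capture_output=True, text=True)
        if result.returncode != 0 and "[GNUPG:]" not in result.stderr:
            return False, result.stderr.strip() or "git verify-tag failed"
        return check_signature(result.stderr, trusted)


def main(path):
    with open(path, encoding="utf-8") as fh:
        entries = parse_requirements(fh.read())
    failures = 0
    for entry in entries:
        src, version = entry.get("src", ""), entry.get("version")
        if not src.startswith("git+"):
            continue  # not a git source, nothing to verify here
        if not version:
            print(f"REFUSED {src}: no version: pinned", file=sys.stderr)
            failures += 1
            continue
        ok, detail = verify_pinned_tag(git_url(src), version)
        print(f"{'OK' if ok else 'REFUSED'} {src}@{version}: {detail}")
        failures += 0 if ok else 1
    if failures:
        sys.exit(f"{failures} role(s) failed tag verification; not installing")
    subprocess.run(["ansible-galaxy", "install", "-r", path], check=True)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "requirements.yml")
```

Run it as `python3 verify_roles.py requirements.yml` on the controller after `gpg --import` of the signer's key. Pinning the fingerprint is the part that matters: `git verify-tag` only asks whether some key in the keyring produced a good signature, so on a controller whose keyring also holds unrelated keys the exit code alone would accept a tag signed by any of them. Entries without a `version:` are refused on purpose, since a moving branch head cannot be pinned to a signature.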