Use gpg import for sign-artifacts tasks

Because we used binary data, and it seems Ansible had some issues with
that. Switch to ASCII-armored versions and gpg import.

Change-Id: Ide400a2163c8fc08de0a28947ada7e9448d7675d
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Paul Belanger 2017-08-25 10:52:01 -04:00
parent ccbce75fce
commit 08448dee4b
2 changed files with 35 additions and 15 deletions


@ -8,13 +8,13 @@ Sign artifacts
for signing the artifacts. It is expected that this argument comes for signing the artifacts. It is expected that this argument comes
from a `Secret`. from a `Secret`.
.. zuul:rolevar:: pubring .. zuul:rolevar:: public
The binary contents of the GPG pubring. The ascii-armored contents of the GPG public key.
.. zuul:rolevar:: secring .. zuul:rolevar:: private
The binary contents of the GPG secring. The ascii-armored contents of the GPG private key.
.. zuul:rolevar:: gpg_artifact_path .. zuul:rolevar:: gpg_artifact_path
:default: "{{ zuul.executor.work_root }}/artifacts/" :default: "{{ zuul.executor.work_root }}/artifacts/"


@ -3,23 +3,43 @@
state: directory state: directory
register: gnupg_tmpdir register: gnupg_tmpdir
- name: Create GPG pubring - name: Create GPG private key tempfile
tempfile:
state: file
register: gpg_private_key_tmp
- name: Create GPG private key
copy: copy:
content: "{{ gpg_key.pubring }}" content: "{{ gpg_key.private }}"
dest: "{{ gnupg_tmpdir.path }}/pubring.gpg" dest: "{{ gpg_private_key_tmp.path }}"
mode: 0400 mode: 0400
- name: Create GPG secring - name: Import GPG private key
command: "gpg --homedir {{ gnupg_tmpdir.path }} --allow-secret-key-import --import {{ gpg_private_key_tmp.path }}"
- name: Delete GPG private key
file:
path: "{{ gpg_private_key_tmp.path }}"
state: absent
- name: Create GPG public key tempfile
tempfile:
state: file
register: gpg_public_key_tmp
- name: Create GPG public key
copy: copy:
content: "{{ gpg_key.secring }}" content: "{{ gpg_key.public }}"
dest: "{{ gnupg_tmpdir.path }}/secring.gpg" dest: "{{ gpg_public_key_tmp.path }}"
mode: 0400 mode: 0400
- name: Display sha1sum for GPG pubring / secring - name: Import GPG public key
command: "sha1sum {{ item }}" command: "gpg --homedir {{ gnugp_tmpdir.path }} --import {{ gpg_public_key_tmp.path }}"
with_items:
- "{{ gnupg_tmpdir.path }}/pubring.gpg" - name: Delete GPG public key
- "{{ gnupg_tmpdir.path }}/secring.gpg" file:
path: "{{ gpg_public_key_tmp.path }}"
state: absent
- name: Find files to sign - name: Find files to sign
find: find: