Use gpg import for sign-artifacts tasks

Because we used binary data, and it seems ansible had some issues with that. Switch to asscii-armored versions and gpg import. Change-Id: Ide400a2163c8fc08de0a28947ada7e9448d7675d Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-08-25 10:52:01 -04:00 · 2017-08-25 10:52:01 -04:00 · 08448dee4b
commit 08448dee4b
parent ccbce75fce
2 changed files with 35 additions and 15 deletions
--- a/roles/sign-artifacts/README.rst
+++ b/roles/sign-artifacts/README.rst
@ -8,13 +8,13 @@ Sign artifacts
   for signing the artifacts. It is expected that this argument comes
   from a `Secret`.

-  .. zuul:rolevar:: pubring
+  .. zuul:rolevar:: public

-     The binary contents of the GPG pubring.
+     The ascii-armored contents of the GPG public key.

-  .. zuul:rolevar:: secring
+  .. zuul:rolevar:: private

-     The binary contents of the GPG secring.
+     The ascii-armored contents of the GPG private key.

 .. zuul:rolevar:: gpg_artifact_path
   :default: "{{ zuul.executor.work_root }}/artifacts/"
--- a/roles/sign-artifacts/tasks/main.yaml
+++ b/roles/sign-artifacts/tasks/main.yaml
@ -3,23 +3,43 @@
    state: directory
  register: gnupg_tmpdir

- name: Create GPG pubring
+- name: Create GPG private key tempfile
+  tempfile:
+    state: file
+  register: gpg_private_key_tmp
+
+- name: Create GPG private key
  copy:
-    content: "{{ gpg_key.pubring }}"
-    dest: "{{ gnupg_tmpdir.path }}/pubring.gpg"
+    content: "{{ gpg_key.private }}"
+    dest: "{{ gpg_private_key_tmp.path }}"
    mode: 0400

- name: Create GPG secring
+- name: Import GPG private key
+  command: "gpg --homedir {{ gnupg_tmpdir.path }} --allow-secret-key-import --import {{ gpg_private_key_tmp.path }}"
+
+- name: Delete GPG private key
+  file:
+    path: "{{ gpg_private_key_tmp.path }}"
+    state: absent
+
+- name: Create GPG public key tempfile
+  tempfile:
+    state: file
+  register: gpg_public_key_tmp
+
+- name: Create GPG public key
  copy:
-    content: "{{ gpg_key.secring }}"
-    dest: "{{ gnupg_tmpdir.path }}/secring.gpg"
+    content: "{{ gpg_key.public }}"
+    dest: "{{ gpg_public_key_tmp.path }}"
    mode: 0400

- name: Display sha1sum for GPG pubring / secring
-  command: "sha1sum {{ item }}"
-  with_items:
-    - "{{ gnupg_tmpdir.path }}/pubring.gpg"
-    - "{{ gnupg_tmpdir.path }}/secring.gpg"
+- name: Import GPG public key
+  command: "gpg --homedir {{ gnugp_tmpdir.path }} --import {{ gpg_public_key_tmp.path }}"
+
+- name: Delete GPG public key
+  file:
+    path: "{{ gpg_public_key_tmp.path }}"
+    state: absent

 - name: Find files to sign
  find: