Ian Wienand 8e7d5e0404 add-gpgkey: trust incoming key
Add the incoming key to the trustdb with ultimate trust.  I noticed
this when using this role in a job that rechecks the signatures made
with an imported key (c.f Id624aa1ec6213be70809a8f911ab4aadc8a6ed53
and related changes).

Remove "--allow-secret-key-import" as it doesn't do anything any more,
per the man page.

Change-Id: I5fce163bce5c68342a444c36d9ba4af6e4af362c
2022-05-05 14:40:00 +10:00

33 lines
1.0 KiB
YAML

- name: Create GPG private key tempfile
tempfile:
state: file
register: gpg_private_key_tmp
- name: Stage GPG private key for importing
copy:
content: "{{ gpg_key.private }}"
dest: "{{ gpg_private_key_tmp.path }}"
mode: 0400
- name: Import GPG private key
command: "gpg --import {{ gpg_private_key_tmp.path }}"
- name: Trust the imported key
# Strip all whitespace and take the second line of output, which
# is the fingerprint, then import this at "I trust fully" level.
# This was a pain to figure out as gpg really wants to communicate
# with a tty if you do something obvious like "gpg --edit-key <id>
# ...". And what is menu option number "5" is actually "6" in the
# ownertrust db (ultimate trust)!
shell: |
set -o pipefail
echo $(gpg --show-keys {{ gpg_private_key_tmp.path }} \
| sed -n "s/ //g;2 p"):6: | gpg --import-ownertrust
args:
executable: '/bin/bash'
- name: Delete staged GPG private key
file:
path: "{{ gpg_private_key_tmp.path }}"
state: absent