f2cfa6c356
If a key in our existing keyring has an expiry date (or has expired), always import the provided value again, as it may be refreshing the value. Add an expiring key to test the matching; although on an ephemeral node we're importing always anyway. Also update the file test to a stat -- this is better than a weird error from gpg later. Change-Id: I8e7bc38c68c224795630b90a1b989098a7661491
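# On a static node, this saves us having to re-import the key
# constantly.
#
# Inputs (supplied by the caller of this task list):
#   zj_encrypt_file.key_id   -- key id handed to gpg
#   zj_encrypt_file.gpg_asc  -- ASCII-armoured key material to import
- name: Check for existing key
  command: |
    gpg --list-keys {{ zj_encrypt_file.key_id }}
  register: _key_exists
  # A found key returns 0, a missing key returns 2; any other code is a
  # real gpg error and should fail the play.
  failed_when: _key_exists.rc != 0 and _key_exists.rc != 2

# If the key may expire, we need to always import it because we can't
# be sure if the key hasn't changed to have a new expiration date.
# GPG outputs this in a string:
#   [expires: YYYY-MM-DD] or [expired: YYYY-MM-DD]
# regex_search returns None when nothing matches; default that to ''
# so the comparison in "Install key" below behaves the same whether or
# not native Jinja templating is enabled.
- name: Check for expiry string
  set_fact:
    _key_has_expiry: "{{ _key_exists.stdout | regex_search(regexp) | default('', true) }}"
  vars:
    regexp: '\[expire[sd]: '

# Import (or re-import) the key when it is missing or may expire.  The
# temporary keyfile is removed in "always" so it is not left on disk if
# the import or trust step fails part-way through.
- name: Install key
  when: _key_exists.rc != 0 or _key_has_expiry != ''
  block:
    - name: Create temporary keyfile
      tempfile:
        state: file
      register: _keyfile

    - name: Copy keyfile material  # noqa risky-file-permissions
      copy:
        content: '{{ zj_encrypt_file.gpg_asc }}'
        dest: '{{ _keyfile.path }}'

    - name: Import key
      command: |
        gpg --import {{ _keyfile.path }}

    # Strip all whitespace and take the second line of output, which
    # is the fingerprint, then import this at ultimate trust ("I trust
    # ultimately" is menu option 5 in "gpg --edit-key", but is stored
    # as 6 in the ownertrust db).  Ultimate trust means gpg treats the
    # key as the user's own, presumably so later operations against
    # this key run without an interactive trust prompt -- confirm with
    # the caller.  This was a pain to figure out as gpg really wants
    # to communicate with a tty if you do something obvious like
    # "gpg --edit-key <id> ...".
    # key_id is interpolated into a shell command line here, so it goes
    # through the quote filter to keep it a single shell word.
    - name: Trust key
      shell: |
        echo $(gpg --fingerprint {{ zj_encrypt_file.key_id | quote }} | sed -n "s/ //g;2 p"):6: | gpg --import-ownertrust

  always:
    # _keyfile.path is only present when the tempfile task succeeded.
    - name: Remove temporary keyfile
      file:
        path: '{{ _keyfile.path }}'
        state: absent
      when: _keyfile.path is defined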