zuul-jobs/roles/encrypt-file/tasks/import-key.yaml
Ian Wienand f2cfa6c356 encrypt-file: always import expiring keys
If a key is in our existing keyring has an expiry date (or, has
expired), always import the provided value again as it may be
refreshing the value.

Add an expiring key to test the matching; although on an ephemeral
node we're importing always anyway.

Also update the file test to a stat -- this is better than a weird
error from gpg later.

Change-Id: I8e7bc38c68c224795630b90a1b989098a7661491
2022-02-19 08:05:50 +11:00

51 lines
1.7 KiB
YAML

# On a static node, this saves us having to re-import the key
# constantly
- name: Check for existing key
command: |
gpg --list-keys {{ zj_encrypt_file.key_id }}
register: _key_exists
# A found key returns 0, a missing key returns 2
failed_when: _key_exists.rc != 0 and _key_exists.rc != 2
# If the key may expire, we need to always import it because we can't
# be sure if the key hasn't changed to have a new expiration date.
# GPG outputs this in a string:
# [expires: YYYY-DD-MM] or [expired: YYYY-DD-MM]
- name: Check for expiry string
set_fact:
_key_has_expiry: "{{ _key_exists.stdout | regex_search(regexp) }}"
vars:
regexp: '\[expire[sd]: '
- name: Install key
when: _key_exists.rc != 0 or _key_has_expiry != ''
block:
- name: Create temporary keyfile
tempfile:
state: file
register: _keyfile
- name: Copy keyfile material # noqa risky-file-permissions
copy:
content: '{{ zj_encrypt_file.gpg_asc }}'
dest: '{{ _keyfile.path }}'
- name: Import key
command: |
gpg --import {{ _keyfile.path }}
# Strip all whitespace and take the second line of output, which
# is the fingerprint, then import this at "I trust fully" level.
# This was a pain to figure out as gpg really wants to communicate
# with a tty if you do something obvious like "gpg --edit-key <id>
# ...". And what is menu option number "5" is actually "6" in the
# ownertrust db!
- name: Trust key
shell: |
echo $(gpg --fingerprint {{ zj_encrypt_file.key_id }} | sed -n "s/ //g;2 p"):6: | gpg --import-ownertrust
- name: Remove temporary keyfile
file:
path: '{{ _keyfile.path }}'
state: absent