WIndowsPb: gpg signature verification for ANT binary (#3018)

* gpg signature verification for ANT binary * fix conditional * Create gnupg dir when doesnt exist Create the home/.gnupg directory within windows/cygwin environment. * Linter fix * Linter fix. * Linter fix * Tweak path to GPG tasks * Linter Fix * Test Regsvr without silent for vs2017 * Undo regsvr test * remove playbooks_dir variable * change import to include --------- Co-authored-by: Scott Fryer <60462088+steelhead31@users.noreply.github.com> Co-authored-by: Martijn Verburg <martijnverburg@gmail.com>
adoptium · May 24, 2023 · d9b705d · d9b705d
1 parent 4d6ef21
commit d9b705d
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 0 deletions.
diff --git a/ansible/playbooks/AdoptOpenJDK_Windows_Playbook/group_vars/all/adoptopenjdk_variables.yml b/ansible/playbooks/AdoptOpenJDK_Windows_Playbook/group_vars/all/adoptopenjdk_variables.yml
@@ -14,3 +14,7 @@ heapsize: normal
 
 ## Nagios Server Details
 Nagios_Master_IP: 78.47.239.96
+
+# GPG Public Keys
+key:
+  apache_ant: CE8075A251547BEE249BC151A2115AE15F6B8B72 # Stefan Bodewig <bodewig@apache.org>
diff --git a/ansible/playbooks/AdoptOpenJDK_Windows_Playbook/roles/ANT/tasks/main.yml b/ansible/playbooks/AdoptOpenJDK_Windows_Playbook/roles/ANT/tasks/main.yml
@@ -26,6 +26,16 @@
   register: ant_download
   tags: ANT
 
+- name: GPG Signature Verification of Binary
+  include_tasks:
+    file: ../../GPG_signature_verification/tasks/main.yml
+  vars:
+    file_path: c:\temp\ant.zip
+    signature_link: "https://archive.apache.org/dist/ant/binaries/apache-ant-1.10.5-bin.zip.asc"
+    GPG_key: "{{ key.apache_ant }}"
+  when: (not ant_installed.stat.exists)
+  tags: ANT
+
 - name: Deploy Apache ANT
   win_unzip:
     src: c:\temp\ant.zip

diff --git a/...e/playbooks/AdoptOpenJDK_Windows_Playbook/roles/GPG_signature_verification/tasks/main.yml b/...e/playbooks/AdoptOpenJDK_Windows_Playbook/roles/GPG_signature_verification/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+# These tasks can only run once cygwin is installed on the remote machine
+
+- name: Check if gnupg directory exists
+  win_stat:
+    path: 'C:\cygwin64\home\%USERNAME%\.gnupg'
+  register: gnupg_check
+
+- name: Create gnupg directory with Cygwin ( if it doesnt exist )
+  win_shell: C:/cygwin64/bin/bash.exe -c "mkdir -p ~/.gnupg"
+  when: (not gnupg_check.stat.exists)
+
+- name: Fix Permissions
+  win_shell: C:/cygwin64/bin/bash.exe -c "chmod og-rwx ~/.gnupg"
+
+- name: Import GPG Key
+  win_command: gpg --keyserver keyserver.ubuntu.com --recv-keys "{{ GPG_key }}"
+
+- name: Get signature file
+  win_command: wget -q "{{ signature_link }}" -O sigfile
+
+- name: Verify binary
+  win_command: gpg --verify sigfile {{ file_path }}
+
+- name: Remove gnupg directory with Cygwin ( when it didnt exist previously )
+  win_shell: C:/cygwin64/bin/bash.exe -c "rm -rf ~/.gnupg"
+  when: (not gnupg_check.stat.exists)