Support --valid_pgpkeys option in Git module #55396
Any update?
It's a nice patch, yet it requires a few bits of polishing.
There's a few style improvements I've suggested and we also 100% need to improve the consistency with the argument naming.
@jelly thanks! Could you please also add a changelog fragment to this folder: https://github.com/ansible/ansible/tree/devel/changelogs/fragments It's explained @ https://docs.ansible.com/ansible/devel/community/development_process.html#creating-a-changelog-fragment
Waiting for the changelog fragment #55396 (comment) and docs review
Ok, added one, hope I did it correctly!
Make Git module support `--valid-pgpkeys` option, which allows configuring a list of valid PGP fingerprints which are compared with the used PGP fingerprint if verify_commit is true. This requires verify_commit to be set to 'yes'.
Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl>
I've polished the message a bit
SUMMARY
Add an option to specify allowed PGP fingerprints from which signed commits are accepted; this adds an extra verification requirement when verify_commit is set. Basically this prevents a trusted repository with a malicious signed commit from being seen as a valid commit. This is comparable with Arch Linux's pacman's PKGBUILD, which allows the same sort of syntax to specify valid PGP keys.
ISSUE TYPE
COMPONENT NAME
Git module
ADDITIONAL INFORMATION
Adds a new option to the Git module called valid_pgpkeys with an array of valid PGP keys to be used to verify the signed commit.
On error:
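Added example, not part of the pull request or of Ansible's code: one way to implement the check the summary describes, assuming the GnuPG status lines come from `git verify-commit --raw` (which writes them to standard error) and that a commit may match on either the signing key's or the primary key's fingerprint. The helper names, the sample status lines and the fingerprints are constructed for illustration.

```python
import re

# Constructed sample data: fingerprints and status lines are made up for this example.
PRIMARY, SUBKEY, OTHER = "A1" * 20, "B2" * 20, "C3" * 20
GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG B2B2B2B2B2B2B2B2 Constructed Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG %s 2019-04-16 1555400000 0 4 0 1 8 00 %s\n" % (SUBKEY, PRIMARY)
)

FPR_RE = re.compile(r"^[0-9A-F]{40}$")  # full v4 fingerprint; short key IDs are refused
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize_fpr(value):
    """Upper-case a fingerprint, drop spaces and a leading 0x, require 40 hex digits."""
    fpr = value.replace(" ", "").upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if not FPR_RE.match(fpr):
        raise ValueError("not a full 40-hex-digit fingerprint: %r" % value)
    return fpr

def parse_status(raw):
    """Return (status keywords seen, fingerprints named by VALIDSIG lines)."""
    keywords, fprs = set(), set()
    for line in raw.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keywords.add(fields[1])
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            fprs.add(fields[2].upper())       # key that made the signature
            if len(fields) >= 12:
                fprs.add(fields[11].upper())  # primary key when a subkey signed
    return keywords, fprs

def commit_is_trusted(raw, valid_pgpkeys):
    """True only for a good signature whose fingerprint is on the allowlist."""
    allowed = {normalize_fpr(k) for k in valid_pgpkeys}
    keywords, fprs = parse_status(raw)
    if "VALIDSIG" not in keywords or keywords & REJECT:
        return False  # unsigned, bad, expired or revoked: never trusted
    return bool(fprs & allowed)

if __name__ == "__main__":
    print(commit_is_trusted(GOOD, [PRIMARY]), commit_is_trusted(GOOD, [OTHER]))
```

The second call is the case the summary is about: the signature verifies against the local keyring, but the key is not on the allowlist, so the commit is refused.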