Support `--valid_pgpkeys` option in Git module #55396

Status: Open. 1 commit to merge into base: devel.
@jelly commented Apr 16, 2019

Make Git module support `--valid-pgpkeys` option, which allows
configuring a list of valid PGP fingerprints which are compared with the
used PGP fingerprint if verify_commit is true. This requires
verify_commit to be set to 'yes'.

Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl>

SUMMARY

Add an option to specify allowed PGP fingerprints from which signed commits are accepted; this adds an extra verification requirement when verify_commit is set. Basically this prevents a malicious signed commit in a trusted repository from being seen as a valid commit. This is comparable with Arch Linux's pacman PKGBUILD, which allows the same sort of syntax to specify valid PGP keys.

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

Git module

ADDITIONAL INFORMATION

Adds a new option to the Git module called valid_pgpkeys with an array of valid PGP keys to be used to verify the signed commit.

```yaml
- name: test my new module
  hosts: localhost
  tasks:
  - name:
    git:
      repo: 'https://github.com/archlinux/archweb.git'
      dest: /tmp/archweb
      verify_commit: yes            # required: valid_pgpkeys is only checked when the signature is verified
      version: release_2019-04-15
      valid_pgpkeys:                # fingerprints of keys whose signatures are accepted
        - 'E499C79F53C96A54E572FEE1C06086337C50773F'
```

On error (the listed fingerprint ends in `...773E`, the signing key in `...773F`, so the commit is rejected):

```
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Invalid public key \"E499C79F53C96A54E572FEE1C06086337C50773E\"", "rc": 0, ...
```
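The check the PR describes, as an added example (this is not the PR's or the Ansible git module's own code): `git verify-commit` succeeding only proves *some* key in the local keyring signed the commit; the allow-list additionally requires that key to be one the playbook author listed. The example parses the gpg status lines that `git verify-commit --raw` writes to stderr and compares the `VALIDSIG` fingerprints against the list. One caveat a practitioner wants handled: when a commit is signed with a subkey, the first `VALIDSIG` field is the subkey fingerprint and the primary-key fingerprint is the last field, so both are accepted. `SAMPLE_RAW_STATUS`, `BAD_RAW_STATUS` and the subkey fingerprint are constructed sample data; the primary fingerprint is the one from the playbook above.

```python
"""Allow-list the signing key of a git commit, not just "a valid signature".

Added example, not Ansible's code. Status-line format is gpg's --status-fd
output, which `git verify-commit --raw` prints to stderr.
"""
import subprocess
from typing import List, Optional

# Constructed sample: a commit signed with a subkey of the key listed in the
# playbook. Subkey fingerprint and timestamps are made up.
SAMPLE_RAW_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C06086337C50773F Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-04-15 1555286400 0 4 0 22 8 00 E499C79F53C96A54E572FEE1C06086337C50773F
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""

# Constructed sample of a signature gpg could not verify: no VALIDSIG line.
BAD_RAW_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG C06086337C50773F Example Maintainer <maint@example.org>
"""


def normalize_fpr(fpr: str) -> str:
    """Upper-case and strip the spaces people paste from `gpg -K` output."""
    return "".join(fpr.split()).upper()


def signing_fingerprints(raw_status: str) -> List[str]:
    """Fingerprints from VALIDSIG lines: signing key first, then its primary key.

    VALIDSIG fields: fpr date sig-ts expire-ts sig-version reserved
    pubkey-algo hash-algo sig-class [primary-key-fpr]. Returns [] when no
    VALIDSIG is present (bad, expired or unknown key), which must reject.
    """
    found: List[str] = []
    for line in raw_status.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]" or parts[1] != "VALIDSIG":
            continue
        signing_key = normalize_fpr(parts[2])
        found.append(signing_key)
        if len(parts) >= 12:  # primary-key fingerprint is the optional 10th argument
            primary_key = normalize_fpr(parts[11])
            if primary_key != signing_key:
                found.append(primary_key)
    return found


def check_valid_pgpkeys(raw_status: str, valid_pgpkeys: List[str]) -> Optional[str]:
    """Return the allow-listed fingerprint that matched, or None to reject."""
    allowed = {normalize_fpr(k) for k in valid_pgpkeys}
    for fpr in signing_fingerprints(raw_status):
        if fpr in allowed:
            return fpr
    return None


def verify_commit_key(repo: str, rev: str, valid_pgpkeys: List[str], git_path: str = "git") -> str:
    """Run `git verify-commit --raw` on a checkout and apply the allow-list.

    Raises RuntimeError on an unverifiable signature or an unlisted key, with
    the same kind of message the PR's failing playbook shows. Not exercised
    offline; the parsing above is what the tests cover.
    """
    proc = subprocess.run(
        [git_path, "verify-commit", "--raw", rev],
        cwd=repo, capture_output=True, text=True,
    )
    if proc.returncode != 0:
        raise RuntimeError("Failed to verify GPG signature of commit %s" % rev)
    matched = check_valid_pgpkeys(proc.stderr, valid_pgpkeys)
    if matched is None:
        seen = signing_fingerprints(proc.stderr)
        raise RuntimeError('Invalid public key "%s"' % (seen[0] if seen else "unknown"))
    return matched


if __name__ == "__main__":
    listed = ["E499C79F53C96A54E572FEE1C06086337C50773F"]
    print("subkey signature, primary listed:", check_valid_pgpkeys(SAMPLE_RAW_STATUS, listed))
    print("typo in listed fingerprint      :", check_valid_pgpkeys(SAMPLE_RAW_STATUS, [listed[0][:-1] + "E"]))
    print("bad signature                   :", check_valid_pgpkeys(BAD_RAW_STATUS, listed))
```

Comparing full 40-hex-digit fingerprints rather than the 16-digit long key ID from `GOODSIG` is deliberate: key IDs are a truncation and collisions can be manufactured, while the fingerprint is the hash of the whole public key.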

@jelly jelly force-pushed the jelly:valid_pgpkeys branch from 67668c8 to 1e212d1 Apr 17, 2019

@ansibot ansibot removed the ci_verified label Apr 17, 2019

@jelly (Author) commented May 6, 2019

Any update?
