[BREAKING] Update wp-cli to 2.0.0 and verify its PGP signature

[tangrufus]

• PGP public keys not being added into the keyring, see: https://stackoverflow.com/a/19016152
• wp_cli_pgp_public_key must be in binary format, ASCII-armored version wont work
• tab completions are not verified

Breaking!

wp_cli_version must be 2.0.0 or later because wp cli release page only provides detached signatures since v2.0.0

FAQs

Where does roles/wp-cli/templates/wp-cli.pgp.gpg come from?

The wp cli release team only provides their PGP public keys in ASCII-armored version. We have to "dearmor" it.

➜ wget https://raw.githubusercontent.com/wp-cli/builds/gh-pages/wp-cli.pgp
➜ gpg --dearmor wp-cli.pgp

See: https://stackoverflow.com/questions/22544441/how-to-convert-a-binary-key-pgp-file-to-an-ascii-armored-file

Why not use a URL as wp_cli_pgp_public_key OR keep using checksum hashes?

See:

• Sign releases via GPG wp-cli/wp-cli#2121
• Check downloaded archive with GPG. jchaney/owncloud#12 (comment)

[swalkinshaw]

Just tried this and got:

TASK [wp-cli : Verify WP-CLI Phar Signature] ***********************************
System info:
  Ansible 2.5.3; Vagrant 2.0.2; Darwin
  Trellis version (per changelog): "Update wp-cli to 2.0.0 and verify its PGP signature"
---------------------------------------------------
non-zero return code
gpg: Signature made Wed 08 Aug 2018 09:13:40 PM UTC using RSA key ID 26F0BC06
gpg: failed to create temporary file
'/root/.gnupg/.#lk0x000055e90fd40b50.example.8737': No such file or directory
gpg: Fatal: can't create lock for '/root/.gnupg/trustdb.gpg'
fatal: [default]: FAILED! => {"changed": false, "cmd": ["gpg2", "--no-default-keyring", "--keyring", "/tmp/wp-cli.pgp.gpg", "--verify", "/tmp/wp-cli-2.0.0.phar.asc", "/tmp/wp-cli-2.0.0.phar"], "delta": "0:00:00.036512", "end": "2018-08-12 17:13:25.450247", "rc": 2, "start": "2018-08-12 17:13:25.413735", "stderr_lines": ["gpg: Signature made Wed 08 Aug 2018 09:13:40 PM UTC using RSA key ID 26F0BC06", "gpg: failed to create temporary file '/root/.gnupg/.#lk0x000055e90fd40b50.example.8737': No such file or directory", "gpg: Fatal: can't create lock for '/root/.gnupg/trustdb.gpg'"], "stdout": "", "stdout_lines": []}

[swalkinshaw]

I'm assuming this is "breaking" since it's a new major version for WP-CLI?

[tangrufus]

Fixed by adding --lock-never to gpg verify command.
Also changed synchronize to copy so that sudo is not required.

I'm assuming this is "breaking" since it's a new major version for WP-CLI?

Correct. You might need to change wp_cli_packages when upgrading wp cli to v2

Besides, with this pull request, you can't "downgrade" to wp cli v1.x because wp_cli_phar_asc_url will break (in fact, 2.0.0 is the only release that comes with a .asc file)

[swalkinshaw]

Makes sense. Thanks it's working for me too 👍