Use gpg import for sign-artifacts tasks

Because we used binary data, and it seems Ansible had some issues with
that. Switch to ASCII-armored versions and `gpg --import`.

Change-Id: Ide400a2163c8fc08de0a28947ada7e9448d7675d
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Paul Belanger 2017-08-25 10:52:01 -04:00
parent ccbce75fce
commit 08448dee4b
GPG Key ID: 611A80832067AF38
2 changed files with 35 additions and 15 deletions


@ -8,13 +8,13 @@ Sign artifacts
for signing the artifacts. It is expected that this argument comes
from a `Secret`.
.. zuul:rolevar:: pubring
.. zuul:rolevar:: public
The binary contents of the GPG pubring.
The ascii-armored contents of the GPG public key.
.. zuul:rolevar:: secring
.. zuul:rolevar:: private
The binary contents of the GPG secring.
The ascii-armored contents of the GPG private key.
.. zuul:rolevar:: gpg_artifact_path
:default: "{{ zuul.executor.work_root }}/artifacts/"


@ -3,23 +3,43 @@
state: directory
register: gnupg_tmpdir
- name: Create GPG pubring
- name: Create GPG private key tempfile
tempfile:
state: file
register: gpg_private_key_tmp
- name: Create GPG private key
copy:
content: "{{ gpg_key.pubring }}"
dest: "{{ gnupg_tmpdir.path }}/pubring.gpg"
content: "{{ gpg_key.private }}"
dest: "{{ gpg_private_key_tmp.path }}"
mode: 0400
- name: Create GPG secring
- name: Import GPG private key
command: "gpg --homedir {{ gnupg_tmpdir.path }} --allow-secret-key-import --import {{ gpg_private_key_tmp.path }}"
- name: Delete GPG private key
file:
path: "{{ gpg_private_key_tmp.path }}"
state: absent
- name: Create GPG public key tempfile
tempfile:
state: file
register: gpg_public_key_tmp
- name: Create GPG public key
copy:
content: "{{ gpg_key.secring }}"
dest: "{{ gnupg_tmpdir.path }}/secring.gpg"
content: "{{ gpg_key.public }}"
dest: "{{ gpg_public_key_tmp.path }}"
mode: 0400
- name: Display sha1sum for GPG pubring / secring
command: "sha1sum {{ item }}"
with_items:
- "{{ gnupg_tmpdir.path }}/pubring.gpg"
- "{{ gnupg_tmpdir.path }}/secring.gpg"
- name: Import GPG public key
command: "gpg --homedir {{ gnugp_tmpdir.path }} --import {{ gpg_public_key_tmp.path }}"
- name: Delete GPG public key
file:
path: "{{ gpg_public_key_tmp.path }}"
state: absent
- name: Find files to sign
find: