From 6271966f10af10a93f76e274a166d30ed801bfb8 Mon Sep 17 00:00:00 2001
From: Monty Taylor
Date: Tue, 22 Aug 2017 17:42:18 -0400
Subject: [PATCH] Add role to GPG sign artifacts in a directory

This will sign everything in the artifacts directory.

Change-Id: I1f07b1b05ff4336e32469f85ff2c09fb72c0b51c
---
roles/sign-artifacts/README.rst | 22 +++++++++++++++++++++
roles/sign-artifacts/defaults/main.yaml | 1 +
roles/sign-artifacts/tasks/main.yaml | 26 +++++++++++++++++++++++++
3 files changed, 49 insertions(+)
create mode 100644 roles/sign-artifacts/README.rst
create mode 100644 roles/sign-artifacts/defaults/main.yaml
create mode 100644 roles/sign-artifacts/tasks/main.yaml

diff --git a/roles/sign-artifacts/README.rst b/roles/sign-artifacts/README.rst
new file mode 100644
index 000000000..870516000
--- /dev/null
+++ b/roles/sign-artifacts/README.rst
@@ -0,0 +1,22 @@
+Sign artifacts
+
+**Role Variables**
+
+.. zuul:rolevar:: gpg_key
+
+ Complex argument which contains the GPG public and secret keyrings
+ for signing the artifacts. It is expected that this argument comes
+ from a `Secret`.
+
+ .. zuul:rolevar:: pubring
+
+ The binary contents of the GPG pubring.
+
+ .. zuul:rolevar:: secring
+
+ The binary contents of the GPG secring.
+
+.. zuul:rolevar:: gpg_artifact_path
+ :default: "{{ zuul.executor.work_root }}/artifacts/"
+
+ Path to a directory containing artifacts to sign.
diff --git a/roles/sign-artifacts/defaults/main.yaml b/roles/sign-artifacts/defaults/main.yaml
new file mode 100644
index 000000000..13d037980
--- /dev/null
+++ b/roles/sign-artifacts/defaults/main.yaml
@@ -0,0 +1 @@
+gpg_sign_path: "{{ zuul.executor.work_root }}/artifacts/"
diff --git a/roles/sign-artifacts/tasks/main.yaml b/roles/sign-artifacts/tasks/main.yaml
new file mode 100644
index 000000000..a83c834cb
--- /dev/null
+++ b/roles/sign-artifacts/tasks/main.yaml
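Review bot: The variable defined in defaults/main.yaml, `gpg_sign_path`, is not the one the README documents: the README describes `gpg_artifact_path` with the same default value, while this file and the `paths:` argument of the `find` task in tasks/main.yaml both read `gpg_sign_path`. A job author who follows the README and sets `gpg_artifact_path` would have the override silently ignored and the default artifacts directory signed instead. Either rename this key and the `paths:` reference to `gpg_artifact_path`, or change the README entry to `.. zuul:rolevar:: gpg_sign_path`; the latter is the smaller change. A one-line comment above the default would also help readers, e.g. `# Directory whose files are signed; override per job.`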
@@ -0,0 +1,26 @@
+- name: Make GPG directory
+ tempfile:
+ state: directory
+ register: gnupg_tmpdir
+
+- name: Create GPG pubring
+ copy:
+ content: "{{ gpg_key.pubring }}"
+ dest: "{{ gnupg_tmpdir.path }}/pubring.gpg"
+ mode: 0400
+
+- name: Create GPG secring
+ copy:
+ content: "{{ gpg_key.secring }}"
+ dest: "{{ gnupg_tmpdir.path }}/secring.gpg"
+ mode: 0400
+
+- name: Find files to sign
+ find:
+ paths: "{{ gpg_sign_path }}"
+ register: artifacts
+
+- name: Sign artifacts
+ command: "gpg --homedir {{ gnupg_tmpdir.path }} --armor --detach-sign {{ item.path }}"
+ with_items: "{{ artifacts.files }}"
+ when: artifacts.matched|bool
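Review bot: The temporary GnuPG home registered as `gnupg_tmpdir` is never removed, so the secret keyring written to `{{ gnupg_tmpdir.path }}/secring.gpg` stays on the executor's disk after the role finishes; add a final task that deletes the directory (shown below), ideally under a `block`/`always` so it also runs when signing fails. The two `copy` tasks should also carry `no_log: true`, because a failed task or a `--diff` run can print the rendered `content`, i.e. the private key material. In the `Sign artifacts` task `{{ item.path }}` is interpolated unquoted into a `command` string, so a filename containing whitespace splits into several arguments; `{{ item.path | quote }}` avoids that, and `mode: "0400"` is clearer than relying on YAML 1.1 octal parsing of `0400`. Whether `content:` can carry the "binary contents" the README describes without mangling is not visible here; an ASCII-armored export may be the safer input.
```yaml
# … unchanged: Make GPG directory, Create GPG pubring …
- name: Create GPG secring
  copy:
    # … unchanged: content/dest …
    mode: "0400"
  no_log: true
# … unchanged: Find files to sign, Sign artifacts …
- name: Remove GPG directory
  file:
    path: "{{ gnupg_tmpdir.path }}"
    state: absent
```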