Add role to GPG sign artifacts in a directory

This will sign everything in the artifacts directory.

Change-Id: I1f07b1b05ff4336e32469f85ff2c09fb72c0b51c

roles/sign-artifacts/README.rst

@@ -0,0 +1,22 @@
+Sign artifacts
+
+**Role Variables**
+
+.. zuul:rolevar:: gpg_key
+
+   Complex argument which contains the GPG public and secret keyrings
+   for signing the artifacts. It is expected that this argument comes
+   from a `Secret`.
+
+  .. zuul:rolevar:: pubring
+
+     The binary contents of the GPG pubring.
+
+  .. zuul:rolevar:: secring
+
+     The binary contents of the GPG secring.
+
+.. zuul:rolevar:: gpg_artifact_path
+   :default: "{{ zuul.executor.work_root }}/artifacts/"
+
+   Path to a directory containing artifacts to sign.

roles/sign-artifacts/defaults/main.yaml

@@ -0,0 +1 @@
+gpg_sign_path: "{{ zuul.executor.work_root }}/artifacts/"

roles/sign-artifacts/tasks/main.yaml

@@ -0,0 +1,26 @@
+- name: Make GPG directory
+  tempfile:
+    state: directory
+  register: gnupg_tmpdir
+
+- name: Create GPG pubring
+  copy:
+    content: "{{ gpg_key.pubring }}"
+    dest: "{{ gnupg_tmpdir.path }}/pubring.gpg"
+    mode: 0400
+
+- name: Create GPG secring
+  copy:
+    content: "{{ gpg_key.secring }}"
+    dest: "{{ gnupg_tmpdir.path }}/secring.gpg"
+    mode: 0400
+
+- name: Find files to sign
+  find:
+    paths: "{{ gpg_sign_path }}"
+  register: artifacts
+
+- name: Sign artifacts
+  command: "gpg --homedir {{ gnupg_tmpdir.path }} --armor --detach-sign {{ item.path }}"
+  with_items: "{{ artifacts.files }}"
+  when: artifacts.matched|bool