Add role to GPG sign artifacts in a directory

This will sign everything in the artifacts directory.

Change-Id: I1f07b1b05ff4336e32469f85ff2c09fb72c0b51c
Monty Taylor 2017-08-22 17:42:18 -04:00
parent 80ec023985
commit 6271966f10
No known key found for this signature in database
GPG Key ID: 7BAE94BC7141A594
3 changed files with 49 additions and 0 deletions


@ -0,0 +1,22 @@
Sign artifacts
**Role Variables**
.. zuul:rolevar:: gpg_key
Complex argument which contains the GPG public and secret keyrings
for signing the artifacts. It is expected that this argument comes
from a `Secret`.
.. zuul:rolevar:: pubring
The binary contents of the GPG pubring.
.. zuul:rolevar:: secring
The binary contents of the GPG secring.
.. zuul:rolevar:: gpg_artifact_path
:default: "{{ zuul.executor.work_root }}/artifacts/"
Path to a directory containing artifacts to sign.


@ -0,0 +1 @@
gpg_sign_path: "{{ zuul.executor.work_root }}/artifacts/"
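Review bot: The variable defined here, `gpg_sign_path`, does not match the name the role README documents, `gpg_artifact_path` (with the same default), so a job that sets the documented variable will silently keep signing the default directory. The tasks file also reads `gpg_sign_path`, so the cheapest fix is to rename the README entry to `.. zuul:rolevar:: gpg_sign_path`; otherwise rename this line to `gpg_artifact_path: "{{ zuul.executor.work_root }}/artifacts/"` and the `find` task's `paths:` to match. Whichever name is kept, the README and this default should be the only two places it is spelled out.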


@ -0,0 +1,26 @@
- name: Make GPG directory
tempfile:
state: directory
register: gnupg_tmpdir
- name: Create GPG pubring
copy:
content: "{{ gpg_key.pubring }}"
dest: "{{ gnupg_tmpdir.path }}/pubring.gpg"
mode: 0400
- name: Create GPG secring
copy:
content: "{{ gpg_key.secring }}"
dest: "{{ gnupg_tmpdir.path }}/secring.gpg"
mode: 0400
- name: Find files to sign
find:
paths: "{{ gpg_sign_path }}"
register: artifacts
- name: Sign artifacts
command: "gpg --homedir {{ gnupg_tmpdir.path }} --armor --detach-sign {{ item.path }}"
with_items: "{{ artifacts.files }}"
when: artifacts.matched|bool
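Review bot: The secret keyring copied into `gnupg_tmpdir` in "Create GPG secring" is never removed, so the private key stays on the executor's filesystem after the play (and after any failed run) in a predictable `tempfile` directory. Add a cleanup task that deletes the directory, and wrap the signing steps in a `block`/`always` so the removal runs even when a `copy` or the `command` fails; marking the two `copy` tasks `no_log: true` would also keep the keyring contents out of task output. Separately, `{{ item.path }}` is interpolated unquoted into a shell-style command string, so a file name containing whitespace breaks the invocation; `{{ item.path | quote }}` handles that, and `mode: "0400"` avoids the YAML octal ambiguity on the two `copy` tasks.

```yaml
# … unchanged: Make GPG directory, Create GPG pubring, Create GPG secring, Find files to sign …
- name: Sign artifacts
  command: "gpg --homedir {{ gnupg_tmpdir.path }} --armor --detach-sign {{ item.path | quote }}"
  with_items: "{{ artifacts.files }}"
  when: artifacts.matched|bool

- name: Remove GPG directory
  file:
    path: "{{ gnupg_tmpdir.path }}"
    state: absent
  when: gnupg_tmpdir.path is defined
```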