add-gpgkey: trust incoming key
Add the incoming key to the trustdb with ultimate trust. I noticed this when using this role in a job that rechecks the signatures made with an imported key (c.f Id624aa1ec6213be70809a8f911ab4aadc8a6ed53 and related changes). Remove "--allow-secret-key-import" as it doesn't do anything any more, per the man page. Change-Id: I5fce163bce5c68342a444c36d9ba4af6e4af362c
This commit is contained in:
Ian Wienand
parent
fc133bd165
commit
8e7d5e0404
|
|
@ -10,7 +10,21 @@
|
|||
mode: 0400
|
||||
|
||||
- name: Import GPG private key
|
||||
command: "gpg --allow-secret-key-import --import {{ gpg_private_key_tmp.path }}"
|
||||
command: "gpg --import {{ gpg_private_key_tmp.path }}"
|
||||
|
||||
- name: Trust the imported key
|
||||
# Strip all whitespace and take the second line of output, which
|
||||
# is the fingerprint, then import this at "I trust fully" level.
|
||||
# This was a pain to figure out as gpg really wants to communicate
|
||||
# with a tty if you do something obvious like "gpg --edit-key <id>
|
||||
# ...". And what is menu option number "5" is actually "6" in the
|
||||
# ownertrust db (ultimate trust)!
|
||||
shell: |
|
||||
set -o pipefail
|
||||
echo $(gpg --show-keys {{ gpg_private_key_tmp.path }} \
|
||||
| sed -n "s/ //g;2 p"):6: | gpg --import-ownertrust
|
||||
args:
|
||||
executable: '/bin/bash'
|
||||
|
||||
- name: Delete staged GPG private key
|
||||
file:
|
||||
|
|
|
|||
Loading…
Reference in New Issue