8e7d5e0404
Add the incoming key to the trustdb with ultimate trust. I noticed the missing trust when using this role in a job that rechecks the signatures made with an imported key (cf. Id624aa1ec6213be70809a8f911ab4aadc8a6ed53 and related changes). Remove "--allow-secret-key-import" as it doesn't do anything any more, per the man page. Change-Id: I5fce163bce5c68342a444c36d9ba4af6e4af362c
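# Import the GPG private key held in gpg_key.private into the local keyring and
# mark it as ultimately trusted so signatures made with it verify cleanly.  The
# key material is staged on disk only for the duration of the import and is
# removed again even when one of the intermediate tasks fails.
- name: Import GPG private key and trust it
  block:
    - name: Create GPG private key tempfile
      tempfile:
        state: file
      register: gpg_private_key_tmp

    - name: Stage GPG private key for importing
      copy:
        content: "{{ gpg_key.private }}"
        dest: "{{ gpg_private_key_tmp.path }}"
        # Quoted so YAML does not read the mode as the integer 400 (1.1 octal).
        mode: "0400"
      # Keep the private key out of task output (e.g. the before/after diff
      # that copy prints when run with --diff or high verbosity).
      no_log: true

    - name: Import GPG private key
      # --batch makes gpg fail instead of trying to talk to a tty when it
      # needs input.  NOTE(review): assumes the key is unprotected or the
      # agent can obtain its passphrase; a pinentry prompt cannot be answered
      # from here -- confirm against the keys this role is used with.
      command: "gpg --batch --import {{ gpg_private_key_tmp.path }}"

    - name: Trust the imported key
      # Take the primary-key fingerprint from the machine-readable listing
      # (--with-colons is GnuPG's documented interface for scripts; the
      # human-readable layout is not stable across versions) and feed it to
      # --import-ownertrust with value 6, which is "ultimate" in the
      # ownertrust db (menu entry "5" in --edit-key is "6" here).
      #
      # Only the fpr record directly following a sec/pub record is used, so
      # subkey fingerprints are ignored and every primary key in the file is
      # trusted.  The stages are piped directly -- not via echo $(...) -- so
      # that with pipefail a failing gpg listing, or a listing with no
      # fingerprint at all, fails the task instead of importing nothing.
      shell: |
        set -o pipefail
        gpg --batch --with-colons --show-keys "{{ gpg_private_key_tmp.path }}" \
          | awk -F: '
              $1 == "sec" || $1 == "pub" { primary = 1; next }
              $1 == "fpr" && primary { print $10 ":6:"; primary = 0; found = 1 }
              END { exit !found }' \
          | gpg --batch --import-ownertrust
      args:
        executable: '/bin/bash'

  always:
    - name: Delete staged GPG private key
      file:
        path: "{{ gpg_private_key_tmp.path }}"
        state: absent
      # The tempfile task itself may have failed; nothing to clean up then.
      when: gpg_private_key_tmp.path is defined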