Change:
- Allow older git to verify tags again
- Enable verification tests everywhere, even if most of them only work
on newer git. Some of them work on older git and they test the --raw
parameter.
Test Plan:
- Re-enabled subset of git tests
Tickets:
- Fixes#64469
Signed-off-by: Rick Elrod <rick@elrod.me>
- git - Only pass ``--raw`` flag to git verify commands (verify-tag, verify-commit) when ``gpg_whitelist`` is in use. Otherwise don't pass it so that non-whitelist GPG validation still works on older Git versions. (https://github.com/ansible/ansible/issues/64469)
- name:GPG-VERIFICATION | Clone repo and verify a signed lightweight tag
- name:GPG-VERIFICATION | Clone repo and verify a signed lightweight tag
environment:
environment:
@ -84,6 +86,8 @@
dest:"{{ git_gpg_dest }}"
dest:"{{ git_gpg_dest }}"
version:lightweight_tag/signed_commit
version:lightweight_tag/signed_commit
verify_commit:yes
verify_commit:yes
when:
- git_version.stdout is version("2.1.0", '>=')
- name:GPG-VERIFICATION | Clone repo and verify an unsigned lightweight tag (should fail)
- name:GPG-VERIFICATION | Clone repo and verify an unsigned lightweight tag (should fail)
environment:
environment:
@ -95,12 +99,16 @@
verify_commit:yes
verify_commit:yes
register:git_verify
register:git_verify
ignore_errors:yes
ignore_errors:yes
when:
- git_version.stdout is version("2.1.0", '>=')
- name:GPG-VERIFICATION | Check that unsigned lightweight tag verification failed
- name:GPG-VERIFICATION | Check that unsigned lightweight tag verification failed
assert:
assert:
that:
that:
- git_verify is failed
- git_verify is failed
- git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
- git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
when:
- git_version.stdout is version("2.1.0", '>=')
- name:GPG-VERIFICATION | Clone repo and verify a signed commit
- name:GPG-VERIFICATION | Clone repo and verify a signed commit
environment:
environment:
@ -110,6 +118,8 @@
dest:"{{ git_gpg_dest }}"
dest:"{{ git_gpg_dest }}"
version:"{{ git_gpg_signed_commit.stdout }}"
version:"{{ git_gpg_signed_commit.stdout }}"
verify_commit:yes
verify_commit:yes
when:
- git_version.stdout is version("2.1.0", '>=')
- name:GPG-VERIFICATION | Clone repo and verify an unsigned commit
- name:GPG-VERIFICATION | Clone repo and verify an unsigned commit
environment:
environment:
@ -121,12 +131,16 @@
verify_commit:yes
verify_commit:yes
register:git_verify
register:git_verify
ignore_errors:yes
ignore_errors:yes
when:
- git_version.stdout is version("2.1.0", '>=')
- name:GPG-VERIFICATION | Check that unsigned commit verification failed
- name:GPG-VERIFICATION | Check that unsigned commit verification failed
assert:
assert:
that:
that:
- git_verify is failed
- git_verify is failed
- git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
- git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
when:
- git_version.stdout is version("2.1.0", '>=')
- name:GPG-VERIFICATION | Clone repo and verify a signed annotated tag
- name:GPG-VERIFICATION | Clone repo and verify a signed annotated tag
environment:
environment:
@ -162,6 +176,8 @@
dest:"{{ git_gpg_dest }}"
dest:"{{ git_gpg_dest }}"
version:some_branch/signed_tip
version:some_branch/signed_tip
verify_commit:yes
verify_commit:yes
when:
- git_version.stdout is version("2.1.0", '>=')
- name:GPG-VERIFICATION | Clone repo and verify an unsigned branch (should fail)
- name:GPG-VERIFICATION | Clone repo and verify an unsigned branch (should fail)
environment:
environment:
@ -173,18 +189,22 @@
verify_commit:yes
verify_commit:yes
register:git_verify
register:git_verify
ignore_errors:yes
ignore_errors:yes
when:
- git_version.stdout is version("2.1.0", '>=')
- name:GPG-VERIFICATION | Check that unsigned branch verification failed
- name:GPG-VERIFICATION | Check that unsigned branch verification failed
assert:
assert:
that:
that:
- git_verify is failed
- git_verify is failed
- git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
- git_verify.msg is match("Failed to verify GPG signature of commit/tag.+")
when:
- git_version.stdout is version("2.1.0", '>=')
- name:GPG-VERIFICATION | Stop gpg-agent so we can remove any locks on the GnuPG dir
- name:GPG-VERIFICATION | Stop gpg-agent so we can remove any locks on the GnuPG dir
command:gpgconf --kill gpg-agent
command:gpgconf --kill gpg-agent
when:ansible_os_family != 'Suse' or ansible_distribution_version != '42.3' # OpenSUSE 42.3 ships with an older version of gpg-agent that doesn't support this