Only use `git verify-tag` when verifying annotated tags (#26414)
* Only use `git verify-tag` when verifying annotated tags. The command `git verify-tag` only applies to annotated tags. When verifying lightweight tags, which are more similar to non-moving branches, one has to use `git verify-commit` instead. Using ':' as a separator is appropriate since that is one of the characters not allowed in a Git reference name. See also https://www.kernel.org/pub/software/scm/git/docs/git-check-ref-format.html * Improve testing of the Git module's gpg verification (pull/26842/head)
parent
779d05aec4
commit
593297d7a2
@ -0,0 +1,187 @@
---
# Test for verification of GnuPG signatures
- name: Create GnuPG verification workdir
tempfile:
state: directory
register: git_gpg_workdir
- name: Define variables based on workdir
set_fact:
git_gpg_keyfile: "{{ git_gpg_workdir.path }}/testkey.asc"
git_gpg_source: "{{ git_gpg_workdir.path }}/source"
git_gpg_dest: "{{ git_gpg_workdir.path }}/dest"
git_gpg_gpghome: "{{ git_gpg_workdir.path }}/gpg"
- name: Temporary store GnuPG test key
copy:
content: "{{ git_gpg_testkey }}"
dest: "{{ git_gpg_keyfile }}"
- name: Create temporary GNUPGHOME directory
file:
path: "{{ git_gpg_gpghome }}"
state: directory
mode: 0700
- name: Import GnuPG test key
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
command: gpg --import {{ git_gpg_keyfile }}
- name: Create local GnuPG signed repository directory
file:
path: "{{ git_gpg_source }}"
state: directory
- name: Generate local GnuPG signed repository
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
shell: |
set -e
git init
touch an_empty_file
git add an_empty_file
git commit --no-gpg-sign --message "Commit, and don't sign"
git tag lightweight_tag/unsigned_commit HEAD
git commit --allow-empty --gpg-sign --message "Commit, and sign"
git tag lightweight_tag/signed_commit HEAD
git tag --annotate --message "This is not a signed tag" unsigned_annotated_tag HEAD
git commit --allow-empty --gpg-sign --message "Commit, and sign"
git tag --sign --message "This is a signed tag" signed_annotated_tag HEAD
git checkout -b some_branch/signed_tip master
git commit --allow-empty --gpg-sign --message "Commit, and sign"
git checkout -b another_branch/unsigned_tip master
git commit --allow-empty --no-gpg-sign --message "Commit, and don't sign"
git checkout master
args:
chdir: "{{ git_gpg_source }}"
- name: Get hash of an unsigned commit
command: git show-ref --hash --verify refs/tags/lightweight_tag/unsigned_commit
args:
chdir: "{{ git_gpg_source }}"
register: git_gpg_unsigned_commit
- name: Get hash of a signed commit
command: git show-ref --hash --verify refs/tags/lightweight_tag/signed_commit
args:
chdir: "{{ git_gpg_source }}"
register: git_gpg_signed_commit
- name: Clone repo and verify signed HEAD
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
verify_commit: yes
- name: Clone repo and verify a signed lightweight tag
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
version: lightweight_tag/signed_commit
verify_commit: yes
- name: Clone repo and verify an unsigned lightweight tag (should fail)
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
version: lightweight_tag/unsigned_commit
verify_commit: yes
register: git_verify
ignore_errors: yes
- name: Check that unsigned lightweight tag verification failed
assert:
that:
- git_verify|failed
- git_verify.msg|match("Failed to verify GPG signature of commit/tag.+")
- name: Clone repo and verify a signed commit
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
version: "{{ git_gpg_signed_commit.stdout }}"
verify_commit: yes
- name: Clone repo and verify an unsigned commit
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
version: "{{ git_gpg_unsigned_commit.stdout }}"
verify_commit: yes
register: git_verify
ignore_errors: yes
- name: Check that unsigned commit verification failed
assert:
that:
- git_verify|failed
- git_verify.msg|match("Failed to verify GPG signature of commit/tag.+")
- name: Clone repo and verify a signed annotated tag
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
version: signed_annotated_tag
verify_commit: yes
- name: Clone repo and verify an unsigned annotated tag (should fail)
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
version: unsigned_annotated_tag
verify_commit: yes
register: git_verify
ignore_errors: yes
- name: Check that unsigned annotated tag verification failed
assert:
that:
- git_verify|failed
- git_verify.msg|match("Failed to verify GPG signature of commit/tag.+")
- name: Clone repo and verify a signed branch
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
version: some_branch/signed_tip
verify_commit: yes
- name: Clone repo and verify an unsigned branch (should fail)
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
version: another_branch/unsigned_tip
verify_commit: yes
register: git_verify
ignore_errors: yes
- name: Check that unsigned branch verification failed
assert:
that:
- git_verify|failed
- git_verify.msg|match("Failed to verify GPG signature of commit/tag.+")
- name: Remove GnuPG verification workdir
file:
path: "{{ git_gpg_workdir.path }}"
state: absent
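Review bot: Every "(should fail)" case in this new file is an unsigned ref, so the suite never demonstrates that a commit or tag signed by a key that is absent from GNUPGHOME is rejected, which is the case that matters when `verify_commit` is guarding a deployment. As far as I know `git verify-commit`/`git verify-tag` exit 0 for any good signature from a key present in the keyring regardless of ownertrust — the deleted test set ownertrust to ultimate, this one imports the key without any trust and the positive cases still pass — so that caveat deserves a line in the header comment: `# NOTE: git verify-* accepts any good signature from a key in GNUPGHOME; ownertrust is not checked.` I would add the negative case below after "Clone repo and verify a signed commit", cloning the signed commit with a fresh, empty GNUPGHOME and asserting failure with the same pattern the other asserts use. Separately, `git checkout -b some_branch/signed_tip master` in the generator assumes `git init` created `master`, which depends on the runner's `init.defaultBranch`; `git symbolic-ref --short HEAD` or an explicit `git checkout -b master` right after `git init` would remove that assumption.
```yaml
# … unchanged: Clone repo and verify a signed commit …

- name: Create an empty GNUPGHOME that does not hold the test key
  file:
    path: "{{ git_gpg_workdir.path }}/gpg-empty"
    state: directory
    mode: 0700

- name: Clone repo and verify a commit signed by an unknown key (should fail)
  environment:
    - GNUPGHOME: "{{ git_gpg_workdir.path }}/gpg-empty"
  git:
    repo: "{{ git_gpg_source }}"
    dest: "{{ git_gpg_dest }}"
    version: "{{ git_gpg_signed_commit.stdout }}"
    verify_commit: yes
  register: git_verify
  ignore_errors: yes

- name: Check that verification against an unknown key failed
  assert:
    that:
      - git_verify|failed
      - git_verify.msg|match("Failed to verify GPG signature of commit/tag.+")
```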
@ -1,57 +0,0 @@
---
# Test for tag verification
# clone a repo checkout signed tag, verify tag
- name: Import Jamie Evans GPG key
command: gpg --keyserver keyserver.ubuntu.com --recv-key 61107C8E
when: >
not gpg_version.stderr and
gpg_version.stdout and
(git_version.stdout | version_compare("2.1.0", '>=') or
gpg_version.stdout | version_compare("1.4.16", '>='))
- name: Copy ownertrust
copy: "content='2D55902D66FEEBCEA4447C93E79A36DA61107C8E:6:\n' dest=/tmp/ownertrust-git.txt"
when: >
not gpg_version.stderr and
gpg_version.stdout and
(git_version.stdout | version_compare("2.1.0", '>=') or
gpg_version.stdout | version_compare("1.4.16", '>='))
- name: Import ownertrust
command: gpg --import-ownertrust /tmp/ownertrust-git.txt
when: >
not gpg_version.stderr and
gpg_version.stdout and
(git_version.stdout | version_compare("2.1.0", '>=') or
gpg_version.stdout | version_compare("1.4.16", '>='))
- name: Clone signed repo and verify tag
git: repo={{ repo_verify }} dest={{ checkout_dir }} version=v0.0 verify_commit=yes
when: >
not gpg_version.stderr and
gpg_version.stdout and
(git_version.stdout | version_compare("2.1.0", '>=') or
gpg_version.stdout | version_compare("1.4.16", '>='))
- name: Remove Jamie Evans GPG key
command: gpg --batch --yes --delete-key 61107C8E
when: >
not gpg_version.stderr and
gpg_version.stdout and
(git_version.stdout | version_compare("2.1.0", '>=') or
gpg_version.stdout | version_compare("1.4.16", '>='))
- name: Clean up files
file: path="{{ item }}" state=absent
with_items:
- "{{ checkout_dir }}"
- /tmp/ownertrust-git.txt
when: >
not gpg_version.stderr and
gpg_version.stdout and
(git_version.stdout | version_compare("2.1.0", '>=') or
gpg_version.stdout | version_compare("1.4.16", '>='))
- name: clear checkout_dir
file: state=absent path={{ checkout_dir }}