HI!
Is it possible to make ansible-galaxy invoke 'git verify-tag' with a locally configured GPG public key on tags specified as version: in requirements.yml?
Thx in advance for any hint.
Ciao, Michael.
Hmm, seems there is no such thing yet:
https://github.com/ansible/proposals/issues/36
How do ansible users here deal with ansible collections/roles pulled from remote resources? Just trust that nobody tampered with the software repos?
As a work-around it would be possible for git-based resources to use
git clone ...
git verify-tag ...
and then let ansible-galaxy load collections/roles from the locally pulled git repo.
Opinions?
Ciao, Michael.
> Is it possible to make ansible-galaxy invoke 'git verify-tag' with a
> locally configured GPG public key on tags specified as version: in
> requirements.yml?
>
> Hmm, seems there is no such thing yet:
> https://github.com/ansible/proposals/issues/36
>
> How do ansible users here deal with ansible collections/roles pulled
> from remote resources? Just trust that nobody tampered with the software
> repos?
For Red Hat based systems, I use RPMs. Fedora publishes some of them
as SRPMs, and I've built up some wrappers to build them alongside the
oversized bundle that is now "ansible". Bundling them individually
allows some flexibility not available with the oversized "ansible"
bundle: see https://github.com/nkadel/ansiblerepo/ for my work.
Maybe my posting was not clear enough:
I was not asking about GPG signatures of ansible itself or other software artefacts.
I was asking about how to check the git tag signature of ansible roles/collections specified in requirements.yml and retrieved by ansible-galaxy tool.
For example I tell users of Æ-DIR to invoke [1]:
ansible-galaxy install -r requirements.yml
The requirements.yml contains something like [2]:
- src: git+https://code.stroeder.com/AE-DIR/ansible-ae-dir-server.git
  version: v0.32.3
  name: aedir_server
The git tags defined by version: are all signed locally. Thus it would be nice if ansible-galaxy could check the GPG signature against my GPG key installed before on the ansible controller.
I'd like to provide additional protection because the ansible roles run as root on the target. (Yes, I know very well that trusted distribution of GPG public keys used for signature verification is hard at scale.)
Ciao, Michael.
[1] https://www.ae-dir.com/install.html#install
[2] https://code.stroeder.com/AE-DIR/ansible-example-site/src/branch/master/requirements.yml
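The work-around sketched earlier in the thread (git clone, git verify-tag, then let ansible-galaxy install from the local checkout), applied to the requirements.yml entry above, as an added example that is not part of the thread or of Æ-DIR. It assumes git, gpg and ansible-galaxy are on the controller, that the signer's public key is already imported into the keyring, that EXPECTED_FPR is a placeholder for that key's fingerprint, and that ansible-galaxy accepts a git+file:// src (it strips git+ and clones the URL).

```shell
#!/bin/sh
# Added example: verify a role's signed git tag against a PINNED key before
# ansible-galaxy ever sees the code. Only after verification is an entry
# written to a local requirements file pointing at the checked-out repo.
set -eu

STAGE_DIR="${STAGE_DIR:-$PWD/verified-roles}"
LOCAL_REQ="${LOCAL_REQ:-$STAGE_DIR/requirements.local.yml}"
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"  # placeholder

# Strip the "git+" prefix ansible-galaxy uses to mark git sources.
git_url() { printf '%s\n' "$1" | sed 's/^git+//'; }

# Exit 0 only if the tag carries a good signature from the pinned key.
# `git verify-tag --raw` emits gpg status lines; VALIDSIG carries the
# fingerprint, so a valid signature by any OTHER key in the keyring is
# still rejected (plain `git verify-tag` would accept it).
tag_signed_by() {  # repo_dir tag fingerprint
    [ -n "$3" ] || return 1
    git -C "$1" verify-tag --raw "$2" 2>&1 \
        | grep -q "^\[GNUPG:\] VALIDSIG .*$3"
}

# Clone src, verify the requested tag, then record a git+file:// entry
# that ansible-galaxy can install from the local, verified checkout.
verify_and_stage() {  # src version name fingerprint
    dir="$STAGE_DIR/$3"
    mkdir -p "$STAGE_DIR"
    [ -d "$dir/.git" ] || git clone --quiet "$(git_url "$1")" "$dir"
    git -C "$dir" fetch --quiet --tags
    if ! tag_signed_by "$dir" "$2" "$4"; then
        echo "REFUSED: $3 tag $2 is not signed by key $4" >&2
        return 1
    fi
    printf '%s\n' "- src: git+file://$dir" "  version: $2" "  name: $3" >> "$LOCAL_REQ"
}

# Usage, with the values from the requirements.yml quoted above:
#   verify_and_stage git+https://code.stroeder.com/AE-DIR/ansible-ae-dir-server.git \
#       v0.32.3 aedir_server "$EXPECTED_FPR"
#   ansible-galaxy install -r "$LOCAL_REQ"
if [ "${1:-}" = "run" ]; then
    verify_and_stage "$2" "$3" "$4" "$EXPECTED_FPR"
fi
```

Because the tag is pinned to a fingerprint rather than to "any key gpg trusts", a tag re-signed by an attacker's key that somehow landed in the keyring is still refused.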