From 6f11896303248b7a167021f5c33502ca4f48af56 Mon Sep 17 00:00:00 2001
From: Dionysis Grigoropoulos
Date: Wed, 10 Jun 2015 10:27:25 +0300
Subject: [PATCH] ansible-pull: Add option to verify gpg signature of a commit

Add option '--verify-commit' to verify a GPG signature of the checked out commit. As noted in the git module documentantion, this requires git version >= 2.1.0
---
 lib/ansible/cli/pull.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/ansible/cli/pull.py b/lib/ansible/cli/pull.py
index 0d37568e20..ff8103a1df 100644
--- a/lib/ansible/cli/pull.py
+++ b/lib/ansible/cli/pull.py
@@ -70,7 +70,9 @@ class PullCLI(CLI):
 help='adds the hostkey for the repo url if not already added')
 self.parser.add_option('-m', '--module-name', dest='module_name', default=self.DEFAULT_REPO_TYPE,
 help='Repository module name, which ansible will use to check out the repo. Default is %s.' % self.DEFAULT_REPO_TYPE)
-
+ self.parser.add_option('--verify-commit', dest='verify', default=False, action='store_true',
+ help='verify GPG signature of checked out commit, if it fails abort running the playbook.'
+ ' This needs the corresponding VCS module to support such an operation')
 self.options, self.args = self.parser.parse_args()
@@ -127,6 +129,9 @@ class PullCLI(CLI):
 if self.options.private_key_file:
 repo_opts += ' key_file=%s' % self.options.private_key_file
+ if self.options.verify:
+ repo_opts += ' verify_commit=yes'
+
 path = module_loader.find_plugin(self.options.module_name)
 if path is None:
 raise AnsibleOptionsError(("module '%s' not found.\n" % self.options.module_name))
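Review bot: The help string for `--verify-commit` does not tell the operator what a passing check depends on. The commit message states the git >= 2.1.0 requirement, but the option text only says the VCS module must support the operation. It also does not say that the signer's public key has to be available to GPG for the user running ansible-pull; that is my reading of the git module's `verify_commit` and is worth confirming. I would reword it along the lines of `help='verify the GPG signature of the checked out commit and abort the playbook run if verification fails; requires a VCS module that supports verify_commit (git >= 2.1.0) and the signer key in the local GPG keyring'`. The option-parsing method these lines belong to begins outside the hunk.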
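Review bot: `verify_commit=yes` is appended to `repo_opts` for whatever `--module-name` selects, although the new help text says the option only works when the VCS module supports it. What a module without that parameter does with the extra argument is not visible here, so the CLI should reject the combination itself next to the existing "module not found" check, for example `if self.options.verify and self.options.module_name != 'git': raise AnsibleOptionsError("--verify-commit is not supported by module '%s'" % self.options.module_name)` (git being the only module the commit message names as supporting it). It is also worth confirming, in the part of the method outside this hunk, that a checkout failing on a bad signature always stops the run: if ansible-pull's `--force` still lets the playbook proceed after a repository update failure, it should not apply when verification was requested. The enclosing method starts and ends outside the hunk.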