1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
community.general/test/integration/targets/git/tasks/gpg-verification.yml
Andreas Olsson 593297d7a2 Only use git verify-tag when verifying annotated tags (#26414)
* Only use `git verify-tag` when verifying annotated tags

The command `git verify-tag` only applies to annotated tags. When
verifying lightweight tags, which are more similar to non-moving
branches, one has to use `git verify-commit` instead.

Using ':' as a separator is appropriate since that is one of the
characters not allowed in a Git reference name.

See also https://www.kernel.org/pub/software/scm/git/docs/git-check-ref-format.html

* Improve testing of the Git module's gpg verification
2017-07-19 11:30:12 -04:00

187 lines
5.4 KiB
YAML

---
# Test for verification of GnuPG signatures
- name: Create GnuPG verification workdir
tempfile:
state: directory
register: git_gpg_workdir
- name: Define variables based on workdir
set_fact:
git_gpg_keyfile: "{{ git_gpg_workdir.path }}/testkey.asc"
git_gpg_source: "{{ git_gpg_workdir.path }}/source"
git_gpg_dest: "{{ git_gpg_workdir.path }}/dest"
git_gpg_gpghome: "{{ git_gpg_workdir.path }}/gpg"
- name: Temporary store GnuPG test key
copy:
content: "{{ git_gpg_testkey }}"
dest: "{{ git_gpg_keyfile }}"
- name: Create temporary GNUPGHOME directory
file:
path: "{{ git_gpg_gpghome }}"
state: directory
mode: 0700
- name: Import GnuPG test key
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
command: gpg --import {{ git_gpg_keyfile }}
- name: Create local GnuPG signed repository directory
file:
path: "{{ git_gpg_source }}"
state: directory
- name: Generate local GnuPG signed repository
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
shell: |
set -e
git init
touch an_empty_file
git add an_empty_file
git commit --no-gpg-sign --message "Commit, and don't sign"
git tag lightweight_tag/unsigned_commit HEAD
git commit --allow-empty --gpg-sign --message "Commit, and sign"
git tag lightweight_tag/signed_commit HEAD
git tag --annotate --message "This is not a signed tag" unsigned_annotated_tag HEAD
git commit --allow-empty --gpg-sign --message "Commit, and sign"
git tag --sign --message "This is a signed tag" signed_annotated_tag HEAD
git checkout -b some_branch/signed_tip master
git commit --allow-empty --gpg-sign --message "Commit, and sign"
git checkout -b another_branch/unsigned_tip master
git commit --allow-empty --no-gpg-sign --message "Commit, and don't sign"
git checkout master
args:
chdir: "{{ git_gpg_source }}"
- name: Get hash of an unsigned commit
command: git show-ref --hash --verify refs/tags/lightweight_tag/unsigned_commit
args:
chdir: "{{ git_gpg_source }}"
register: git_gpg_unsigned_commit
- name: Get hash of a signed commit
command: git show-ref --hash --verify refs/tags/lightweight_tag/signed_commit
args:
chdir: "{{ git_gpg_source }}"
register: git_gpg_signed_commit
- name: Clone repo and verify signed HEAD
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
verify_commit: yes
- name: Clone repo and verify a signed lightweight tag
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
version: lightweight_tag/signed_commit
verify_commit: yes
- name: Clone repo and verify an unsigned lightweight tag (should fail)
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
version: lightweight_tag/unsigned_commit
verify_commit: yes
register: git_verify
ignore_errors: yes
- name: Check that unsigned lightweight tag verification failed
assert:
that:
- git_verify|failed
- git_verify.msg|match("Failed to verify GPG signature of commit/tag.+")
- name: Clone repo and verify a signed commit
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
version: "{{ git_gpg_signed_commit.stdout }}"
verify_commit: yes
- name: Clone repo and verify an unsigned commit
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
version: "{{ git_gpg_unsigned_commit.stdout }}"
verify_commit: yes
register: git_verify
ignore_errors: yes
- name: Check that unsigned commit verification failed
assert:
that:
- git_verify|failed
- git_verify.msg|match("Failed to verify GPG signature of commit/tag.+")
- name: Clone repo and verify a signed annotated tag
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
version: signed_annotated_tag
verify_commit: yes
- name: Clone repo and verify an unsigned annotated tag (should fail)
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
version: unsigned_annotated_tag
verify_commit: yes
register: git_verify
ignore_errors: yes
- name: Check that unsigned annotated tag verification failed
assert:
that:
- git_verify|failed
- git_verify.msg|match("Failed to verify GPG signature of commit/tag.+")
- name: Clone repo and verify a signed branch
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
version: some_branch/signed_tip
verify_commit: yes
- name: Clone repo and verify an unsigned branch (should fail)
environment:
- GNUPGHOME: "{{ git_gpg_gpghome }}"
git:
repo: "{{ git_gpg_source }}"
dest: "{{ git_gpg_dest }}"
version: another_branch/unsigned_tip
verify_commit: yes
register: git_verify
ignore_errors: yes
- name: Check that unsigned branch verification failed
assert:
that:
- git_verify|failed
- git_verify.msg|match("Failed to verify GPG signature of commit/tag.+")
- name: Remove GnuPG verification workdir
file:
path: "{{ git_gpg_workdir.path }}"
state: absent