ansible-galaxy and git verify-tag
20 views
Skip to first unread message
Michael Ströder
Dec 22, 2021, 11:33:33 AM12/22/21
to ansible...@googlegroups.com
HI!
Is it possible to make ansible-galaxy invoke 'git verify-tag' with a
locally configured GPG public key on tags specified as version: in
requirements.yml?
Thx in advance for any hint.
Ciao, Michael.
Is it possible to make ansible-galaxy invoke 'git verify-tag' with a
locally configured GPG public key on tags specified as version: in
requirements.yml?
Thx in advance for any hint.
Ciao, Michael.
Michael Ströder
Dec 22, 2021, 12:00:57 PM12/22/21
to ansible...@googlegroups.com
On 12/22/21 17:33, Michael Ströder wrote:
> Is it possible to make ansible-galaxy invoke 'git verify-tag' with a
> locally configured GPG public key on tags specified as version: in
> requirements.yml?
Hmm, seems there is no such thing yet:
> Is it possible to make ansible-galaxy invoke 'git verify-tag' with a
> locally configured GPG public key on tags specified as version: in
> requirements.yml?
https://github.com/ansible/proposals/issues/36
How does ansible users here deal with ansible collections/roles pulled
from remote resources? Just trust that nobody tampered with the software
repos?
As a work-around it would be possible for git-based resources to use
git clone ...
git verify-tag ...
and then let ansible-galaxy load collections/roles from the locally
pulled git repo.
Opinions?
Ciao, Michael.
Nico Kadel-Garcia
Dec 22, 2021, 12:07:27 PM12/22/21
to ansible...@googlegroups.com
On Wed, Dec 22, 2021 at 12:00 PM 'Michael Ströder' via Ansible Project
<ansible...@googlegroups.com> wrote:
>
> On 12/22/21 17:33, Michael Ströder wrote:
> > Is it possible to make ansible-galaxy invoke 'git verify-tag' with a
> > locally configured GPG public key on tags specified as version: in
> > requirements.yml?
>
> Hmm, seems there is no such thing yet:
>
> https://github.com/ansible/proposals/issues/36
>
> How does ansible users here deal with ansible collections/roles pulled
> from remote resources? Just trust that nobody tampered with the software
> repos?
For Red Hat based systems, I use RPMs. Fedora publishes some of them
<ansible...@googlegroups.com> wrote:
>
> On 12/22/21 17:33, Michael Ströder wrote:
> > Is it possible to make ansible-galaxy invoke 'git verify-tag' with a
> > locally configured GPG public key on tags specified as version: in
> > requirements.yml?
>
> Hmm, seems there is no such thing yet:
>
> https://github.com/ansible/proposals/issues/36
>
> How does ansible users here deal with ansible collections/roles pulled
> from remote resources? Just trust that nobody tampered with the software
> repos?
as SRPMs, and I've built up some wrappers to build them alongside the
oversized bundle that is now "ansible". Bundling them individually
allows some flexibility not available with the oversized "ansible"
bundle: see https://github.com/nkadel/ansiblerepo/ for my work.
> As a work-around it would be possible for git-based resources to use
>
> git clone ...
> git verify-tag ...
>
> and then let ansible-galaxy load collections/roles from the locally
> pulled git repo.
>
> Opinions?
>
> Ciao, Michael.
>
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/ce9a45f0-458e-32aa-5b5b-c03e3de68c6d%40stroeder.com.
Michael Ströder
Dec 22, 2021, 12:43:33 PM12/22/21
to ansible...@googlegroups.com
On 12/22/21 18:07, Nico Kadel-Garcia wrote:
> On Wed, Dec 22, 2021 at 12:00 PM 'Michael Ströder' via Ansible Project
> <ansible...@googlegroups.com> wrote:
>>
>> On 12/22/21 17:33, Michael Ströder wrote:
>>> Is it possible to make ansible-galaxy invoke 'git verify-tag' with a
>>> locally configured GPG public key on tags specified as version: in
>>> requirements.yml?
>>
>> Hmm, seems there is no such thing yet:
>>
>> https://github.com/ansible/proposals/issues/36
>>
>> How does ansible users here deal with ansible collections/roles pulled
>> from remote resources? Just trust that nobody tampered with the software
>> repos?
>
> For Red Hat based systems, I use RPMs. Fedora publishes some of them
> as SRPMs, and I've built up some wrappers to build them alongside the
> oversized bundle that is now "ansible".
Maybe my posting was not clear enough:
> On Wed, Dec 22, 2021 at 12:00 PM 'Michael Ströder' via Ansible Project
> <ansible...@googlegroups.com> wrote:
>>
>> On 12/22/21 17:33, Michael Ströder wrote:
>>> Is it possible to make ansible-galaxy invoke 'git verify-tag' with a
>>> locally configured GPG public key on tags specified as version: in
>>> requirements.yml?
>>
>> Hmm, seems there is no such thing yet:
>>
>> https://github.com/ansible/proposals/issues/36
>>
>> How does ansible users here deal with ansible collections/roles pulled
>> from remote resources? Just trust that nobody tampered with the software
>> repos?
>
> For Red Hat based systems, I use RPMs. Fedora publishes some of them
> as SRPMs, and I've built up some wrappers to build them alongside the
> oversized bundle that is now "ansible".
I was not asking about GPG signatures of ansible itself or other
software artefacts.
I was asking about how to check the git tag signature of ansible
roles/collections specified in requirements.yml and retrieved by
ansible-galaxy tool.
For example I tell users of Æ-DIR to invoke [1]:
ansible-galaxy install -r requirements.yml
The requirements.yml contains something like [2]:
- src: git+https://code.stroeder.com/AE-DIR/ansible-ae-dir-server.git
version: v0.32.3
name: aedir_server
The git tags defined by version: are all signed locally. Thus it would
be nice if ansible-galaxy could check the GPG signature against my GPG
key installed before on the ansible controller.
I'd like to provide additional protection because the ansible roles run
as root on the target. (Yes, I know very well that trusted distribution
of GPG public keys used for signature verification is hard at scale.)
Ciao, Michael.
[1] https://www.ae-dir.com/install.html#install
[2]
https://code.stroeder.com/AE-DIR/ansible-example-site/src/branch/master/requirements.yml
Reply all
Reply to author
Forward
0 new messages