Import PGP key and verify git commits

2023-10-19 02:56:36 -04:00 · 2023-10-19 02:56:36 -04:00 · 251a7c0dd5
commit 251a7c0dd5
parent 1d8ae8a0b6
2 changed files with 21 additions and 6 deletions
--- a/dev/host_vars/docker.yml
+++ b/dev/host_vars/docker.yml
@ -2,6 +2,10 @@
 allow_reboot: false
 manage_network: false

+root_gpgkeys:
+    # kris@lamoureux.io
+  - id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
+
 # docker
 docker_users:
  - vagrant
@ -17,9 +21,8 @@ docker_compose_deploy:
    version: 31ee724feebc1d5f91cb17ffd6892c352537f194
    enabled: true
    accept_newhostkey: true # Consider verifying manually instead
-    # Must manually add my public GPG key to root's keyring
-    #trusted_keys:
-    #  - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
+    trusted_keys:
+      - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
    env:
      ENABLE: true

@ -29,9 +32,8 @@ docker_compose_deploy:
    version: 31ee724feebc1d5f91cb17ffd6892c352537f194
    enabled: true
    accept_newhostkey: true # Consider verifying manually instead
-    # Must manually add my public GPG key to root's keyring
-    #trusted_keys:
-    #  - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
+    trusted_keys:
+      - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
    env:
      ENABLE: true
      VERSION: "2.10"
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@ -9,6 +9,19 @@
    name: gpg
    state: present

+- name: Check for existing GPG keys
+  command: "gpg --list-keys {{ item.id }} 2>/dev/null"
+  register: gpg_check
+  loop: "{{ root_gpgkeys }}"
+  failed_when: false
+  changed_when: false
+  when: root_gpgkeys is defined
+
+- name: Import GPG keys
+  command: "gpg --keyserver {{ item.server | default('keys.openpgp.org') }} --recv-key {{ item.id }}"
+  loop: "{{ root_gpgkeys }}"
+  when: root_gpgkeys is defined and gpg_check.results | map(attribute='rc') | list != [0]
+
 - name: Install NTPsec
  ansible.builtin.apt:
    name: ntpsec