
This role takes one or more ASCII-armored GPG keys, imports them into the local keyring, and encrypts a file with them. Change-Id: If2fe7921ff051a1c5d0589f5e32fba26d30ae96c
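- name: Check for existing key
  # Probe the keyring for the configured key id.  `argv` hands the id to gpg
  # as a single argument with no shell and no shlex re-splitting, so an id
  # containing whitespace or quotes cannot turn into extra gpg options.
  command:
    argv:
      - gpg
      - --list-keys
      - '{{ zj_encrypt_file.key_id }}'
  register: _key_exists
  # A found key returns 0, a missing key returns 2; anything else is a real
  # gpg failure (bad keyring, unreadable homedir, ...) and should fail the task.
  failed_when: _key_exists.rc not in [0, 2]
  # This is a read-only probe; do not report it as a change.
  changed_when: false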
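- name: Install key
  # Only import when the probe above did not find the key (rc 2).
  when: _key_exists.rc != 0
  block:
    - name: Create temporary keyfile
      tempfile:
        state: file
      register: _keyfile

    - name: Copy keyfile material
      copy:
        content: '{{ zj_encrypt_file.gpg_asc }}'
        dest: '{{ _keyfile.path }}'
        # tempfile already creates the file 0600; state it explicitly so the
        # permissions do not depend on the remote umask or on the tempfile
        # module's defaults.
        mode: '0600'

    - name: Import key
      command:
        argv:
          - gpg
          - --import
          - '{{ _keyfile.path }}'

    # Mark the key as trusted so that later gpg operations that encrypt to it
    # do not stop at the "no assurance this key belongs to the named user"
    # prompt.  gpg --edit-key insists on a tty, so the ownertrust database is
    # fed directly instead.  The value 6 is "ultimate" in ownertrust terms
    # (menu choice 5 in --edit-key, not "full", which is 5 here); ultimate is
    # what makes the key valid without any certifying signature, so it is
    # deliberately that strong.
    #
    # The fingerprint is taken from the machine-readable --with-colons "fpr"
    # record (field 10) rather than from the second line of the human-readable
    # listing, whose layout differs between gpg versions.  The first fpr
    # record is the primary key's; `exit` skips subkey fingerprints.  The id
    # is shell-quoted because this task runs through a shell.
    - name: Trust key
      shell: |
        set -e
        fpr=$(gpg --with-colons --fingerprint {{ zj_encrypt_file.key_id | quote }} \
              | awk -F: '/^fpr:/ { print $10; exit }')
        # An empty fingerprint means the key id matched nothing; fail loudly
        # instead of feeding ":6:" to --import-ownertrust.
        test -n "$fpr"
        echo "${fpr}:6:" | gpg --import-ownertrust
  always:
    # Runs even if the import or trust step fails, so the key material is
    # never left behind on the node.  Guarded because the tempfile task itself
    # may have failed before registering a path.
    - name: Remove temporary keyfile
      file:
        path: '{{ _keyfile.path }}'
        state: absent
      when: _keyfile.path is defined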