add-gpgkey: trust incoming key

Add the incoming key to the trustdb with ultimate trust.  I noticed
this when using this role in a job that rechecks the signatures made
with an imported key (cf. Id624aa1ec6213be70809a8f911ab4aadc8a6ed53
and related changes).

Remove "--allow-secret-key-import" as it doesn't do anything any more,
per the man page.

Change-Id: I5fce163bce5c68342a444c36d9ba4af6e4af362c
Ian Wienand 2022-05-05 13:40:48 +10:00
parent fc133bd165
commit 8e7d5e0404

@ -10,7 +10,21 @@
mode: 0400
- name: Import GPG private key
command: "gpg --allow-secret-key-import --import {{ gpg_private_key_tmp.path }}"
command: "gpg --import {{ gpg_private_key_tmp.path }}"
- name: Trust the imported key
# Strip all whitespace and take the second line of output, which
# is the fingerprint, then import this at "I trust fully" level.
# This was a pain to figure out as gpg really wants to communicate
# with a tty if you do something obvious like "gpg --edit-key <id>
# ...". And what is menu option number "5" is actually "6" in the
# ownertrust db (ultimate trust)!
shell: |
set -o pipefail
echo $(gpg --show-keys {{ gpg_private_key_tmp.path }} \
| sed -n "s/ //g;2 p"):6: | gpg --import-ownertrust
args:
executable: '/bin/bash'
- name: Delete staged GPG private key
file:
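Review bot: the comment and the pipeline in the "Trust the imported key" task disagree about the trust level: the comment says the fingerprint is imported at "I trust fully" level, while the `:6:` record fed to `gpg --import-ownertrust` is ultimate trust (as the comment's last line and the commit message both state), which also makes every key certified by this key fully valid in this keyring. Suggest the comment say "ultimate trust (6)" throughout so a later reader does not change it to 5 believing that is the same thing. Separately, `sed -n "s/ //g;2 p"` depends on the human-readable `--show-keys` layout placing the fingerprint on the second line, which is not a stable interface across gpg versions and locales; the machine-readable form is `gpg --with-colons --show-keys {{ gpg_private_key_tmp.path }} | awk -F: '/^fpr/ {print $10; exit}'`. Note also that `set -o pipefail` does not catch a failure inside the `$(...)` substitution: if `gpg --show-keys` fails, the task still runs `echo :6: | gpg --import-ownertrust` with an empty fingerprint; capturing the fingerprint into a variable and checking it is non-empty before piping would make that failure explicit.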