PGP: Trust keys non-interactive with ansible

Attention! This article is older than a year. Its content may no longer be up to date!

Distributing PGP keys with ansible is easy, but trusting them is a bit more difficult, because trusting a key is an interactive process with no command-line switch. To work around this problem you have to use the ownertrust feature. Ownertrust is a text file which contains the fingerprint and the trust level. This file can be imported without user interaction.

The first step is to distribute the key to your target machine. You can do this, for example, with the copy module:

- name: Upload pgp key
  copy:
      content: "{{ mirror_pgp_key }}"
      dest: /root/mykey.pub

In my example I've stored the key in a variable and saved it to a file. The next step is to dynamically extract its fingerprint:

- name: Extract fingerprint
  # only the first "fpr" record is the primary key; subkeys have their own
  # fpr records, which would otherwise produce a multi-line value
  shell: gpg --with-fingerprint --with-colons /root/mykey.pub | grep '^fpr' | head -n 1 | cut -d ':' -f 10
  register: pgpfingerprint

Of course you can extract the fingerprint once and store it as a variable alongside the key. If I were to rewrite it, I would do it that way.

The next step is to write the extracted fingerprint to the text file:

- name: Create ownertrust
  copy:
      content: "{{ pgpfingerprint.stdout }}:6:\n"
      dest: /tmp/ownertrust

The format is “Fingerprint:TrustLevel:”. Trust level 6 is ultimate (absolute) trust, the highest level. Now you can import the ownertrust file into your key store:

- name: Import ownertrust
  shell: "gpg --homedir /etc/pacman.d/gnupg --import-ownertrust /tmp/ownertrust"

You have to add some registers so you only import the ownertrust when the key changes. Adapt it to your setup. If you have more keys, then a template may be more suitable.
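As an added example (not code from the original post), the following Python builds the ownertrust line from constructed `gpg --with-colons` output: it takes only the primary key's fpr record (a plain `grep fpr` also returns subkey fingerprints), accepts only GnuPG's ownertrust levels, and optionally refuses a key whose fingerprint does not match a pinned value, which is what storing the fingerprint alongside the key buys you. The sample output and fingerprints are constructed and the function names are my own.

```python
import re

# Constructed sample of `gpg --with-fingerprint --with-colons mykey.pub`:
# a primary key plus one signing subkey, so there are two "fpr" records.
SAMPLE_COLONS = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1600000000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1600000000::DEADBEEF00000000000000000000000000000000::Mirror Key <mirror@example.invalid>::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1600000000::-:::s::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""

# Ownertrust levels as used by gpg --import-ownertrust / --export-ownertrust
TRUST_LEVELS = {2: "undefined", 3: "never", 4: "marginal", 5: "full", 6: "ultimate"}
FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def primary_fingerprints(colons_output):
    """Return the fingerprints of primary keys only (the fpr record after "pub")."""
    fprs = []
    expect_primary = False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expect_primary = True
        elif fields[0] == "fpr" and expect_primary:
            fpr = fields[9]  # field 10 in cut's 1-based numbering
            if not FPR_RE.match(fpr):
                raise ValueError("unexpected fingerprint format: %r" % fpr)
            fprs.append(fpr)
            expect_primary = False
        elif fields[0] in ("sub", "ssb"):
            expect_primary = False  # subkey fpr records are skipped
    return fprs


def ownertrust_line(fingerprint, level, pinned=None):
    """Format one "FPR:LEVEL:" record; refuse unknown levels and, when a pinned
    fingerprint is given, refuse a key that does not match it."""
    if level not in TRUST_LEVELS:
        raise ValueError("unknown ownertrust level %r" % level)
    if pinned is not None and fingerprint != pinned.replace(" ", "").upper():
        raise ValueError("fingerprint %s does not match pinned value" % fingerprint)
    return "%s:%d:\n" % (fingerprint, level)


def build_ownertrust(colons_output, level=6, pinned=None):
    """Whole ownertrust file content for every primary key in the output."""
    return "".join(ownertrust_line(f, level, pinned) for f in primary_fingerprints(colons_output))
```

The returned string is what the copy task above writes to /tmp/ownertrust; with `pinned` set, a swapped key fails the play instead of being granted ultimate trust.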

