Signature Workflows

pulp_ansible supports Collection signing, syncing, and uploading. Collection signing adds extra validation when installing Collections with ansible-galaxy. Check out the workflows below to see how to add signature support.

Setup

In order to verify signature validity on uploads, you will need to store your trusted key in the repository's gpgkey attribute.

Note

You can upload signatures without supplying Pulp any key, but pulp_ansible will then not check the validity of the uploaded signature; you will also have to set ANSIBLE_SIGNATURE_REQUIRE_VERIFICATION to False. Once a key is provided, any signature that cannot be verified is rejected by default.

In order to have pulp_ansible sign the collections stored in your repositories, you will need to set up a signing service. First, create or import the key you intend to sign your collections with on your Pulp system. Second, create a signing script on your Pulp system with the parameters you want on the generated signatures. Galaxy uses a signing script like the one below:

#!/usr/bin/env bash
FILE_PATH=$1
SIGNATURE_PATH="$1.asc"

# Create a detached, ASCII-armored signature with the configured signing key
# (paths are quoted so the script also works when the artifact path contains spaces)
gpg --quiet --batch --homedir ~/.gnupg/ --detach-sign --local-user "${PULP_SIGNING_KEY_FINGERPRINT}" \
    --armor --output "${SIGNATURE_PATH}" "${FILE_PATH}"

# Check the exit status: on success, print the JSON object naming the signed file and
# its signature, which is what the signing service reads; otherwise propagate the failure
STATUS=$?
if [[ ${STATUS} -eq 0 ]]; then
   echo "{\"file\": \"${FILE_PATH}\", \"signature\": \"${SIGNATURE_PATH}\"}"
else
   exit ${STATUS}
fi

Third, create the signing service using pulpcore-manager:

pulpcore-manager add-signing-service ansible-signing-service $SCRIPT_LOCATION $PUBKEY_FINGERPRINT

Reference: Signing Service
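A pre-flight check for a signing script before registering it with pulpcore-manager, as an added example that is not part of the pulp_ansible documentation or code base. It runs the script the way pulpcore does (script path, then the file to sign) and validates the exit status and the JSON on stdout; write_stub_script and stub_check are constructed stand-ins with no real gpg so the check runs offline, and the three function names are this example's own.

```python
# Added example (not pulp's own code): pre-flight check for a pulp_ansible signing script, which
# pulpcore runs as `script <file>`, expecting exit 0 and JSON with "file" and "signature" on stdout.
import json
import os
import subprocess
import tempfile

ARMOR_HEADER = b"-----BEGIN PGP SIGNATURE-----"


def parse_signing_output(stdout: str, signed_path: str) -> dict:
    """Validate what the script printed; raise ValueError on any contract violation."""
    result = json.loads(stdout)  # json.JSONDecodeError is itself a ValueError
    if not isinstance(result, dict) or not {"file", "signature"} <= set(result):
        raise ValueError("expected a JSON object with 'file' and 'signature' keys")
    if os.path.realpath(result["file"]) != os.path.realpath(signed_path):
        raise ValueError("'file' does not name the file the script was given")
    with open(result["signature"], "rb") as fh:  # FileNotFoundError if it was never written
        if not fh.read(len(ARMOR_HEADER)).startswith(ARMOR_HEADER):
            raise ValueError("signature is not ASCII-armored (pass --armor to gpg)")
    return result


def check_signing_script(script: str, payload: bytes = b"constructed tarball bytes") -> dict:
    """Run the script on a scratch file, as pulpcore would, and validate its output."""
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "artifact.tar.gz")
        open(target, "wb").write(payload)
        proc = subprocess.run([script, target], capture_output=True, text=True)
        if proc.returncode != 0:
            raise RuntimeError(f"script exited {proc.returncode}: {proc.stderr.strip()}")
        return parse_signing_output(proc.stdout, target)


def write_stub_script(directory: str, armor: bool = True) -> str:
    """CONSTRUCTED stand-in for a gpg-based signing script so the check can run offline."""
    header = ARMOR_HEADER.decode() if armor else "not-an-armored-signature"
    script = os.path.join(directory, "stub-sign.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n"
                 f"printf '%s\\n' '{header}' > \"$1.asc\"\n"
                 "printf '{\"file\": \"%s\", \"signature\": \"%s\"}\\n' \"$1\" \"$1.asc\"\n")
    os.chmod(script, 0o755)
    return script


def stub_check(armor: bool = True) -> str:
    # Exercise the check against a stub; returns "ok" or the violation that was caught.
    with tempfile.TemporaryDirectory() as d:
        try:
            check_signing_script(write_stub_script(d, armor))
            return "ok"
        except (ValueError, OSError) as exc:
            return str(exc)
```

Point check_signing_script at your real script once the stub passes; a script that exits non-zero, prints something other than that JSON object, or omits --armor is reported before it can silently break signing tasks.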

Signing Collections

Sign collections stored in repository foo with the signing service ansible-signing-service:

pulp ansible repository sign --name foo --signing-service ansible-signing-service

By default it signs every collection in the repository; specify --content-units with a list of the specific collection hrefs you want to sign. A collection can carry multiple signatures in a repository as long as each one comes from a different key.

Syncing Signed Collections

If your repository contains signatures, the signature information is exposed in the Galaxy APIs, and when syncing from a Galaxy repository any signatures present are synced automatically as well. You can also restrict a sync to collections that have signatures with the signed_only field on the remote, e.g.:

pulp ansible remote update --name foo --signed-only
# Sync task will only sync collections with signatures now
pulp ansible repository sync --name foo --remote foo

Uploading Signed Collections

Signatures can also be manually created and uploaded to pulp_ansible.

pulp ansible content -t signature upload --file $SIGNATURE --collection $COLLECTION_HREF

Signatures can be verified upon upload by setting the keyring field on the repository to your keyring location and then passing the repository option when uploading the signature.

pulp ansible repository update --name foo --keyring $KEYRING_FILE_LOCATION
# Validate signature against keyring of repository
pulp ansible content -t signature upload --file $SIGNATURE --collection $COLLECTION_HREF --repository foo

Verifying Signatures with ansible-galaxy

Installing signed collections from pulp_ansible with ansible-galaxy requires passing the keyring that will be used to validate the signatures on install:

ansible-galaxy collection install $COLLECTION -s "$BASE_ADDR"pulp_ansible/galaxy/foo/api/ --keyring $KEYRING_FILE_LOCATION

You can also verify already installed collections with the verify command:

ansible-galaxy collection verify $COLLECTION -s "$BASE_ADDR"pulp_ansible/galaxy/foo/api/ --keyring $KEYRING_FILE_LOCATION